HPACK Bomb

Hyper Project security advisory, August 4th 2016.

Vulnerability

An HTTP/2 implementation built using the priority library could be targeted for a denial-of-service attack based on HPACK, specifically a so-called “HPACK Bomb” attack.

The attack works by inserting into the HPACK dynamic header table a single header field that is exactly the size of that table. The attacker then sends header blocks consisting of nothing but repeated indexed references to that entry, each of which the decoder expands to the full field (a one-byte reference expands to a 4,096-byte field). This yields a compression ratio of 4,096 or better, meaning that 16kB of compressed header data can decompress to 64MB of data on the target machine.

It only takes a few such header blocks before the attacker has forced the target to allocate gigabytes of memory, which will take the process down. This requires relatively few resources on the part of the attacker.

While we are not aware of any attacker actively exploiting this vulnerability, it has been publicly disclosed in this report, and so users should assume that they are likely to be targeted by such an attack.

Info

This issue has been given the name CVE-2016-6581.

Affected Versions

This issue affects all versions of the HPACK library prior to 2.3.0. It also affects versions of the Hyper client library earlier than 0.6.0, which bundled a copy of the HPACK library.

The Solution

In version 2.3.0, the HPACK library limits the maximum decompressed size of the header block. It does so by essentially adding support for the HTTP/2 setting SETTINGS_MAX_HEADER_LIST_SIZE. This value defaults to 64kB, but is user-configurable.

If it is necessary to backport a patch, the patch can be found in this GitHub pull request.
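The fix described above, as an added example that is not the hpack library's own code: a minimal HPACK decoder in Python (the language hpack is written in) that counts the decoded header-list size the way RFC 7540 defines it and aborts before it can exceed a SETTINGS_MAX_HEADER_LIST_SIZE-style limit, so a one-byte indexed reference to a 4kB table entry can only be expanded as many times as the limit allows. It assumes raw (non-Huffman) string literals, a truncated static table and only the indexed and literal-with-incremental-indexing representations; the function and constant names are mine, not hpack's.

```python
# Added example, not the hpack library's own code: a minimal HPACK decoder that
# aborts once the decoded header list passes a size limit, the idea behind the fix.
STATIC = {1: (b":authority", b""), 2: (b":method", b"GET"), 4: (b":path", b"/")}
STATIC_TABLE_SIZE = 61  # RFC 7541 Appendix A has 61 entries; dynamic ones start at 62

class HeaderListTooLarge(ValueError):
    pass

def decode_int(data, pos, prefix_bits):  # HPACK integer, RFC 7541 section 5.1
    mask = (1 << prefix_bits) - 1
    value, pos, shift, byte = data[pos] & mask, pos + 1, 0, 0x80
    while value >= mask and byte & 0x80:  # continuation bytes follow a full prefix
        byte, pos = data[pos], pos + 1
        value += (byte & 0x7F) << shift
        shift += 7
    return value, pos

def decode_string(data, pos):
    if data[pos] & 0x80:
        raise ValueError("Huffman-coded strings are not handled in this example")
    length, pos = decode_int(data, pos, 7)
    return bytes(data[pos:pos + length]), pos + length

def lookup(index, table):  # table holds the dynamic entries, newest first
    return STATIC[index] if index <= STATIC_TABLE_SIZE else table[index - STATIC_TABLE_SIZE - 1]

def decode_header_block(data, table, max_header_list_size=65536, max_table_size=4096):
    # Size is name length + value length + 32 per field (RFC 7540 section 6.5.2)
    # and is checked before each field is kept, however small the compressed block is.
    headers, total, pos = [], 0, 0
    while pos < len(data):
        first = data[pos]
        if first & 0x80:  # indexed field: one byte may stand for a 4 kB table entry
            index, pos = decode_int(data, pos, 7)
            name, value = lookup(index, table)
        elif first & 0x40:  # literal with incremental indexing
            index, pos = decode_int(data, pos, 6)
            name, pos = (lookup(index, table)[0], pos) if index else decode_string(data, pos)
            value, pos = decode_string(data, pos)
        else:
            raise ValueError("representation not handled in this example")
        total += len(name) + len(value) + 32
        if total > max_header_list_size:
            raise HeaderListTooLarge(f"decoded header list would exceed {max_header_list_size} bytes")
        headers.append((name, value))
        if (first & 0xC0) == 0x40:  # literal with indexing also enters the dynamic table
            table.insert(0, (name, value))
            while sum(len(n) + len(v) + 32 for n, v in table) > max_table_size:
                table.pop()  # evict oldest entries until the table fits
    return headers
```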

Recommendations

We suggest you take the following actions immediately, in order of preference:

  1. Update HPACK to 2.3.0 immediately.
  2. Backport the patch made available on GitHub.
  3. Substantially decrease the maximum size of the compressed header block your application will accept, or alternatively ensure that each decompressed header block is freed before your application processes the next one.

If you have a copy of the Hyper client library, we recommend taking the following actions, in order of preference:

  1. Update hyper to any version later than 0.6.0.
  2. Backport the patch made available on GitHub.

Timeline

This class of vulnerability was publicly reported in this report on the 3rd of August. We requested a CVE ID from Mitre the same day.

HPACK 2.3.0 was released on the 4th of August, at the same time as the publication of this advisory.