Allele Security Alert
ASA-2019-00518
Identifier(s)
ASA-2019-00518, CVE-2019-9511
Title
Excessive CPU usage in HTTP/2 with small window updates
Vendor(s)
NGINX, Inc.
Product(s)
nginx
Affected version(s)
nginx versions since 1.9.5 up to and including 1.17.2
Fixed version(s)
nginx version 1.17.3
nginx version 1.16.1
Proof of concept
Unknown
Description
Several security issues were identified in the nginx HTTP/2 implementation, which might cause excessive memory consumption and CPU usage (CVE-2019-9511, CVE-2019-9513, CVE-2019-9516).
The issues affect nginx compiled with the ngx_http_v2_module (not compiled by default) if the “http2” option of the “listen” directive is used in a configuration file.
Technical details
The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
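As an added, defender-side example (not part of the Allele alert and not nginx's own tooling), the following Python script encodes the three conditions this advisory states for exposure: a version from 1.9.5 up to and including 1.17.2 that is not 1.16.1 or 1.17.3, ngx_http_v2_module compiled in (shown as --with-http_v2_module in "nginx -V" output), and "http2" on a "listen" directive. The sample "nginx -V" output and configuration snippet are constructed for illustration; the function and variable names are this example's own.

```python
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Ranges exactly as stated in the advisory for CVE-2019-9511:
# affected 1.9.5 .. 1.17.2 inclusive; fixed in 1.16.1 (stable) and 1.17.3 (mainline).
FIRST_AFFECTED: Version = (1, 9, 5)
LAST_AFFECTED: Version = (1, 17, 2)
FIXED_IN = {16: (1, 16, 1), 17: (1, 17, 3)}  # minor branch -> first release carrying the fix

_VERSION_RE = re.compile(r"nginx/(\d+)\.(\d+)\.(\d+)")
# A 'listen' directive whose arguments include the bare token 'http2'.
_LISTEN_RE = re.compile(r"^\s*listen\s+[^;]*\bhttp2\b[^;]*;", re.MULTILINE)


def parse_nginx_version(text: str) -> Optional[Version]:
    """Extract (major, minor, patch) from 'nginx -v'/'nginx -V' output or a
    'Server: nginx/x.y.z' header. Returns None when no version is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable_version(version: Version) -> bool:
    """True if the version lies inside the affected range and is not a release
    that already carries the fix on its branch (1.16.1 sits inside the range)."""
    if version < FIRST_AFFECTED or version > LAST_AFFECTED:
        return False
    fixed = FIXED_IN.get(version[1])
    if fixed is not None and version >= fixed:
        return False
    return True


def uses_http2_listen(config_text: str) -> bool:
    """True if any uncommented 'listen' directive enables http2."""
    # Drop '#' comments line by line so a commented-out http2 does not count.
    stripped = "\n".join(line.split("#", 1)[0] for line in config_text.splitlines())
    return _LISTEN_RE.search(stripped) is not None


def assess(nginx_v_output: str, config_text: str) -> Tuple[str, str]:
    """Combine the three conditions named in the advisory into a status tuple:
    ('vulnerable' | 'not_affected' | 'not_exposed' | 'unknown', detail)."""
    version = parse_nginx_version(nginx_v_output)
    if version is None:
        return ("unknown", "no nginx version string found")
    if not is_vulnerable_version(version):
        return ("not_affected", "version %d.%d.%d is outside the affected range or carries the fix" % version)
    if "--with-http_v2_module" not in nginx_v_output:
        return ("not_affected", "ngx_http_v2_module is not compiled in")
    if not uses_http2_listen(config_text):
        return ("not_exposed", "no listen directive enables http2")
    return ("vulnerable", "upgrade to 1.16.1 or 1.17.3")


def check_local_nginx(config_path: str = "/etc/nginx/nginx.conf") -> Tuple[str, str]:
    """Run 'nginx -V' on this host (it prints to stderr) and assess the given
    configuration file. Assumed paths; adjust for the local layout."""
    try:
        proc = subprocess.run(["nginx", "-V"], capture_output=True, text=True, check=False)
        with open(config_path, encoding="utf-8", errors="replace") as fh:
            config_text = fh.read()
    except (FileNotFoundError, OSError) as exc:
        return ("unknown", "could not inspect nginx: %s" % exc)
    return assess(proc.stderr + proc.stdout, config_text)


# Constructed sample inputs (not captured from a real host).
SAMPLE_NGINX_V = """nginx version: nginx/1.16.0
built by gcc 8.3.0 (Debian 8.3.0-6)
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_v2_module
"""

SAMPLE_CONFIG = """
http {
    server {
        listen 80;
        # listen 8443 ssl http2;   (commented out: must not count)
        listen 443 ssl http2;
        server_name example.invalid;
    }
}
"""

if __name__ == "__main__":
    status, detail = assess(SAMPLE_NGINX_V, SAMPLE_CONFIG)
    print("sample host:", status, "-", detail)
```

The check deliberately treats 1.16.1 as fixed even though it lies numerically inside the 1.9.5 to 1.17.2 range, which is the usual pitfall when a stable branch receives a backported fix; a plain range comparison would misreport it.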
Credits
Jonathan Looney (Netflix)
Reference(s)
nginx security advisories
https://nginx.org/en/security_advisories.html
[nginx-announce] nginx security advisory (CVE-2019-9511, CVE-2019-9513, CVE-2019-9516)
https://mailman.nginx.org/pipermail/nginx-announce/2019/000249.html
HTTP/2 Denial of Service Advisory
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
Bug 1741860 (CVE-2019-9511) – CVE-2019-9511 HTTP/2: large amount of data request leads to denial of service
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-9511
HTTP/2: limited number of DATA frames.
https://hg.nginx.org/nginx/rev/99b6733876c4
NGINX Updates Mitigate the August 2019 HTTP/2 Vulnerabilities
https://www.nginx.com/blog/nginx-updates-mitigate-august-2019-http-2-vulnerabilities/
CVE-2019-9511 - Red Hat Customer Portal
https://access.redhat.com/security/cve/CVE-2019-9511
CVE-2019-9511
https://security-tracker.debian.org/tracker/CVE-2019-9511
https://people.canonical.com/~ubuntu-security/cve/CVE-2019-9511.html
CVE-2019-9511 | SUSE
https://www.suse.com/security/cve/CVE-2019-9511
CVE-2019-9511
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9511
CVE-2019-9511
https://nvd.nist.gov/vuln/detail/CVE-2019-9511
If there is any error in this alert, or if you would like a comprehensive analysis, let us know.
Last modified: October 2, 2019