Source: cve-assign@fb.com
Proxygen fails to validate that a secondary auth manager is set before dereferencing it. That can cause a denial of service issue when parsing a Certificate/CertificateRequest HTTP2 Frame over a fizz (TLS 1.3) transport. This issue affects Proxygen releases starting from v2018.10.29.00 until the fix in v2018.11.19.00.
Proxygen, Facebook's collection of C++ HTTP libraries (it includes the HTTP/2 server and client code used by Facebook's own services, not only a proxy), is vulnerable to denial of service. When a Certificate or CertificateRequest HTTP/2 frame arrives over a fizz (TLS 1.3) transport on a session that has no secondary authentication manager configured, the frame handler dereferences the null manager pointer and the process crashes, taking every connection it was serving down with it. These frame types come from the HTTP/2 secondary certificate authentication draft that Proxygen implemented in this release window; a normal HTTP/2 client never sends them, so their presence on a connection is itself anomalous.
Step 1: Connection establishment: The attacker opens a TLS 1.3 connection to a Proxygen-based server whose transport is fizz and negotiates HTTP/2. No credentials are required; an ordinary unauthenticated client connection suffices.
Step 2: Frame injection: The attacker sends an HTTP/2 frame with the Certificate or CertificateRequest frame type. The frame only has to reach the frame parser; the advisory does not require any particular payload beyond the frame type.
Step 3: Frame processing: Proxygen's HTTP/2 codec recognises the frame type and hands it to the session's secondary certificate authentication path.
Step 4: Authentication manager dereference: That path uses the session's secondary authentication manager without first checking that one was ever set.
Step 5: Null pointer dereference: The manager is optional and most deployments never configure one, so the pointer is null and the access is a null pointer dereference.
Step 6: Crash and DoS: The dereference crashes the process (typically a SIGSEGV), terminating the affected worker and every connection it holds; repeating the request keeps the service down for as long as the attacker can reconnect.
The root cause is a missing null check: the code that handles Certificate/CertificateRequest frames over a fizz (TLS 1.3) transport assumes a secondary authentication manager is always present, but the manager is an optional component that a deployment may never install. Because the frame type is accepted from any peer, an unauthenticated client can steer the parser into that branch and trigger the dereference. The defect is in the frame handling logic rather than in TLS or in fizz itself; the fix in v2018.11.19.00 validates that the manager is set before using it. Note that the crash is a plain null dereference, so this is an availability issue only and does not give the attacker memory read or write primitives.
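The six steps above and the root-cause description all reduce to one pattern: an optional component reached through a pointer that a frame handler dereferences unconditionally. The following is an added illustration written for this page, not Proxygen's code; the class and method names (SecondaryAuthManager, Session, onCertificateVulnerable, onCertificateHardened) and the frame struct are simplified stand-ins, and the sample frame is constructed inline. It shows the vulnerable shape beside a hardened handler that turns the missing-manager case into a protocol error the caller can use to close the connection instead of crashing the process.

```cpp
// Added example: models the missing-null-check pattern behind the Proxygen DoS.
// None of these types are Proxygen's own; they are simplified stand-ins.
#include <cstdint>
#include <cstdio>
#include <memory>
#include <vector>

// Hypothetical stand-in for the optional secondary authentication manager.
class SecondaryAuthManager {
 public:
  // Records the certificate id and accepts any non-empty payload.
  bool onCertificate(uint16_t certId, const std::vector<uint8_t>& payload) {
    seen_.push_back(certId);
    return !payload.empty();
  }
  size_t seenCount() const { return seen_.size(); }

 private:
  std::vector<uint16_t> seen_;
};

// Outcome of handling one frame. ProtocolError is what the hardened handler
// returns when the session was never configured for secondary certs.
enum class FrameResult { Accepted, Rejected, ProtocolError };

// Hypothetical decoded Certificate frame (the real wire format has more fields).
struct CertificateFrame {
  uint16_t certId;
  std::vector<uint8_t> payload;
};

class Session {
 public:
  // The manager is optional. Most deployments never call this, so the
  // pointer stays null; that is the state the crafted frame exploits.
  void setSecondaryAuthManager(std::unique_ptr<SecondaryAuthManager> m) {
    secondAuthManager_ = std::move(m);
  }

  // VULNERABLE shape: dereferences secondAuthManager_ unconditionally.
  // With a null manager this is undefined behaviour, a SIGSEGV in practice.
  FrameResult onCertificateVulnerable(const CertificateFrame& f) {
    return secondAuthManager_->onCertificate(f.certId, f.payload)
               ? FrameResult::Accepted
               : FrameResult::Rejected;
  }

  // HARDENED shape: a Certificate frame on a session without a manager is a
  // peer error, so report it and let the caller send GOAWAY/close the
  // connection. The process, and its other connections, survive.
  FrameResult onCertificateHardened(const CertificateFrame& f) {
    if (!secondAuthManager_) {
      return FrameResult::ProtocolError;
    }
    return secondAuthManager_->onCertificate(f.certId, f.payload)
               ? FrameResult::Accepted
               : FrameResult::Rejected;
  }

 private:
  std::unique_ptr<SecondaryAuthManager> secondAuthManager_;
};

// Constructed sample frame standing in for an attacker-supplied one.
inline CertificateFrame sampleFrame() { return CertificateFrame{1, {0x30, 0x82}}; }

// Hardened handler on a session that was never given a manager (the common case).
inline FrameResult handleWithoutManager() {
  Session s;
  return s.onCertificateHardened(sampleFrame());
}

// Hardened handler on a session that does have a manager: normal processing.
inline FrameResult handleWithManager() {
  Session s;
  s.setSecondaryAuthManager(std::make_unique<SecondaryAuthManager>());
  return s.onCertificateHardened(sampleFrame());
}

int main() {
  // Deliberately never calls onCertificateVulnerable on a manager-less
  // session: that is the crash the advisory describes.
  std::printf("no manager -> %s\n",
              handleWithoutManager() == FrameResult::ProtocolError ? "protocol error" : "other");
  std::printf("with manager -> %s\n",
              handleWithManager() == FrameResult::Accepted ? "accepted" : "other");
  return 0;
}
```

The point of returning ProtocolError rather than silently dropping the frame is that an HTTP/2 peer sending a frame type the session was not configured to handle is misbehaving; surfacing it lets the session layer close the connection and lets operators log and count the event, which is also the most reliable detection signal for this bug once the fix is in place.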
The affected window is narrow (releases from v2018.10.29.00 up to, but not including, v2018.11.19.00) and the bug is several years old, so it is unlikely to be used by targeted intrusion sets against current deployments. It remains a cheap, unauthenticated crash primitive, so it can still be exploited by low-skill attackers or folded into automated scanners against any forgotten build from that window. CISA KEV status: Not Listed.
Correlate Proxygen process crashes (SIGSEGV entries in supervisor, systemd or kernel logs, repeated worker restarts) with the connections that were open at the time; a crash that recurs on every reconnect from one client is the pattern to expect.
Monitor for Certificate/CertificateRequest HTTP/2 frames at a point that can see the cleartext stream, such as the Proxygen codec's own logging or a TLS-terminating front end; legitimate HTTP/2 clients do not send these frame types, so any occurrence is worth alerting on.
Implement intrusion detection rules for the unexpected frame types only where the IDS terminates or decrypts the TLS session; a passive sensor on TLS 1.3 traffic cannot see HTTP/2 frame headers.
Review core dumps for a null pointer dereference whose backtrace runs through the HTTP/2 frame handling path into the secondary certificate authentication code.
Use Wireshark or similar tools to inspect the HTTP/2 frames only with the session keys available (for example from a key log written by a test client); without decryption, TLS 1.3 traffic shows nothing beyond record sizes and timing.
Upgrade Proxygen to v2018.11.19.00 or later; only releases from v2018.10.29.00 up to that version are affected.
If you maintain a fork of an affected release, backport the fix: check that the secondary authentication manager is set before using it, and treat a Certificate/CertificateRequest frame on a session without one as a connection-level protocol error rather than crashing.
Apply security patches promptly, and rebuild any internal services that statically link Proxygen, since a library upgrade alone does not fix already-built binaries.
Regularly update all dependencies and libraries, including fizz, which provides the TLS 1.3 transport on which this path is reached.
Place a TLS-terminating front end (WAF or reverse proxy) in front of the vulnerable service if you cannot patch immediately; it only helps if it terminates the client's HTTP/2 session itself and does not forward unknown or extension frame types to the backend.
Configure process supervision so that a crashed worker is restarted automatically and crashes are rate-alerted; this limits the outage window but does not remove the vulnerability.