Cloudbleed-like bug affected cloud computing service from Fastly, a H2O contributor

Fastly patches memory leak HTTP/3 vulnerability in H2O HTTP server project

An uninitialized memory leak vulnerability in the H2O HTTP server project has been patched.

In a technical write-up published on January 31, independent security researcher Emil Lerner said the bug impacted the Fastly cloud computing service and allowed attackers to steal “random requests and responses from uninitialized memory of its’ nodes”.

H20 is an open source optimization project for HTTP/1, HTTP/2, and HTTP/3 servers. The project is available under an MIT license and has proven popular with 771 forks.

READ MORE HTTP/3: Everything you need to know about the next-generation web protocol

Somewhat akin to the ‘Cloudbleed’ security flaw disclosed by Google’s Project Zero team in 2017, Lerner says the bug relates to how HTTP/3 is implemented server-side. HTTP/3 is a next-generation web protocol that utilizes QUIC – initially developed by Google – and space congestion control over UDP.

QUIC frames

Originally, Lerner was on the hunt for instances of HTTP request smuggling. Upon examination of H2O and the discovery that Fastly runs over QUIC, however, the researcher found an implementation bug that arises if an attacker sends QUIC frames to a server in a specific order.

The vulnerability, now tracked as CVE-2021-43848 and issued a ‘moderate’ severity score, can be exploited when the QUIC frames are sent to ‘misguide’ the H2O server into treating uninitialized memory as HTTP/3 frames that have been received.

Catch up on the latest open source software security news

In addition, if H2O is being used as a reverse proxy, miscreants could abuse the system to send the internal state of H2O to attacker-controlled servers.

The internal state of the server can’t be controlled and so the data dumped varies – and could include connection traffic, TLS session tickets, other users’ requests and responses, or “something else present in H2O’s previously freed memory,” according to Fastly.

CVE-2021-43848 impacts H2O servers with HTTP/3 support between GitHub commits 93af138 and d1f0f65.

Fastly fixes fast

Lerner reported the vulnerability on November 23, 2021. Fastly, a main contributor to the H2O project, triaged the issue a day later, and by November 29, the firm’s security team was able to both reproduce and confirm the security flaw. Engineering then took over, developing a fix and confirming with the researcher that the proposed changes resolved the issue. The patch was rolled out on December 8.

Fastly says there is no evidence to suggest the vulnerability has been exploited in the wild.

When approached for comment, Fastly pointed us to a blog post describing the disclosure process.

“In the end, we awarded the report a bounty [and] the entire process took just about two weeks, a turnaround we’re truly proud of – and that we credit to the great work being done on this team,” Fastly said.

The company also thanked Lerner for his report.

DON’T FORGET TO READ Critical Samba flaw presents code execution threat