Facebook last month patched a critical denial-of-service vulnerability in Fizz, its open-source implementation for Transport Layer Security protocol TLS 1.3, researchers have reported.
Unauthenticated remote attackers could exploit the flaw to create an “infinite loop,” causing the web service to be unavailable for other users and thus disrupting service, according to a March 19 blog post from Semmle, whose researcher Kevin Backhouse uncovered the issue.
And because Facebook made Fizz’s source code available for public use last August, other web services can potentially be attacked this way as well if they fail to apply secure updates.
“The impact of the vulnerability is that an attacker can send a malicious message via TCP [Transmission Control Protocol] to any server that uses Fizz and trigger an infinite loop on that server. This could make the server unresponsive to other clients,” Backhouse states in a technical report he authored. “The size of the message is just over 64KB, so this attack is extremely cheap for the attacker, but crippling for the server.”
One computer with a standard domestic internet connection of 1Mbps upload speed could send two malicious TCP messages per second, Backhouse explains. “Since each message knocks out one CPU core, it would only take a small botnet to quickly debilitate an entire data center.”
Semmle said its team privately disclosed the problem to Facebook on Feb. 20, and that a patch was published five days later. Backhouse says he wrote a proof-of-concept exploit that triggers the DoS condition, but will not publish it under Fizz users have an adequate window to implement the patch.
“We greatly appreciate the time and energy the white-hat research community puts into helping us to keep the Facebook community safe,” said a Facebook statement, as quoted in Semmle’s blog post. “No user content or information could have been impacted in that scenario. We have fixed the issue hours after receiving the report and shortly after pushed the fix to Fizz on GitHub to ensure that others in the open source community can update to prevent this type of issue. We have no evidence to suggest that our services or infrastructure have been impacted by this bug.”
For his efforts, Backhouse earned a $10,000 bug bounty, even though Facebook generally does not reward for DoS vulnerabilities. However, Semmle asked Facebook to donate this money to charity, and so by policy the social media giant will double the contribution to $20,000, Semmle reports.