Semmle Discovers Denial of Service (DoS) Vulnerability in Facebook Fizz
Semmle announced today that it has found a critical denial of service (DoS) vulnerability in the Fizz project, Facebook’s open source implementation of the transport layer security (TLS) protocol. Fizz facilitates secure communication with web services and is deployed on most of Facebook’s internal and external infrastructure. Facebook released the source code for Fizz as open source in August 2018, so it is likely used more widely by other organizations and open source projects. The vulnerability was reported on February 20, 2019 and fixed immediately. A patch was published on February 25, and the vulnerability has been assigned CVE-2019-3560.
The vulnerability is relatively easy to trigger by an unauthenticated remote attacker, and causes an infinite loop in Fizz. As a result, the web service will become unavailable for any other users. While the vulnerability is classified as a denial of service because it enables an attacker to disrupt the service, it is not possible to gain unauthorized access to user data.
In a blog post about Fizz published in August of last year, Facebook engineers explained how Fizz is deployed:
By exploiting this vulnerability, an attacker could potentially take down any infrastructure that relies on Fizz. Facebook has since upgraded its web services and is no longer vulnerable.
All other web applications that rely on Fizz are advised to upgrade their Fizz libraries as a matter of urgency. A patch for this vulnerability has been included in Fizz version 2019.02.25.00 (and later).
The vulnerability was discovered by Kevin Backhouse of the Semmle Security Research team. He used QL to model the attack surface of Fizz, and then used taint analysis to investigate whether an attacker-controlled input could cause anything bad to happen. This uncovered an integer overflow in a 16-bit unsigned addition, leading to an infinite loop.
“Fizz is written in a modern C++ style, so it’s unlikely to have something like a buffer overflow, which is so common in older C projects. That’s why I used QL to query for integer overflows instead. The overflow I found causes the code to enter an infinite loop, which could be used to launch a denial of service attack.”
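As an added illustration of the bug class described above (a hypothetical example written for this page, not Fizz’s code and not the code path fixed in CVE-2019-3560): a record scanner that keeps its cursor in a 16-bit unsigned integer, so an oversized declared length wraps the cursor back to a smaller offset and the loop never terminates, beside a hardened version that keeps the cursor wide and bounds-checks the length before advancing. The sample inputs are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Outcome of scanning a buffer of big-endian 16-bit length-prefixed records.
struct ScanResult { std::size_t records; bool ok; };

// Constructed sample: one record whose declared length (0xFFFE) exceeds the buffer.
std::vector<std::uint8_t> oversizedSample() { return {0xFF, 0xFE, 0x00, 0x00}; }
// Constructed sample: two well-formed records (lengths 1 and 0).
std::vector<std::uint8_t> benignSample() { return {0x00, 0x01, 0xAA, 0x00, 0x00}; }
// Hypothetical vulnerable form: the cursor is a uint16_t, so pos + 2 + len is
// truncated back to 16 bits and can wrap to a smaller offset instead of running
// off the end. maxIter exists only so this demo terminates; the real loop would spin forever.
ScanResult scanRecordsVulnerable(const std::vector<std::uint8_t>& buf, std::size_t maxIter) {
    std::uint16_t pos = 0;
    std::size_t count = 0, iter = 0;
    while (static_cast<std::size_t>(pos) < buf.size()) {
        if (++iter > maxIter) return {count, false};       // stuck: would never exit
        if (buf.size() - pos < 2) return {count, false};   // truncated header
        std::uint16_t len = static_cast<std::uint16_t>((buf[pos] << 8) | buf[pos + 1]);
        pos = static_cast<std::uint16_t>(pos + 2 + len);  // 16-bit wraparound here
        ++count;
    }
    return {count, true};
}

// Hardened form: size_t cursor, and the declared length is checked against the bytes
// actually remaining before the cursor moves, so nothing wraps and a bogus length is rejected.
ScanResult scanRecordsHardened(const std::vector<std::uint8_t>& buf) {
    std::size_t pos = 0, count = 0;
    while (pos < buf.size()) {
        if (buf.size() - pos < 2) return {count, false};   // truncated header
        std::uint16_t len = static_cast<std::uint16_t>((buf[pos] << 8) | buf[pos + 1]);
        if (static_cast<std::size_t>(len) > buf.size() - pos - 2) return {count, false};  // body exceeds buffer
        pos += 2 + len;
        ++count;
    }
    return {count, true};
}

int main() {
    ScanResult v = scanRecordsVulnerable(oversizedSample(), 1000);
    ScanResult h = scanRecordsHardened(oversizedSample());
    std::printf("vulnerable: gave up after %zu iterations (ok=%d)\n", v.records, v.ok);
    std::printf("hardened:   rejected input, %zu records parsed (ok=%d)\n", h.records, h.ok);
    return 0;
}
```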
Facebook acknowledged our report of the vulnerability and moved quickly to patch affected servers. Here is the formal response from Facebook Security for our bug bounty report:
As a result of this discovery, Facebook has awarded Semmle a $10,000 bug bounty, stating via email, “while denial of service issues are typically not considered as part of our bug bounty program, this submission discussed scenarios which could have had significant risk.”
Semmle will be donating the Facebook bounty to Techtonica – which doubles to $20,000 per Facebook’s Bug Bounty Program Terms – as part of our commitment to improve the sharing of expertise in the software industry. In addition, Semmle is matching the original bounty amount of $10,000 with a donation to Kevin’s chosen charity, Community Servings.
Semmle takes coordinated disclosure very seriously. In accordance with our standard practice, the Semmle Security Research Team has collaborated with Facebook to ensure an effective patch is made available as quickly as possible. For more information about our security team, the research they do, and our disclosure policy, visit semmle.com/security.
We believe security is a shared responsibility. Our mission is to secure all software by bringing the security and development communities together.
Our technology scales any organization's security expertise using QL to quickly explore any codebase to discover new vulnerabilities and all their variants. We empower product security teams to deliver variant analysis results to development teams using LGTM to ship safe code and protect their customers. Together, Semmle's platform enables the security community to collaborate and share their expertise in the field of variant analysis and security research. Our technology is free to use on open source projects through the LGTM.com platform. At the time of writing, analysis results for over 130,000 projects are publicly available on LGTM.com.
Security and software engineering teams at Google, Microsoft, NASA, Nasdaq and Uber depend on Semmle to secure their code. Headquartered in San Francisco, Semmle is a privately held company funded by Accel, with additional offices in Oxford, Copenhagen, New York City, Seattle, and Valencia.