Home > News content

Facebook exception for the open source TLS library Fizz vulnerability rewards $ 10,000

via:博客园     time:2019/3/23 10:03:48     readed:212

Kevin Backhouse, a security researcher at Semmle, found a denial of service vulnerability triggered by a certificate overflow in Facebook's open source TLS library Fizz. Because of the high level of vulnerability, Facebook made an exception to award $10,000 for vulnerabilities that were no longer rewarded.

The following is an excerpt from the researcher's blog post:

Introduction to Fizz

The vulnerability is an infinite loop that can be triggered by an unverified remote attacker. Fizz is Facebook's TLS implementation, which means it's usedHttps://facebook.comIn the “https:” section. According to data released by Facebook on August 6, 2018, “We have deployed Fizz for mobile applications, Proxygen, load balancers, internal services and even the OUIC library mvfst on a global scale. More than 50% of internal traffic is currently protected by TLS 1.3. ”

Since Fizz is an open source project, other projects and organizations may be using it.

Vulnerability severity and mitigation measures

The effect of the vulnerability (CVE-2019-3560) is that an attacker can send malicious information over TCP to any server that uses the Fizz library and trigger an infinite loop on that server, causing the server to fail to respond to other clients. The vulnerability is classified as a denial of service (DoS) vulnerability because it causes an attacker to compromise the service rather than gain unauthorized access. Because the information is only 64KB in size, the cost of launching an attack is extremely low, but it is a significant risk to the server.

A computer with an abnormal civilian-grade Internet connection (1Mbps upload speed) can send two messages per second. Since each piece of information is targeted to a single CPU core, a small botnet is needed to quickly get the entire data center.

I did not find mitigations for this vulnerability, so it is recommended to update to the patched Fizz version v2019.02.25.00 as soon as possible.


I have written a PoC that triggered the vulnerability. It is a simple C program that opens the server's TCP socket and sends a malicious payload that is only 64KB in size. The program closes the socket as soon as the payload is sent, but the server cannot notice this because it is stuck in an infinite loop. I did not test the payload on a real website, but only tested it in the demo server application included in the Fizz source code. However, this vulnerability exists at the core of the Fizz library, not the demo application, so I thinkHttps://facebook.comThere is a risk before submitting a vulnerability.

Facebook has released a patch, but I will post the full details after other Fizz users have updated.

Brief technical analysis

This vulnerability is due to an integer overflow issue in += on line 42 of PlaintextRecordLayer.cpp:

Auto length = cursor.readBE<uint16_t >();

If (buf.chainLength () < (cursor - buf.front ()) + length) {

Return folly::none;


Length += sizeof (ContentType) + sizeof (ProtocolVersion) + sizeof (uint16_t );

buf.trimStart (length);

Continue ;

This code reads a uint16_t from the incoming network packet and assigns it to length. In other words, the length of length is controlled by the attacker. The if statement on line 2 appears to be a bounds check, but it's actually just checking that enough data has been received to continue parsing. That's why the code needs to send 64KB of data: the code does not trigger an integer overflow on line 5 until it receives at least length bytes. This utilization works by setting length = 0XFFFB. This means that after +=, the value of length is 0. It states that calling trimStart on line 7 does not consume any data, so no progress is made until the next iteration of the loop.

The way to fix the vulnerability is also simple: use a type greater than uint16_t to calculate the addition to avoid integer overflow problems.

However, I have not fully explained the full content of the use of the use. Setting length = 0XFFFB This step is easy, and I found it harder to figure out how to build the information that really triggers this line of code. After the Fizz user is updated, I will post the full details.

Vulnerability reward

On March 13, 2019, Facebook sent me an email informing me of a $10,000 reward. Their explanations are as follows:

& ldquo; This vulnerability could have caused a malicious attacker to trigger a denial of service against Facebook infrastructure. While our vulnerability award program does not usually cover such vulnerabilities, the report you submitted discusses scenarios with significant risks. ”


2019-02-20: Submitting a vulnerability through Facebook's white hat plan

2019-02-20: Facebook confirms that the vulnerability exists and is forwarded to the product team

2019-02-20: Facebook fixes all servers

2019-02-25: Facebook pushes fixes on GitHub

2019-03-13: Facebook confirms vulnerability rewards

2019-03-19: Semmle Company Disclosure CVE-2019-3560

The researcher has donated all the bounty to the charity Techtonica in accordance with the company's policy. According to Facebook's regulations, if you choose to donate, Facebook will donate the same amount, so the charity receives a donation of 20,000 US dollars.

Reference source:Lgtm, 360 code guards compiled and compiled, please indicate from FreeBuf.COM.

China IT News APP

Download China IT News APP

Please rate this news

The average score will be displayed after you score.

Post comment

Do not see clearly? Click for a new code.

User comments

Related news