Semmle announced today that it has found a critical denial of service (DoS) vulnerability in the Fizz project, Facebook’s open source implementation of the transport layer security (TLS) protocol. Fizz is used to facilitate secure communications with web services, and is used on most of Facebook’s internal and external infrastructure. The source code for Fizz was made open source by Facebook in August 2018, so it is likely used more widely by other organizations and open source projects. The vulnerability was reported on February 20, 2019 and fixed immediately. A patch was published on February 25, and the vulnerability has been assigned CVE-2019-3560.
Severity and mitigation
The vulnerability is relatively easy to trigger by an unauthenticated remote attacker, and causes an infinite loop in Fizz. As a result, the web service will become unavailable for any other users. While the vulnerability is classified as a denial of service because it enables an attacker to disrupt the service, it is not possible to gain unauthorized access to user data.
In a blog post about Fizz published in August of last year, Facebook engineers explained how Fizz is deployed:
We have deployed Fizz and TLS 1.3 globally in our mobile apps, Proxygen, our load balancers, our internal services, and even our QUIC library, mvfst. More than 50 percent of our internet traffic is now secured with TLS 1.3.
By exploiting this vulnerability, an attacker could potentially take down any infrastructure that relies on Fizz. Facebook has since upgraded its web services and is no longer vulnerable.
All other web applications that rely on Fizz are advised to upgrade their Fizz libraries as a matter of urgency. A patch for this vulnerability has been included in Fizz version 2019.02.25.00 (and later).
About the discovery
The vulnerability was discovered by Kevin Backhouse of the Semmle Security Research team. He used QL to model the attack surface of Fizz, and then used taint analysis to investigate whether attacker-controlled input could reach a dangerous operation. This uncovered an integer overflow in a 16-bit unsigned addition, leading to an infinite loop.
Fizz is written in a modern C++ style, so it’s unlikely to have something like a buffer overflow, which is so common in older C projects. That’s why I used QL to query for integer overflows instead. The overflow I found causes the code to enter an infinite loop, which could be used to launch a denial of service attack.
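As an added illustration (constructed for this write-up, not Fizz's own code, which is not reproduced here), the following C++ record parser shows the bug class described above: a length field added in 16-bit unsigned arithmetic wraps to zero, the read cursor stops advancing, and the loop never exits. The hardened version beside it bounds the declared length and does the arithmetic in size_t; the 5-byte header layout and the safety cap in the vulnerable loop are assumptions made so the demo runs and halts.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Constructed example, not Fizz's code: TLS-style records, each a 5-byte header
// (type, version, big-endian length) followed by the payload bytes.
constexpr size_t kHeaderSize = 5;
constexpr size_t kMaxPayload = 16384 + 256;  // TLS 1.3 ciphertext limit (RFC 8446)

// Build `count` records, each declaring `declaredLen` and carrying `payload` bytes.
std::vector<uint8_t> makeStream(uint16_t declaredLen, size_t payload, int count) {
  std::vector<uint8_t> out;
  for (int i = 0; i < count; ++i) {
    out.insert(out.end(), {0x17, 0x03, 0x03, uint8_t(declaredLen >> 8), uint8_t(declaredLen)});
    out.insert(out.end(), payload, uint8_t{0});
  }
  return out;
}

uint16_t readLength(const std::vector<uint8_t>& buf, size_t pos) {
  return static_cast<uint16_t>((buf[pos + 3] << 8) | buf[pos + 4]);
}

// Vulnerable pattern: header + length summed in 16-bit unsigned arithmetic. A declared
// length of 0xFFFB wraps the sum to 0, so the cursor never advances (the cap only halts the demo).
int countRecordsVulnerable(const std::vector<uint8_t>& buf) {
  size_t pos = 0;
  int records = 0;
  for (int i = 0; i < 10000; ++i) {
    if (buf.size() - pos < kHeaderSize) return records;
    uint16_t total = readLength(buf, pos) + kHeaderSize;  // narrowed to 16 bits
    if (buf.size() - pos < total) return records;         // incomplete: wait
    pos += total;                                         // += 0 once wrapped
    ++records;
  }
  return -1;  // would have looped forever
}

// Hardened: bound the declared length before using it and add in size_t, so
// every iteration either advances the cursor or leaves the loop.
int countRecordsHardened(const std::vector<uint8_t>& buf) {
  size_t pos = 0;
  int records = 0;
  while (buf.size() - pos >= kHeaderSize) {
    const size_t len = readLength(buf, pos);
    if (len > kMaxPayload) return -2;         // malformed: length out of range
    const size_t total = len + kHeaderSize;   // cannot wrap
    if (buf.size() - pos < total) break;      // incomplete: wait for more data
    pos += total;
    ++records;
  }
  return records;
}
```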
Facebook acknowledged our report of the vulnerability and moved quickly to patch affected servers. Here is the formal response from Facebook Security for our bug bounty report:
We greatly appreciate the time and energy the white-hat research community puts into helping us to keep the Facebook community safe. That is exactly why we have built our bug bounty program. In this particular case, we received a bug bounty report about a bug in Fizz (https://code.fb.com/security/fizz/), the open source TLS library, which could have allowed an attacker to cause denial of service issues.
No user content or information could have been impacted in that scenario. We have fixed the issue hours after receiving the report and shortly after pushed the fix to Fizz on GitHub to ensure that others in the open source community can update to prevent this type of issue. We have no evidence to suggest that our services or infrastructure have been impacted by this bug.
As a result of this discovery, Facebook has awarded Semmle a $10,000 bug bounty, stating via email, “while denial of service issues are typically not considered as part of our bug bounty program, this submission discussed scenarios which could have had significant risk.”
- 20 February 2019: Privately disclosed to Facebook's White Hat program.
- 20 February: Report acknowledged by Facebook and forwarded to their product team.
- 20 February: Facebook fixed and patched all servers internally.
- 25 February: Patch pushed to the Fizz GitHub repository: https://github.com/facebookincubator/fizz/commit/40bbb161e72fb609608d53b9d64c56bb961a6ee2
- 13 March: Bug bounty confirmed by Facebook.
- 19 March: CVE-2019-3560 disclosed by Semmle.
Semmle takes coordinated disclosure very seriously. In accordance with our standard practice, the Semmle Security Research Team has collaborated with Facebook to ensure an effective patch is made available as quickly as possible. For more information about our security team, the research they do, and our disclosure policy, visit semmle.com/security.
We believe security is a shared responsibility. Our mission is to secure all software by bringing the security and development communities together.
Our technology scales any organization's security expertise using QL to quickly explore any codebase to discover new vulnerabilities and all their variants. We empower product security teams to deliver variant analysis results to development teams using LGTM to ship safe code and protect their customers. Together, Semmle's platform enables the security community to collaborate and share their expertise in the field of variant analysis and security research. Our technology is free to use on open source projects through the LGTM.com platform. At the time of writing, analysis results for over 130,000 projects are publicly available on LGTM.com.
Security and software engineering teams at Google, Microsoft, NASA, Nasdaq and Uber depend on Semmle to secure their code. Headquartered in San Francisco, Semmle is a privately held company funded by Accel, with additional offices in Oxford, Copenhagen, New York City, Seattle, and Valencia.