This scenario is especially dangerous as it often goes undetected by developers. If you are building a system that will serve music — e.g. an online radio — or content that is licensed on a per-user basis, and you are using third party software with no audit capabilities, then you might have a very high risk of local denial of service. When it comes to user-licensed content, the content owner (e.g. record label or movie studio) is the only one who knows exactly what can be done with their content, and they are the only ones who can ensure that they are using the right license. If we are talking about a system like YouTube, where every user can upload any kind of content, it is hard to audit every single piece of uploaded content as it might be very difficult to determine what is actually allowed and what is not.
Local Denial of Service
Local denial of service (LDoS) is an attack in which attackers flood the victim computer with traffic, causing it to be unable to process legitimate requests.
This is especially dangerous as it often goes undetected by developers.
What does CVE-2022-38679 do?
An attack that exploits a buffer overflow flaw in third-party software. It is a type of DoS condition where, instead of simply crashing the application, a user can send it such an overwhelming amount of data, the application becomes overloaded and crashes.
The code in question is prone to buffer overflows. The attacker is able to send a request with a lot more data than it should be able to handle. The server then crashes because it cannot process all the incoming data.
Vulnerable software includes browsers and software libraries which have not been updated with security patches.
How to commit local denial of service
As the owner of a system where content is being served to users, you can commit local denial of service by making it possible for one user to consume more than his fair share of resources. This can be done with a single webpage or with larger architectural considerations.
First, you need to ensure that your server doesn't limit connections to the web application in any way. If your server has a TCP port open for incoming connections, then you should use this port for outgoing connections as well. If your server has more than one TCP port open, then you should make sure that both are used equally (e.g. one server might have an additional HTTP port open).
If there is no limitation on incoming and outgoing traffic, then you must account for the total number of active users. If there are only 1000 unique visitors, then each visitor would need 10 MB per hour of throughput from the server. However, if there are 5000 unique visitors each visiting at once and consuming 50 MB per hour of throughput from the server, then each visitor needs 5 MB per hour of throughput from the server.
Taking all these factors into account will help with determining how much capacity you will need on your servers and under what circumstances they may be required to be upgraded or replaced entirely.
Description of the vulnerability
This vulnerability is particularly dangerous; it often goes undetected by developers. If your system or application will serve content (e.g. an online radio), you might have a very high risk of local denial of service as the only ones that know what can be done with their content are the owners of the content.
If we are talking about a system like YouTube, where everyone can upload any kind of content, it is difficult to monitor uploaded content as it might be hard to determine what is allowed and what is not.
Timeline
Published on: 10/14/2022 19:15:00 UTC
Last modified on: 10/18/2022 18:53:00 UTC