Facebook Fizz project contained critical denial-of-service bug

• This serious vulnerability is the result of an integer overflow which subsequently leads to an infinite loop issue in Fizz.
• Facebook released patched version to address the denial-of-service vulnerability in Fizz.

Fizz, Facebook’s implementation of the TLS protocol, had a critical security flaw that could have enabled attackers to perpetrate DoS attacks on servers.

According to IT firm Semmle which found this flaw, the vulnerability can be triggered by an unauthenticated remote attacker and can possibly corrupt web services that use Fizz. Luckily, Facebook has patched this flaw in recent versions of Fizz.

What is the vulnerability?

• Integer overflows can cause the code to enter an infinite loop in Fizz and subsequently set off a DoS.
• The DoS flaw was uncovered using QL, Semmle’s platform for analyzing zero-day flaws and its variants.
• Attackers could simply rely on this flaw to launch large-scale attacks on Fizz based web services. However, it did not permit any loss of data.
• The vulnerability was reported in February this year. It was fixed as soon as it was discovered.
• As stated by Facebook, Fizz is deployed in mobile apps, load balancers, internal services, and QUIC library.

What is the issue - Kevin Backhouse, who identified and studied the flaw in detail, says that the integer overflows in Fizz are the root cause for the vulnerability.

“Fizz is written in a modern C++ style, so it’s unlikely to have something like a buffer overflow, which is so common in older C projects. That’s why I used QL to query for integer overflows instead. The overflow I found causes the code to enter an infinite loop, which could be used to launch a denial of service attack." said the Semmle security researcher.

What actions were taken - Once Backhouse informed Facebook of the flaw, the social media company fixed the overflow issue in a patch for new versions (2019.02.25.00 and later).