TLP Rating: Clear
HTTP/2 Rapid Reset Vulnerability, CVE-2023-44487
Release Date 12th of October 2023
CERT Vanuatu (CERTVU) and the Office of the Chief Information Officer (OGCIO) provide the following advisory of the above vulnerabilities.
On the 10th of October 2023, CERT Vanuatu received an advisory from its collaborating partner, Cybersecurity Infrastructure Security Agency (CISA) for a denial-of-service (DoS) vulnerability in HTTP/2 protocol. The Vulnerability (CVE-2023-44487), known as Rapid Reset, has been exploited in the wild in August 2023 through to October 2023.
What is it?
The HTTP/2 protocol allows a denial of service (Service resource consumption) because request cancellation can reset many streams quickly as it has been exploited in the wild.
HTTP/2 provides an optimized transport for HTTP semantics. HTTP/2 supports all of the core features of HTTP but aims to be more efficient than HTTP/1.1
Organizations that provide HTTP/2 Services include;
- Cloudflare https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/
- Google https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack
- AWS https://aws.amazon.com/security/security-bulletins/AWS-2023-011/
- NGINX https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/
- Microsoft https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/
The HTTP/2 vulnerability allows malicious actors to launch a DDOS attack targeting HTTP/2 Servers. The attack sends a set number of HTTP requests using HEADERS followed by RST_STREAM and repeating this pattern to generate a high volume of traffic on the targeted HTTP/2 servers. By packing multiple HEADERS and RST_STREAM frames in a single connection, attackers can cause a significant increase in the request per second and high CPU utilization on the servers that eventually can cause resource exhaustion.
What should I do to Stay Safe?
- It is recommended that organizations that provide HTTP/2 services to apply patches when available and consider configuration changes.
- Customers and administrators are recommended to patch web servers/proxies as quickly as possible
- Apply security measures on the application layer
- Recommend restricting internet access to your web applications where possible
- Download advisory (English): HTTP/2 Rapid Reset Vulnerability, CVE-2023-44487
- Download advisory (Bislama): HTTP/2 Rapid Reset Vulnerabiliti, CVE-2023-44487
- Download advisory (French): Vulnérabilité de réinitialisation rapide HTTP/2, CVE-2023-44487