Summary
CVE-2023-44487 is a recently disclosed denial-of-service vulnerability in the HTTP/2 protocol. Known as Rapid Reset, it was actively exploited in the wild from August 2023 to October 2023. Exploitation of this vulnerability has produced record-breaking DDoS attacks: Cloudflare reported a peak of 201 million requests per second, nearly tripling its previous largest reported attack. Record-breaking attacks have also been reported by other vendors, including Google and Amazon Web Services.
These attacks take advantage of the vulnerability together with the inherent capabilities of HTTP/2 streams. Streams, a feature of HTTP/2, essentially allow a 100-fold increase in the throughput of every HTTP request, which is great for efficiency but bad for DDoS resistance. Combining this ability with the RST_STREAM frame that HTTP/2 provides for cancelling a stream produces the rapid reset attack. Using RST_STREAM, the client can terminate and reset a stream immediately after opening it, then open another, sending new streams of requests one after another.
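The pattern described above (a stream opened and reset at once, over and over on one connection) is what server-side mitigations look for. The following added example, which is not code from the advisory or from any vendor, parses raw HTTP/2 frame headers and flags a connection whose reset count and immediate-reset ratio both exceed assumed thresholds; the frame builder, `reset_stats`, `is_rapid_reset`, the threshold values and the two sample byte streams are all constructed for this illustration.

```python
# HTTP/2 frame type codes from RFC 9113: HEADERS opens a request stream,
# RST_STREAM cancels it. Everything else here is this example's own.
HEADERS, RST_STREAM = 0x1, 0x3
CANCEL = 0x8  # RST_STREAM error code meaning "no longer needed"

def frame(ftype, stream_id, payload=b"", flags=0):
    """Build one raw HTTP/2 frame: 3-byte length, type, flags, 31-bit stream id."""
    header = len(payload).to_bytes(3, "big") + bytes([ftype, flags])
    return header + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload

def parse_frames(data):
    """Yield (type, stream_id) for every frame in a raw HTTP/2 byte stream."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype = data[off + 3]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        yield ftype, stream_id
        off += 9 + length

def reset_stats(data):
    """Per connection: streams opened, streams reset, and streams reset before
    any other stream was opened (the immediate-reset signature of the attack)."""
    opened, reset, instant = 0, 0, 0
    last_opened = None
    for ftype, sid in parse_frames(data):
        if ftype == HEADERS:
            opened += 1
            last_opened = sid
        elif ftype == RST_STREAM:
            reset += 1
            if sid == last_opened:  # reset arrived straight after the HEADERS
                instant += 1
                last_opened = None
    return {"opened": opened, "reset": reset, "instant_reset": instant}

def is_rapid_reset(data, max_resets=100, max_ratio=0.5):
    """Flag a connection that exceeds an absolute reset budget AND immediately
    resets most of the streams it opens (assumed thresholds; tune per server)."""
    s = reset_stats(data)
    return s["reset"] > max_resets and s["instant_reset"] > max_ratio * s["opened"]

# Constructed samples: a normal client cancelling one of ten requests, and an
# attacking client opening and immediately resetting 500 streams.
END = 0x5  # END_STREAM | END_HEADERS flags on a complete request
NORMAL = b"".join(frame(HEADERS, i, flags=END) for i in range(1, 21, 2))
NORMAL += frame(RST_STREAM, 7, CANCEL.to_bytes(4, "big"))
ATTACK = b"".join(frame(HEADERS, i, flags=END) + frame(RST_STREAM, i, CANCEL.to_bytes(4, "big"))
                  for i in range(1, 1001, 2))
```

Real servers apply the same idea per connection over a time window (a reset budget, then close the connection), which is the mitigation the patches referenced below implement.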
Impact assessment
The existence of CVE-2023-44487 on an organization’s network makes a catastrophic DDoS attack on a web server possible, one that would greatly hinder the availability of cloud services and web connections. The potency of this HTTP/2 vulnerability is unlike anything previously seen among attacks on availability.
What this means for you
This vulnerability allows an attacker to potentially block all access to any public-facing server running HTTP/2 by means of a denial-of-service attack. Any cloud-based or in-house application that is hosted on or routed through a web server running HTTP/2, and that has not been mitigated or patched against this vulnerability, is at great risk of disruption.
Remediation
There are patches and workarounds available for this vulnerability.
- Use a vulnerability scanning tool, or otherwise inventory all web servers your organization uses, to determine which patch each one needs. Microsoft, for example, has released patches for affected Windows Server versions. If you use a cloud service, contact the provider and confirm that it has mitigated or patched this vulnerability.
- A temporary workaround is to disable the HTTP/2 protocol in your web server (on Windows servers, via the Registry Editor). Falling back to HTTP/1.1 temporarily prevents this vulnerability from being exploitable.
Business Implications
There are several business implications of this vulnerability, and they coincide with those of all distributed denial-of-service attacks. First, any publicly available service is susceptible, including APIs, web pages, email services, and DNS services; a successful attack renders the service completely inoperable. This can cause financial loss, reputation loss, and data loss: customers unable to interact with an online store or online service, and information lost to server overload, are potential consequences of an attack such as this.
Access Point Technology Recommends
- Update: Identify which web servers are affected by this vulnerability and patch.
- Mitigate: Apply mitigations if an update is unavailable.
- Understand DDoS attacks: Follow CISA’s recommendations in Understanding and Responding to Distributed Denial of Service Attacks. Having the correct network infrastructure and mitigations in place will prevent denial-of-service attacks from having a large impact on business operations.
Associated Bulletins
https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487
https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487
https://www.cisa.gov/sites/default/files/publications/understanding-and-responding-to-ddos-attacks_508c.pdf