CVE-2023-44487

CVE-2023-44487 is a vulnerability that has been discovered in the HTTP/2 protocol. This vulnerability, also known as the HTTP/2 Rapid Reset Attack, allows attackers to initiate a denial-of-service (DoS) attack against internet-exposed HTTP/2 endpoints. The vulnerability was first exploited in the wild between August and October 2023.

The HTTP/2 protocol is widely used by web servers to improve website performance and security. The Rapid Reset Attack works by exploiting the way the protocol handles request cancellations, which can quickly reset many streams and consume server resources. This vulnerability can lead to an overload of resources, resulting in a DoS attack.

The impact of CVE-2023-44487 is significant, as it affects any internet-exposed HTTP/2 endpoints. This includes many popular websites and web applications. The vulnerability has prompted immediate action from industry leaders, including Microsoft, which has launched an investigation and is working on a coordinated disclosure and mitigation plan.

Key Takeaways

  • CVE-2023-44487 is a vulnerability in the HTTP/2 protocol that allows attackers to initiate a denial-of-service attack against internet-exposed HTTP/2 endpoints.
  • The vulnerability was first exploited in the wild between August and October 2023.
  • The impact of CVE-2023-44487 is significant, and industry leaders are taking immediate action to investigate and mitigate the risk.

Understanding CVE-2023-44487

CVE-2023-44487 is a vulnerability that affects the HTTP/2 protocol, allowing a denial of service (DoS) attack that consumes server resources. The vulnerability, also known as Rapid Reset, was first exploited in the wild from August 2023 through October 2023.

The HTTP/2 protocol is used to transfer data between web servers and clients, improving website performance and security. However, the Rapid Reset vulnerability can be exploited by attackers to reset many streams quickly, resulting in server resource consumption and a denial of service.

This vulnerability has been a concern for many organizations and vendors since it was first discovered. Researchers and vendors have been working on patches and fixes to mitigate the vulnerability and prevent further exploitation.

Microsoft, one of the leading vendors in the industry, has promptly responded to the vulnerability by releasing patches to address the issue and protect their customers. AWS has also released a security bulletin to make their customers aware of the vulnerability and provide guidance on how to mitigate the risk.

CVE-2023-44487 is a serious vulnerability that affects the HTTP/2 protocol, allowing attackers to exhaust server resources and cause a denial of service. Organizations and vendors should take immediate action to address the vulnerability and protect their systems from further exploitation.

Impact of CVE-2023-44487

The impact of the CVE-2023-44487 vulnerability is that it can cause web servers to become unresponsive or crash, leading to downtime and potentially significant financial losses. The vulnerability can also be used as part of a DDoS attack, where multiple attackers use the vulnerability to overload web servers and take them offline.

Several vendors and researchers have disclosed the CVE-2023-44487 vulnerability, including Microsoft, Qualys, Palo Alto Networks, and AWS. These vendors have released advisories and patches to address the vulnerability.

Affected Platforms

The CVE-2023-44487 vulnerability affects any internet-exposed HTTP/2 endpoints. As such, any platform that uses the HTTP/2 protocol is potentially vulnerable.

Cloudflare, a prominent content delivery network, has acknowledged the vulnerability and has advised its customers to apply patches as soon as they become available. Similarly, Google has released a patch for its Chrome browser, which uses the HTTP/2 protocol. Nginx, a popular web server, has also released a patch for the vulnerability.

Microsoft, which uses the HTTP/2 protocol in its IIS web server and .NET framework, has released a security update to address the vulnerability. Amazon Web Services (AWS), which offers HTTP/2 support in its Elastic Load Balancing service, has also released a patch.

Windows, which includes the IIS web server, is also affected by the vulnerability. Microsoft has released a security update for Windows to address the issue.

Mitigation and Patching

Patch Availability

Many vendors have released patches to address the issue. Organizations are recommended to apply the patches when they become available. Microsoft, for instance, has released a patch to mitigate the vulnerability, and AWS has also released a security bulletin regarding the vulnerability.

Mitigation Strategies

In addition to applying patches, organizations can also implement various mitigation strategies to protect themselves from the Rapid Reset vulnerability. Some recommended strategies include:

  • Disabling HTTP/2: Turning off HTTP/2 support removes the Rapid Reset attack surface entirely. However, this can impact the performance of the server, and it may not be a viable option for all organizations.
  • Implementing Rate-Limiting: Organizations can implement rate-limiting to limit the number of requests that a client can make over a specific period. This can help prevent attackers from overloading their servers with HTTP/2 requests.

While these mitigation strategies can help protect organizations from the Rapid Reset vulnerability, they may not be foolproof. It is recommended that organizations apply patches as soon as possible to address the vulnerability.

Role of Federal Agencies

Federal agencies play a critical role in ensuring the security and stability of the country’s digital infrastructure. In response to the HTTP/2 Rapid Reset vulnerability, CVE-2023-44487, the Cybersecurity and Infrastructure Security Agency (CISA) has issued guidance to federal agencies on how to protect their systems from potential attacks.

CISA recommends that federal agencies that provide HTTP/2 services apply patches as soon as they become available and consider configuration changes to mitigate the vulnerability. Additionally, CISA has provided guidance on how to detect and respond to potential DDoS attacks that exploit the vulnerability.

Federal agencies are encouraged to follow CISA’s guidance closely and take appropriate steps to protect their systems. This includes monitoring their networks for suspicious activity and implementing strong security measures to prevent unauthorized access.

Research and Disclosure

In September 2023, industry partners notified Microsoft of a newly identified Distributed Denial-of-Service (DDoS) attack technique being used in the wild against the HTTP/2 protocol. This vulnerability, known as CVE-2023-44487, impacts any internet-exposed HTTP/2 endpoints.

The vulnerability was discovered and reported by Google, Cloudflare, and Amazon. They documented the zero-day technique under the vulnerability identifier CVE-2023-44487. The attack magnitudes reported were astonishing, with Amazon mitigating attacks at a rate of 155 million requests per second.

Microsoft was quick to respond to the vulnerability and released a security update to address the issue. This update was made available on October 10, 2023. They also published a blog post on their website detailing their response to the DDoS attacks.

The coordinated disclosure of the vulnerability by the researchers involved ensured that vendors were made aware of the issue and could take appropriate action to address it. Together with the prompt response of the researchers, this process allowed for a more efficient, timely and effective response, helping to minimize the impact of the vulnerability and reduce the risk of exploitation by attackers.

Future Implications

The discovery of the CVE-2023-44487 vulnerability and its exploitation in DDoS attacks has significant implications for the future of web security. As web server vendors work to patch the vulnerability, attackers may shift their focus to other vulnerabilities or develop new methods of attack.

The use of botnets in DDoS attacks is also a concerning trend, as it allows attackers to amplify the impact of their attacks by using multiple compromised devices. As the number of connected devices continues to grow, the potential for large-scale botnet attacks increases.

Web server vendors will need to remain vigilant in their efforts to identify and patch vulnerabilities, while also educating their users on best practices for securing their servers. This includes regularly updating software and implementing strong access controls.

The discovery of the CVE-2023-44487 vulnerability highlights the ongoing need for strong web security measures and the importance of staying up-to-date with the latest threats and vulnerabilities.

Technical Aspects

HTTP/2 Rapid Reset

HTTP/2 is a protocol for transferring data over the internet, and it is designed to improve website loading speeds and reduce latency. However, it is not immune to attacks. In August 2023, unusually large HTTP attacks hit many of Cloudflare’s customers. These attacks were detected and mitigated by their automated DDoS system. However, the attacks grew to record-breaking sizes, eventually peaking just above 201 million requests per second.

This attack technique is known as HTTP/2 Rapid Reset, and it exploits a vulnerability in the protocol. The attacking client opens a large number of streams and immediately cancels each one with an RST_STREAM frame. The server has already accepted and begun processing each request, so it pays the cost of the work, while the cancelled stream no longer counts against the client’s concurrent-stream limit and the client can keep opening new ones. The attack is particularly effective because it can be launched with a relatively small number of connections.

Stream Multiplexing

HTTP/2 introduces a new feature called stream multiplexing, which allows multiple requests to be sent over a single connection. This means that the server can send multiple responses at the same time, which can significantly improve website loading speeds. Stream multiplexing works by dividing data into small units called frames, which are then sent over the connection.

One of the frames used in stream multiplexing is the RST_STREAM frame, which is used to reset a stream. Either endpoint may send it: a server uses it to indicate that it is unable to process a request or that it has encountered an error, and a client uses it to cancel a request it no longer needs. When an endpoint receives an RST_STREAM frame, it must stop sending data on that stream.

Stream multiplexing is a powerful feature, but it also introduces some complexity. In particular, it introduces the concept of concurrent streams, which are streams that are processed at the same time. The number of concurrent streams that can be processed at the same time is limited by the server, and this limit is negotiated during the initial connection setup.

In summary, HTTP/2 introduces a powerful feature called stream multiplexing, which allows multiple requests to be sent over a single connection. However, it also introduces some complexity, particularly in the area of concurrent streams and the RST_STREAM frame.
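The following is an added illustration, not code from this page or from any vendor: a small Python model of the stream accounting described in the HTTP/2 Rapid Reset and Stream Multiplexing sections, together with the shape of the rate-limiting mitigation recommended under Mitigation Strategies. One connection is represented as a constructed list of frames (HEADERS opens a client stream, RST_STREAM cancels it), the server keeps the counters a real implementation would keep, and a per-connection reset budget stands in for the vendor fixes. The names (`ServerConnection`, `run`, `rapid_reset_trace`), the advertised concurrency limit of 100 and the budget of 200 resets are all assumptions made for the example.

```python
"""Toy model of HTTP/2 stream accounting under the Rapid Reset pattern.

Added illustration, not code from this page or from any vendor. One
connection is modelled as a list of frames: HEADERS opens a client
stream, RST_STREAM cancels it. The server-side counters show why the
pattern is cheap for the client and expensive for the server, and a
per-connection reset budget shows the shape of a defensive fix. All
numeric limits below are assumptions chosen for the illustration.
"""
from dataclasses import dataclass, field
from typing import Optional

# Value the server advertises as SETTINGS_MAX_CONCURRENT_STREAMS (assumed).
MAX_CONCURRENT_STREAMS = 100


@dataclass
class Frame:
    kind: str        # "HEADERS" or "RST_STREAM"
    stream_id: int   # client-initiated stream ids are odd


@dataclass
class ServerConnection:
    """Server-side bookkeeping for a single HTTP/2 connection."""
    reset_budget: Optional[int] = None   # None = unpatched behaviour
    open_streams: set = field(default_factory=set)
    peak_open: int = 0          # highest concurrent stream count observed
    work_units: int = 0         # requests dispatched to backend handlers
    protocol_errors: int = 0    # HEADERS refused for exceeding the limit
    resets_seen: int = 0        # RST_STREAM frames received from the client
    closed: bool = False        # True once the server has sent GOAWAY

    def handle(self, frame: Frame) -> None:
        if self.closed:
            return                       # frames after GOAWAY are ignored
        if frame.kind == "HEADERS":
            if len(self.open_streams) >= MAX_CONCURRENT_STREAMS:
                self.protocol_errors += 1    # limit enforced, request refused
                return
            self.open_streams.add(frame.stream_id)
            self.peak_open = max(self.peak_open, len(self.open_streams))
            # The request is accepted and dispatched right away; a later
            # cancellation does not refund this cost.
            self.work_units += 1
        elif frame.kind == "RST_STREAM":
            # The stream closes at once and its slot is free for a new one,
            # which is what lets the client stay under the advertised limit.
            self.open_streams.discard(frame.stream_id)
            self.resets_seen += 1
            if self.reset_budget is not None and self.resets_seen > self.reset_budget:
                self.closed = True           # hardened server: send GOAWAY


def rapid_reset_trace(n_requests: int) -> list:
    """Constructed trace: open a stream and cancel it immediately, n times."""
    frames = []
    for i in range(n_requests):
        sid = 2 * i + 1
        frames.append(Frame("HEADERS", sid))
        frames.append(Frame("RST_STREAM", sid))
    return frames


def open_only_trace(n_requests: int) -> list:
    """Constructed trace: a client that opens n streams and cancels none
    (a snapshot before the server has answered any of them)."""
    return [Frame("HEADERS", 2 * i + 1) for i in range(n_requests)]


def run(frames: list, reset_budget: Optional[int] = None) -> ServerConnection:
    """Feed a frame trace to a fresh connection and return its counters."""
    conn = ServerConnection(reset_budget=reset_budget)
    for frame in frames:
        conn.handle(frame)
    return conn


if __name__ == "__main__":
    # Without cancellations the concurrency limit caps the work per connection.
    naive = run(open_only_trace(1000))
    print("open-only            : work", naive.work_units,
          "refused", naive.protocol_errors)
    # With immediate cancellations every request is accepted, peak
    # concurrency never exceeds one stream, and no protocol error is raised.
    unpatched = run(rapid_reset_trace(1000))
    print("rapid-reset unpatched: work", unpatched.work_units,
          "peak open", unpatched.peak_open, "refused", unpatched.protocol_errors)
    # A reset budget bounds the work the same trace can extract.
    hardened = run(rapid_reset_trace(1000), reset_budget=200)
    print("rapid-reset hardened : work", hardened.work_units,
          "closed", hardened.closed)
```

The open-only trace shows the concurrency limit working as designed, and the rapid-reset trace shows why that limit alone does not help: the server accepts every request while `peak_open` never exceeds one. The budget is deliberately a plain counter to keep the model short; a production implementation would measure resets per time window, because legitimate clients also send RST_STREAM (for example when a user navigates away), so the threshold is a trade-off between resource protection and false positives.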

Frequently Asked Questions

What is the CVE-2023-44487 vulnerability?

CVE-2023-44487 is a vulnerability found in the HTTP/2 protocol that allows a denial of service (DoS) attack. The vulnerability was discovered in August 2023 and was under active attack at that time. The technique leverages the “stream multiplexing” feature of HTTP/2, wherein numerous requests and subsequent immediate cancellations cause substantial server-side workload with minimal client-side attacker cost.

How does CVE-2023-44487 affect Apache?

Apache is one of the web servers that can be affected by CVE-2023-44487. However, the impact of the vulnerability on Apache is relatively low. Apache has a built-in mechanism that limits the number of requests that can be made per connection, which makes it less susceptible to the attack.

What is the impact of CVE-2023-44487 on Nginx?

Nginx is also one of the web servers that can be affected by CVE-2023-44487. The impact of the vulnerability on Nginx is significant. Nginx does not have a built-in mechanism to limit the number of requests that can be made per connection, which makes it more susceptible to the attack.

What is the fix for CVE-2023-44487?

The fix for CVE-2023-44487 involves updating the affected web servers to the latest version. Most web server vendors have released patches to address the vulnerability. Users are advised to update their web servers to the latest version to protect against the vulnerability.

Is F5 affected by CVE-2023-44487?

Yes, F5 is one of the vendors whose products are affected by CVE-2023-44487. F5 has released patches to address the vulnerability. Users are advised to update their F5 products to the latest version to protect against the vulnerability.

What is Tenable’s response to CVE-2023-44487?

Tenable has released a plugin to detect CVE-2023-44487. The plugin is designed to check if the web server is vulnerable to the attack. Users are advised to use the plugin to assess their web servers’ vulnerability to the attack and take appropriate measures to protect against the vulnerability.