[CDP-development] TLP:GREEN (DoS Vulnerability Alert Notification) CVE-2023-44487 - HTTP/2 Rapid Reset Vulnerability

CSS Security Operations Services * DAS css-soc-services at das.oregon.gov
Tue Oct 10 15:53:31 PDT 2023


Good afternoon,

The SOC Services team is reporting on the vulnerability CVE-2023-44487, HTTP/2 Rapid Reset. Because of its high visibility and our knowledge of the software installed in the state environment, we are providing this in-depth information:

History: On October 10, 2023, CISA added CVE-2023-44487 to its Known Exploited Vulnerabilities (KEV) catalog. CVE-2023-44487, known as Rapid Reset, is a denial-of-service (DoS) vulnerability in the HTTP/2 protocol itself, not in a single product, and it was used in the largest DDoS attacks the providers below report having mitigated.

Peak rates from mitigated attacks (requests per second, rps):

  *   Google Cloud: above 398 million rps
  *   Cloudflare: 201 million rps
  *   Amazon: 155 million rps

CISA recommends organizations that provide HTTP/2 services apply patches when available and consider configuration changes and other mitigations discussed in the references below. For more information on Rapid Reset, see:

  *   Cloudflare: HTTP/2 Rapid Reset: deconstructing the record-breaking attack<https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/>
  *   Google: How it works: The novel HTTP/2 'Rapid Reset' DDoS attack<https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack>
  *   AWS: CVE-2023-44487 - HTTP/2 Rapid Reset Attack<https://aws.amazon.com/security/security-bulletins/AWS-2023-011/>
  *   NGINX: HTTP/2 Rapid Reset Attack Impacting NGINX Products<https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/>

Organizations can take proactive steps to reduce the effects of DoS attacks. See the following guidance for more information:

  *   CISA: Understanding and Responding to Distributed Denial-of-Service Attacks<https://www.cisa.gov/sites/default/files/publications/understanding-and-responding-to-ddos-attacks_508c.pdf>
  *   CISA: Additional DDoS Guidance for Federal Agencies<https://www.cisa.gov/sites/default/files/publications/ceg-additional-ddos-guidance-for-federal-agencies_508c.pdf>

Intelligence: CVE-2023-44487 has been confirmed as exploited in the wild between August and October 2023.

Workarounds: Workarounds are vendor specific; see the vendor references above for the settings that apply to each product.

How it works: CVE-2023-44487 allows malicious actors to launch a DDoS attack against any HTTP/2 server. On a single connection the client opens a stream with a HEADERS frame (a request) and immediately cancels it with an RST_STREAM frame, then repeats this pattern as fast as the link allows. The cancellation is nearly free for the client, but by the time RST_STREAM arrives the server has already parsed the headers and started work on the request. Because a cancelled stream no longer counts toward the server's SETTINGS_MAX_CONCURRENT_STREAMS limit, the attacker can push an unbounded number of requests through one connection without ever exceeding the concurrency limit that would normally throttle it. Packing many HEADERS and RST_STREAM pairs into each connection drives requests per second and CPU utilization on the target far above what ordinary clients produce and eventually exhausts server resources.
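As an added example (not part of this advisory and not any vendor's code), the following Python script builds the HEADERS + RST_STREAM frame sequence described above, parses it back from the HTTP/2 wire format, and applies the kind of per-connection reset-rate policy that vendors used as a mitigation. The HPACK header block, the traffic samples and the threshold values are constructed assumptions for illustration, not vendor defaults.

```python
"""Build, parse and score HTTP/2 Rapid Reset traffic (constructed example).

Frame layout per RFC 7540 section 4.1:
  24-bit length | 8-bit type | 8-bit flags | 1 reserved bit + 31-bit stream id | payload
"""
import struct
from dataclasses import dataclass
from typing import Iterator, Tuple

# Frame type codes, flags and the CANCEL error code from RFC 7540.
HEADERS = 0x1
RST_STREAM = 0x3
ERR_CANCEL = 0x8
FLAG_END_STREAM = 0x1
FLAG_END_HEADERS = 0x4
# Constructed HPACK block: ':method GET' (static index 2) + ':path /' (static index 4).
GET_ROOT = b"\x82\x84"


def build_frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """Serialize one HTTP/2 frame: 9-byte header followed by the payload."""
    if not 0 <= stream_id < 2 ** 31:
        raise ValueError("stream id must fit in 31 bits")
    if len(payload) >= 2 ** 24:
        raise ValueError("payload exceeds the 24-bit length field")
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack(">I", stream_id) + payload)


def iter_frames(data: bytes) -> Iterator[Tuple[int, int, int, bytes]]:
    """Yield (type, flags, stream_id, payload) for each complete frame; stop at a truncated one."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack(">I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        body = off + 9
        if body + length > len(data):
            break  # incomplete frame: do not guess at its contents
        yield ftype, flags, stream_id, data[body:body + length]
        off = body + length


def rapid_reset_burst(n: int) -> bytes:
    """Attacker traffic: n requests, each opened with HEADERS and cancelled at once."""
    out = bytearray()
    for i in range(n):
        sid = 2 * i + 1  # client-initiated streams use odd ids
        out += build_frame(HEADERS, FLAG_END_STREAM | FLAG_END_HEADERS, sid, GET_ROOT)
        out += build_frame(RST_STREAM, 0, sid, struct.pack(">I", ERR_CANCEL))
    return bytes(out)


def benign_traffic(n_requests: int, n_cancelled: int) -> bytes:
    """Ordinary client: opens n_requests streams, then cancels the first n_cancelled."""
    out = bytearray()
    for i in range(n_requests):
        out += build_frame(HEADERS, FLAG_END_STREAM | FLAG_END_HEADERS, 2 * i + 1, GET_ROOT)
    for i in range(n_cancelled):
        out += build_frame(RST_STREAM, 0, 2 * i + 1, struct.pack(">I", ERR_CANCEL))
    return bytes(out)


@dataclass
class ConnectionStats:
    opened: int           # streams the client opened with HEADERS
    resets: int           # RST_STREAM frames the client sent for those streams
    peak_concurrent: int  # most streams open at once (what SETTINGS_MAX_CONCURRENT_STREAMS bounds)
    abusive: bool         # whether the reset-rate policy would close this connection


def analyze_connection(data: bytes, min_resets: int = 100,
                       max_reset_ratio: float = 0.5) -> ConnectionStats:
    """Replay one connection's client-to-server frames and apply a reset-rate policy.

    The connection is judged abusive once the client has cancelled at least
    min_resets streams and more than max_reset_ratio of the streams it opened.
    Both thresholds are illustrative assumptions.
    """
    seen, open_streams = set(), set()
    resets = peak = 0
    for ftype, _flags, sid, _payload in iter_frames(data):
        if ftype == HEADERS and sid not in seen:
            seen.add(sid)
            open_streams.add(sid)
            peak = max(peak, len(open_streams))
        elif ftype == RST_STREAM and sid in open_streams:
            open_streams.discard(sid)
            resets += 1
    opened = len(seen)
    ratio = resets / opened if opened else 0.0
    abusive = resets >= min_resets and ratio > max_reset_ratio
    return ConnectionStats(opened, resets, peak, abusive)


if __name__ == "__main__":
    print(analyze_connection(rapid_reset_burst(1000)))
    print(analyze_connection(benign_traffic(40, 2)))
```

The point to notice in the output is peak_concurrent: a burst of 1,000 cancelled requests never has more than one stream open at a time, so a concurrency limit alone cannot stop it, while the reset count and reset-to-open ratio separate it cleanly from a normal client that cancels a couple of requests.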

Post-Exploit: Upon successful exploitation, a threat actor can exhaust the CPU and memory of the HTTP/2 service and deny service to legitimate users; the vulnerability does not give the attacker code execution or access to data.

As of October 10, 2023, the following vulnerability plugins are currently in Tenable Security Center (plugin ID, title, severity):

  *   182812<https://www.tenable.com/plugins/nessus/182812> - Apache Tomcat 11.0.0.M1 < 11.0.0.M12 multiple vulnerabilities - High
  *   182811<https://www.tenable.com/plugins/nessus/182811> - Apache Tomcat 8.5.0 < 8.5.94 multiple vulnerabilities - High
  *   182809<https://www.tenable.com/plugins/nessus/182809> - Apache Tomcat 9.0.0.M1 < 9.0.81 multiple vulnerabilities - High
  *   182818<https://www.tenable.com/plugins/nessus/182818> - Apache Tomcat 10.1.0.M1 < 10.1.14 multiple vulnerabilities - Medium

Recommended Actions:

  *   Verify the host has not been compromised before applying patches.
  *   Apply the appropriate vendor updates to vulnerable systems immediately after appropriate testing.
  *   Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  *   Apply the Principle of Least Privilege to all systems and services.
