[CDP-development] TLP:GREEN UPDATED (DoS Vulnerability Alert Notification) CVE-2023-44487 - HTTP/2 Rapid Reset Vulnerability
CSS Security Operations Services * DAS
css-soc-services at das.oregon.gov
Thu Oct 26 10:30:44 PDT 2023
Good morning,
The previous alert has been updated. Updated information has been added in red.
The SOC Services team is reporting on the vulnerability: CVE-2023-44487 HTTP/2 Rapid Reset Vulnerability. Due to its high visibility and knowledge of the software installed in the state environment, we are providing this in-depth information:
History: On October 10, 2023, CISA added CVE-2023-44487 to the Known Exploited Vulnerabilities catalog. CVE-2023-44487 is a denial-of-service (DoS) vulnerability known as Rapid Reset that impacts the HTTP/2 protocol, and it was exploited in the largest DDoS attacks mitigated to date.
Stats from mitigated attacks:
* Google Cloud: above 398 million rps
* Cloudflare: 201 million rps
* Amazon: 155 million rps
CISA recommends organizations that provide HTTP/2 services apply patches when available and consider configuration changes and other mitigations discussed in the references below. For more information on Rapid Reset, see:
* Cloudflare: HTTP/2 Rapid Reset: deconstructing the record-breaking attack<https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/>
* Google: How it works: The novel HTTP/2 'Rapid Reset' DDoS attack<https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack>
* AWS: CVE-2023-44487 - HTTP/2 Rapid Reset Attack<https://aws.amazon.com/security/security-bulletins/AWS-2023-011/>
* NGINX: HTTP/2 Rapid Reset Attack Impacting NGINX Products<https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/>
Organizations can take proactive steps to reduce the effects of DoS attacks. See the following guidance for more information:
* CISA: Understanding and Responding to Distributed Denial-of-Service Attacks<https://www.cisa.gov/sites/default/files/publications/understanding-and-responding-to-ddos-attacks_508c.pdf>
* CISA: Additional DDoS Guidance for Federal Agencies<https://www.cisa.gov/sites/default/files/publications/ceg-additional-ddos-guidance-for-federal-agencies_508c.pdf>
Intelligence: CVE-2023-44487 has been confirmed as exploited in the wild between August 2023 and October 2023. As of October 26, 2023, Cloudflare is seeing a surge of Rapid Reset DDoS attacks.
Cloudflare has provided detailed information regarding the HTTP/2 Rapid Reset attacks which can be found here: https://blog.cloudflare.com/ddos-threat-report-2023-q3/
Workarounds: Workarounds are vendor specific.
How it works: The CVE-2023-44487 HTTP/2 vulnerability allows malicious actors to launch a DDoS attack against HTTP/2 servers. The attack opens a set number of HTTP requests using HEADERS frames, immediately follows each with a RST_STREAM frame, and repeats this pattern to generate a high volume of traffic on the targeted HTTP/2 servers. By packing many HEADERS and RST_STREAM frames into a single connection, attackers cause a significant increase in requests per second and high CPU utilization on the servers, which can eventually lead to resource exhaustion.
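The per-connection reset-rate check below illustrates the class of mitigation the vendor references describe (count RST_STREAM frames per connection in a sliding window and close connections that exceed a threshold). It is an added example for this alert, not code from any vendor, and it works on constructed frame tuples rather than live traffic; the threshold values and the `RapidResetDetector` name are assumptions.

```python
from collections import deque

# HTTP/2 frame type codes (RFC 9113, section 6)
HEADERS = 0x1
RST_STREAM = 0x3


class RapidResetDetector:
    """Flag a connection whose client sends more than max_resets RST_STREAM
    frames inside any window_s-second sliding window.
    Threshold values are assumed for this example, not vendor defaults."""

    def __init__(self, max_resets=50, window_s=1.0):
        self.max_resets = max_resets
        self.window_s = window_s
        self._resets = {}      # conn_id -> deque of RST_STREAM timestamps
        self.flagged = set()   # connections that crossed the threshold

    def observe(self, conn_id, frame_type, ts):
        """Feed one client-to-server frame; return True when the connection
        has crossed the threshold and should be closed."""
        if frame_type != RST_STREAM:
            return False
        q = self._resets.setdefault(conn_id, deque())
        q.append(ts)
        while ts - q[0] > self.window_s:   # drop resets outside the window
            q.popleft()
        if len(q) > self.max_resets:
            self.flagged.add(conn_id)
            return True
        return False


def build_sample_frames():
    """Constructed traffic as (conn_id, frame_type, stream_id, ts) tuples:
    one normal client cancelling a few requests, one Rapid Reset pattern."""
    frames = []
    for i in range(10):      # benign: 10 cancelled requests spread over 2 s
        frames.append(("conn-benign", HEADERS, 1 + 2 * i, 0.2 * i))
        frames.append(("conn-benign", RST_STREAM, 1 + 2 * i, 0.2 * i + 0.05))
    for i in range(200):     # abusive: 200 HEADERS/RST_STREAM pairs in 0.1 s
        frames.append(("conn-abusive", HEADERS, 1 + 2 * i, 0.0005 * i))
        frames.append(("conn-abusive", RST_STREAM, 1 + 2 * i, 0.0005 * i))
    return frames


def flagged_connections(frames, max_resets=50, window_s=1.0):
    """Run the detector over a frame list and return flagged connections."""
    det = RapidResetDetector(max_resets, window_s)
    for conn_id, frame_type, _stream_id, ts in frames:
        det.observe(conn_id, frame_type, ts)
    return sorted(det.flagged)
```

Running `flagged_connections(build_sample_frames())` returns `['conn-abusive']`; a server-side mitigation would close that connection, while the benign client's occasional cancellations stay under the threshold.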
Post-Exploit: Upon successful exploitation of the vulnerability, a threat actor could execute denial-of-service attacks.
As of October 26, 2023, there are a total of 172 plugins for Rapid Reset that have been provided by Tenable. Three of the plugins are for Tenable WAS and the rest for Nessus Security Center.
A link to all available plugins can be found here: https://www.tenable.com/plugins/search?q=%22cve-2023-44487%22%20AND%20cves%3A(%22CVE-2023-44487%22)&sort=&page=1
The updated plugins scan for the following systems. Please note that other services also have plugins.
* Red Hat
* Amazon
* Alma Linux
* F5 Networks
* Rocky Linux
* Oracle Linux
* Ubuntu Linux
* Windows
* Fedora Linux
* SuSE Linux
* CentOS Linux
* Debian Linux
* Apache Tomcat
Because the number of available plugins is very large, an alternative to searching by plugin is to search Nessus Security Center by CVE. To do this, follow the instructions below:
* Click Analysis
* Select Vulnerabilities
* On the left hand side of the screen click the filter icon which looks like ">".
* Click + Customize
* Scroll down and select CVE ID
* Click CVE ID to expand
* Search for CVE-2023-44487
* Click apply and your search results will appear
Recommended Actions:
* Verify the host has not been compromised before applying patches.
* Apply the appropriate updates provided by the vendor to vulnerable systems immediately after appropriate testing.
* Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
* Apply the Principle of Least Privilege to all systems and services.
Cyber Security Services
State of Oregon Cyber Security Services
Enterprise Information Services | SOC
Cyber Security Services (CSS)
SOC Hotline: (503) 378-5930 | SOC Services (503) 373-0378
"Ensuring user-friendly, reliable and secure state technology systems that serve Oregonians."