CVE-2023-44487 - HTTP/2 Rapid Reset Attack
17074
Created On 10/11/23 19:12 PM - Last Modified 10/07/24 16:10 PM
Question
What is CVE-2023-44487 - HTTP/2 Rapid Reset Attack?
Answer
Between August and October 2023, a denial-of-service technique against the HTTP/2 protocol, tracked as CVE-2023-44487 and known as the Rapid Reset Attack, was exploited in the wild and then publicly disclosed. The attack abuses a legitimate feature of the protocol: a client may cancel a request at any time by sending an RST_STREAM frame, and it can do so immediately after the HEADERS frame that opened the stream.
How is HTTP/1.1 different from HTTP/2?
HTTP/2 offers significant gains in speed and efficiency over HTTP/1.1, including content prioritization, i.e. control over the order in which page elements are fetched and rendered. The feature that matters for this attack, however, is stream multiplexing:
- In HTTP/1.1, requests on a connection are processed one after another. The server reads a request, processes it, writes the response, and only then moves on to the next request.
- In HTTP/2, the client can open multiple concurrent streams on a single TCP connection, each carrying one HTTP request, and the server processes them in parallel. The server advertises an upper bound on concurrently open streams through the SETTINGS_MAX_CONCURRENT_STREAMS setting (commonly 100), but that limit only counts streams that are open at a given moment; it says nothing about how many requests a client may send over the lifetime of the connection.
How does the attack work?
The Rapid Reset Attack abuses exactly this ability. The attacker opens a large number of streams at once, as in an ordinary HTTP/2 flood, but instead of waiting for the server or proxy to respond to each request, it cancels each request immediately after sending it by following the HEADERS frame with an RST_STREAM frame on the same stream.
The key advantage for the attacker is that a reset takes effect instantly: the cancelled stream no longer counts against the concurrent-stream limit, so the attacker can keep an effectively unbounded number of requests in flight on each connection. By explicitly cancelling requests, the attacker never exceeds the server's limit on concurrent open streams, yet the server (or the backend behind a proxy) has already started work on every request it received. The number of in-flight requests is therefore no longer bounded by the round-trip time (RTT), only by the available network bandwidth.
Source: Google
The result is denial of service through server resource consumption: each cancelled request still costs the server (and any backend behind a proxy) the work of parsing the headers, allocating the stream and dispatching the request, while the attacker pays almost nothing for the cancellation, and the HTTP/2 connection itself stays open throughout. Web service providers and developers should be aware of this vulnerability and apply patches or the countermeasures below to protect their systems.
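To make the stream accounting described above concrete, here is an added example (not code from the original article or from Google's write-up) that serializes HTTP/2 frames for a plain HEADERS flood and for the HEADERS-then-RST_STREAM pattern, then feeds both through a minimal model of a server's per-connection state. The server model, its default limit of 100 concurrent streams and the per-connection reset budget used as a guard are illustrative assumptions, not any particular vendor's mitigation; the one-byte HPACK payload is a placeholder for a real request header block.

```python
"""Stream accounting for one HTTP/2 connection under a plain HEADERS flood
versus the Rapid Reset pattern (HEADERS immediately followed by RST_STREAM),
plus an illustrative per-connection cancel budget as a server-side guard.
Added example: the frame sequences are constructed here, not captured traffic."""
import struct

# Frame type codes, flag bits and the CANCEL error code from RFC 9113.
HEADERS = 0x1
RST_STREAM = 0x3
END_STREAM = 0x1
END_HEADERS = 0x4
CANCEL = 0x8


def frame(ftype, flags, stream_id, payload=b""):
    """Serialize one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    header = struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
    return header + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload


def parse_frames(data):
    """Yield (type, flags, stream_id, payload) for each frame in data."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        sid = struct.unpack(">I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        yield ftype, flags, sid, data[off + 9:off + 9 + length]
        off += 9 + length


# Placeholder HPACK block (indexed ':method: GET'); a real request also carries
# :scheme, :path and :authority. It is enough for counting streams.
MINIMAL_HEADERS = b"\x82"


def headers_flood(n, first_stream=1):
    """Ordinary flood: open n client streams (odd ids) and never cancel them."""
    out = bytearray()
    for i in range(n):
        out += frame(HEADERS, END_HEADERS | END_STREAM, first_stream + 2 * i, MINIMAL_HEADERS)
    return bytes(out)


def rapid_reset_flood(n, first_stream=1):
    """Rapid Reset: every HEADERS is followed at once by RST_STREAM(CANCEL)."""
    out = bytearray()
    for i in range(n):
        sid = first_stream + 2 * i
        out += frame(HEADERS, END_HEADERS | END_STREAM, sid, MINIMAL_HEADERS)
        out += frame(RST_STREAM, 0, sid, struct.pack(">I", CANCEL))
    return bytes(out)


class ConnectionState:
    """Server-side view of one HTTP/2 connection.

    max_concurrent models SETTINGS_MAX_CONCURRENT_STREAMS. max_resets is an
    assumed, illustrative per-connection cancel budget (not a specific
    vendor's implementation) that closes the connection once exceeded.
    """

    def __init__(self, max_concurrent=100, max_resets=None):
        self.max_concurrent = max_concurrent
        self.max_resets = max_resets
        self.open = set()
        self.dispatched = 0  # requests handed to the backend: the real cost
        self.refused = 0
        self.resets = 0
        self.closed = False

    def feed(self, data):
        for ftype, _flags, sid, _payload in parse_frames(data):
            if self.closed:
                break
            if ftype == HEADERS:
                if len(self.open) >= self.max_concurrent:
                    self.refused += 1  # server would answer RST_STREAM(REFUSED_STREAM)
                    continue
                self.open.add(sid)
                self.dispatched += 1  # backend work starts here
            elif ftype == RST_STREAM:
                self.open.discard(sid)  # slot freed, but the work was already dispatched
                self.resets += 1
                if self.max_resets is not None and self.resets > self.max_resets:
                    self.closed = True  # send GOAWAY and drop the abusive connection
        return {"dispatched": self.dispatched, "refused": self.refused,
                "open": len(self.open), "resets": self.resets, "closed": self.closed}


def compare(n=1000):
    """Run the same request count through the three scenarios."""
    return {
        "headers_flood": ConnectionState().feed(headers_flood(n)),
        "rapid_reset": ConnectionState().feed(rapid_reset_flood(n)),
        "rapid_reset_guarded": ConnectionState(max_resets=200).feed(rapid_reset_flood(n)),
    }


if __name__ == "__main__":
    for name, stats in compare().items():
        print(f"{name:22s} {stats}")
```

Running it shows the asymmetry: the plain flood stalls at 100 dispatched requests with the other 900 refused, because the concurrent-stream limit does its job; the Rapid Reset flood gets all 1000 requests dispatched to the backend while ending with zero streams open, so the limit is never hit; the guarded connection is closed after the assumed reset budget is exhausted, bounding the damage per connection. Real servers pair such a counter with rate limiting across connections, since an attacker can simply open new connections.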
Microsoft’s Recommendations
Install updates as soon as they are available. Until then, the following workaround can be used: disable the HTTP/2 protocol on your web server by setting the HTTP.sys parameters in the Registry Editor.
Note: Making incorrect changes in the Registry Editor can lead to severe issues that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the improper use of Registry Editor can be resolved. Use the Registry Editor at your own risk. For guidance on how to modify the registry, refer to the "Changing Keys and Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.
- Click Start, click Run, type Regedit in the Open box, and then click OK.
- Locate and then click the following registry subkey: HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
- Set the DWORD values EnableHttp2Tls and EnableHttp2Cleartext to one of the following:
  - 0 to disable HTTP/2
  - 1 to enable HTTP/2
- Exit Registry Editor.
- Restart the computer.
For .NET and Kestrel, servers with HTTP/2 disabled are not affected. To restrict your application to HTTP/1.1 through configuration, edit appsettings.json to set the protocol for each endpoint:
"Kestrel": {
  "Endpoints": {
    "http": {
      // your existing config
      "Protocols": "Http1"
    },
    "https": {
      // your existing config
      "Protocols": "Http1"
    }
  }
}
Coverage Information
Palo Alto Networks released Threat IDs (UTIDs) 40152 and 94441 and an update for the http2 decoder on 16 October 2023. Search for these Threat IDs in ThreatVault (https://threatvault.paloaltonetworks.com/) for details on the signatures. See the product advisory below for the impact on Palo Alto Networks products:
https://security.paloaltonetworks.com/CVE-2023-44487
Additional Information
- https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack
- https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/
- https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/
- https://security.paloaltonetworks.com/CVE-2023-44487
- https://nvd.nist.gov/vuln/detail/CVE-2023-44487
- https://access.redhat.com/security/cve/CVE-2023-44487