DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2023-44482: HTTP/2 Rapid Reset: The DDoS Bug That Broke the Internet

Vulnerability ID: CVE-2023-44482
CVSS Score: 7.5
Published: 2023-12-21

CVE-2023-44482, dubbed 'HTTP/2 Rapid Reset,' is a critical denial-of-service vulnerability affecting the HTTP/2 protocol itself. By exploiting the stream cancellation feature, an attacker can overwhelm virtually any web server with minimal effort. This is not a simple bug in a single application but a fundamental weakness in the web's modern infrastructure, allowing a low-bandwidth attacker to trigger massive, resource-draining DDoS attacks. The flaw lies in the asymmetrical cost of handling stream resets, where a cheap client request forces expensive server-side cleanup, leading to CPU exhaustion and complete service unavailability.

TL;DR

A critical vulnerability in the HTTP/2 protocol allows attackers to cause a massive denial-of-service attack. By rapidly opening and then immediately canceling many data streams, an attacker can force a server to expend huge amounts of CPU, knocking it offline. This 'Rapid Reset' attack is cheap to perform and affects nearly every web server running HTTP/2. Patching and rate-limiting are essential for mitigation.


⚠️ Exploit Status: ACTIVE

Technical Details

  • CWE ID: CWE-400
  • CWE Name: Uncontrolled Resource Consumption
  • Attack Vector: Network
  • CVSS v3.1: 7.5 (High)
  • Impact: Denial of Service
  • Exploit Status: Active Exploitation
  • CISA KEV: Yes, listed
  • EPSS Percentile: 96.53% (as of late 2023)

Affected Systems

  • All major HTTP/2 server and library implementations
  • nginx
  • Apache HTTP Server
  • Microsoft IIS
  • HAProxy
  • Envoy Proxy
  • Node.js http2 module
  • Go net/http package
  • nghttp2 library
  • nginx: < 1.25.3 (Fixed in: 1.25.3)
  • Go: < 1.20.10 and < 1.21.3 (Fixed in: 1.20.10, 1.21.3)
  • Node.js: < 20.8.0, < 18.18.0 (Fixed in: 20.8.0, 18.18.0)
  • Envoy: < 1.27.1 (Fixed in: 1.27.1)

Code Analysis

Commit: 232230c

net/http: limit the number of stream resets per connection

Commit: f623722

http2: implement flood protection

Mitigation Strategies

  • Apply security patches from all web server, operating system, and library vendors immediately.
  • Place your infrastructure behind a reputable DDoS mitigation service or Content Delivery Network (CDN) that has protections for Layer 7 attacks.
  • Harden web server and load balancer configurations to limit the rate of new connections and streams from a single IP address.
  • Implement robust monitoring to detect unusual spikes in CPU usage or high rates of HTTP/2 stream resets.
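The per-connection limit described above (the "limit the number of stream resets per connection" idea and the rate-limiting bullet) as an added illustration in Go; this is example code, not the patched net/http or nginx code. The type and function names, the budget seeding rule and the event strings are assumptions constructed for the demonstration.

```go
package main

import (
	"fmt"
	"strings"
)

// ResetBudget is a hypothetical per-connection guard (an added example, not the Go or
// nginx fix) built on the idea "limit the number of stream resets per connection": a peer
// earns resets by letting streams finish, so a reset-everything client is cut off early.
type ResetBudget struct {
	credits    int // resets still allowed before the connection is closed
	maxCredits int // cap so a long-lived benign peer cannot bank unlimited resets
}

// StreamCompleted: a stream ended normally; finished work earns one more permitted reset.
func (b *ResetBudget) StreamCompleted() {
	if b.credits < b.maxCredits {
		b.credits++
	}
}

// StreamReset: RST_STREAM received; true means send GOAWAY and close (budget is spent).
func (b *ResetBudget) StreamReset() bool {
	if b.credits == 0 {
		return true
	}
	b.credits--
	return false
}

// Simulate replays constructed events ('c' = completed, 'r' = reset); returns the 1-based
// index of the reset that closed the connection, or 0 if it never closed.
func Simulate(maxStreams int, events string) int {
	// Seed with max concurrent streams: cancelling everything in flight once is legitimate.
	b, resets := &ResetBudget{credits: maxStreams, maxCredits: 2 * maxStreams}, 0
	for _, ev := range events {
		if ev == 'c' {
			b.StreamCompleted()
		} else if ev == 'r' {
			if resets++; b.StreamReset() {
				return resets
			}
		}
	}
	return 0
}

func main() { // constructed traffic: mostly-completing browser vs. reset-everything client
	fmt.Println(Simulate(100, "ccccrccccrccccr"), Simulate(100, strings.Repeat("r", 500))) // 0 101
}
```

With 100 concurrent streams allowed, the constructed browser-like sequence is never cut off, while a client that does nothing but reset is closed at its 101st RST_STREAM; the CPU-heavy cleanup the flaw relies on is therefore bounded per connection.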

Remediation Steps:

  1. Inventory all public-facing web servers and identify which ones are running an HTTP/2 stack.
  2. Consult vendor advisories (Nginx, Apache, Microsoft, Node.js, etc.) for the specific patched versions relevant to your software.
  3. Schedule and apply the security patches as a high-priority action.
  4. If patching is not immediately possible, implement rate-limiting rules on your firewall or load balancer as a temporary workaround.
  5. Monitor server metrics (CPU, memory, open connections) closely after patching to ensure the mitigation is effective and does not negatively impact legitimate traffic.

Read the full report for CVE-2023-44482 on our website for more details including interactive diagrams and full exploit analysis.
