“HTTP/2 Rapid Reset” Attack (CVE-2023-44487)

Vulnerability Detail –

In late August 2023, several web service providers, including Amazon, Cloudflare and Google, detected a flaw in the HTTP/2 protocol that can be exploited to carry out DDoS attacks. A significant feature of HTTP/2 is multiplexing requests over a single TCP connection, which manifests in the form of concurrent streams. This zero-day exploit abuses a weakness in the HTTP/2 protocol to generate enormous, hyper-volumetric Distributed Denial of Service (DDoS) attacks. The Rapid Reset attack leverages this multiplexing to send and cancel requests in quick succession, thereby circumventing the server's concurrent stream maximum and overloading the server without reaching its configured threshold.

This ability to reset streams immediately allows each connection to have an indefinite number of requests in flight, thereby enabling a threat actor to issue a barrage of HTTP/2 requests that can overwhelm a targeted website's capability to respond to new incoming requests, effectively taking it down.

Additional information related to the HTTP/2 Rapid Reset Attack can be located at: https://nvd.nist.gov/vuln/detail/CVE-2023-44487
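As a monitoring aid for the behaviour described above, the following added example (not MicroBilt or vendor code) parses the client-to-server HTTP/2 frames of one connection and reports how many streams were opened and immediately cancelled while the concurrent-stream count stayed low. The function names, thresholds and sample bytes are assumptions constructed for illustration.

```python
import struct

PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"  # client connection preface (RFC 9113)
HEADERS, RST_STREAM = 0x1, 0x3                  # frame type codes (RFC 9113)

def parse_frames(data):
    """Yield (type, stream_id) for each complete frame in client-to-server bytes."""
    off = len(PREFACE) if data.startswith(PREFACE) else 0
    while off + 9 <= len(data):                 # every frame starts with a 9-byte header
        length = int.from_bytes(data[off:off + 3], "big")
        ftype = data[off + 3]
        sid = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF  # drop reserved bit
        if off + 9 + length > len(data):
            break                               # truncated capture: stop cleanly
        yield ftype, sid
        off += 9 + length

def analyze(data, max_concurrent=100, min_streams=50, reset_ratio=0.9):
    """Count streams opened and cancelled by the client on one connection."""
    # Thresholds are illustrative assumptions, not vendor-recommended values.
    # Server-side stream closes are not visible here, so the peak is an upper bound.
    open_streams, opened, resets, peak = set(), 0, 0, 0
    for ftype, sid in parse_frames(data):
        if ftype == HEADERS and sid not in open_streams:
            open_streams.add(sid)
            opened += 1
            peak = max(peak, len(open_streams))
        elif ftype == RST_STREAM and sid in open_streams:
            open_streams.discard(sid)           # a cancelled stream frees its slot at once
            resets += 1
    ratio = resets / opened if opened else 0.0
    return {"opened": opened, "client_resets": resets, "peak_concurrent": peak,
            "limit_exceeded": peak > max_concurrent,
            "suspicious": opened >= min_streams and ratio >= reset_ratio}

def sample_frame(ftype, sid, payload, flags=0):
    """Build one constructed sample frame (test data only, never sent anywhere)."""
    return len(payload).to_bytes(3, "big") + bytes([ftype, flags]) + struct.pack(">I", sid) + payload

# Constructed sample 1: 200 requests, each cancelled immediately (error code CANCEL = 0x8).
RESET_HEAVY = PREFACE + b"".join(
    sample_frame(HEADERS, sid, b"\x82", 0x5) + sample_frame(RST_STREAM, sid, struct.pack(">I", 0x8))
    for sid in range(1, 401, 2))
# Constructed sample 2: 10 ordinary requests, none cancelled (placeholder header block).
NORMAL = PREFACE + b"".join(sample_frame(HEADERS, sid, b"\x82", 0x5) for sid in range(1, 21, 2))

if __name__ == "__main__":
    print("reset-heavy:", analyze(RESET_HEAVY))
    print("normal:     ", analyze(NORMAL))
```

On the reset-heavy sample the connection opens twice as many streams as the assumed limit of 100 yet never has more than one open at a time, which is why a check on concurrent streams alone does not catch it.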


MicroBilt Response –

MicroBilt is vigilant in monitoring activity on its servers and platforms as well as maintaining a regular update and patch cadence on systems and software. All affected system software has been updated with the latest available recommended patches. Additionally, firewalls have been updated to include vendor-recommended controls to remediate this vulnerability.

To ensure the vulnerability has been properly mitigated, internal and external vulnerability scans have been performed. We continue to monitor system performance to maintain expected levels of performance and availability.


Customer / Vendor Response –

MicroBilt has sent out a vendor vulnerability assessment questionnaire to all partners and vendors. Responses are being tracked in our vendor management system, and we continue to work with vendors and partners to collectively guard and mitigate against this CVE.

For any internet-facing systems identified with this vulnerability, monitoring of these sites is highly recommended to determine whether those systems have been compromised. Additionally, vendor-recommended patches and fixes should be applied immediately to ensure any further attacks are stopped.

Creation date: 10/23/2023 6:29 PM      Updated: 10/23/2023 6:29 PM
MicroBilt Support O365 Mailbox