External risk intelligence

Web servers using HTTP/2 can be overwhelmed and shut down by attackers

CVE advisoryKnown Exploit

CVE-2023-44487

A critical flaw in the HTTP/2 protocol allows for massive denial-of-service attacks that can shut down web servers. This vulnerability is actively being exploited and poses a significant risk to internet-facing services.

5Halo Surface Signal

Denial of Service

Siemens Simatic S7 1500 Cpu 1518f 4 Pn\/dp Mfp Firmware

3.1.5 and laterbefore 1.01.0before 3.0before 1.12.0before 1.57.0before 4.1.1001.24.101.25.91.26.41.27.0before 9.4.5310.0.0 to before 10.0.1711.0.0 to before 11.0.1712....

External exposure likelihood

Halo Surface Signal score for CVE-2023-44487

The vulnerability affects HTTP/2 protocol implementations within web servers, load balancers, and reverse proxies. These technologies are foundational components of internet-facing infrastructure, designed specifically to expose services to the public internet and handle external web traffic. As edge services that function as public gateways, they are inherently and constantly exposed to internet…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in the HTTP/2 protocol can be used to overwhelm servers with requests, leading to denial-of-service attacks. This issue is significant because it can disrupt service availability for a wide range of internet-facing applications and infrastructure.

  • Can cause widespread service outages.
  • Affects systems processing web traffic.
  • Exploited in the wild recently.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by sending a large number of stream reset frames to a vulnerable HTTP/2 server. This exhausts server resources, leading to a denial of service. This attack requires no authentication or user interaction and can be launched remotely.

  • Targets web servers and proxies.
  • Exploits HTTP/2 stream reset mechanism.
  • Causes server resource exhaustion.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows for large-scale denial-of-service attacks by overwhelming servers with rapid request cancellations. Observed exploitation in August-October 2023 indicates immediate threat potential. Given the widespread use of HTTP/2 across web infrastructure, attackers are likely to continue leveraging this for disruptive attacks.

  • Exploited in the wild.
  • Public exploit and KEV listing exist.
  • Recent exploitation signals ongoing threat.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize identifying and blocking the massive DDoS traffic associated with this vulnerability. Focus on systems that use HTTP/2, especially internet-facing web servers, load balancers, and reverse proxies. Implement rapid response for affected services, as this has been actively exploited.

  • Block malicious HTTP/2 traffic.
  • Update affected HTTP/2 implementations.
  • Monitor for resource exhaustion.

Frequently asked questions

What is the HTTP/2 protocol and how is it used?

HTTP/2 is a major revision of the Hypertext Transfer Protocol used for fetching resources, such as HTML documents, on the World Wide Web. It's designed to be more efficient than its predecessor, HTTP/1.1, by allowing for features like request multiplexing, server push, and header compression. Many modern web servers and applications use HTTP/2 to improve website performance and user experience.

How does CVE-2023-44487 exploit the HTTP/2 protocol?

CVE-2023-44487 is a weakness in the HTTP/2 protocol, specifically a type of flaw known as CWE-400, which relates to uncontrolled resource consumption. Attackers can exploit this by rapidly sending cancellation requests, causing servers to consume excessive resources trying to process them, leading to a denial of service.

What are the conditions needed to trigger the CVE-2023-44487 vulnerability?

An attacker can trigger this vulnerability by sending a specific sequence of HTTP/2 requests that exploit the protocol's stream reset mechanism. The vulnerability is triggered by the rapid cancellation of many streams. It is not triggered by standard, non-malicious use of the HTTP/2 protocol.

Why should I care about CVE-2023-44487 if my systems face the internet?

This vulnerability is classified as externally facing by Halo Surface Signal because it affects core internet infrastructure components like web servers and load balancers. If your technology handles external web traffic, it is very likely exposed to this threat, making it a critical concern for maintaining service availability.

What are the first steps to address the CVE-2023-44487 threat?

The immediate next step is to consult the documentation for the specific web server or network devices you are using. Look for any advisories or updates related to HTTP/2 and CVE-2023-44487. Applying vendor-provided mitigations or patches is the recommended approach to protect your systems.

References

Sources and related resources

Primary sources: NVD, CVE.org, CISA KEV.

NVDPublished Modified