
[ Intelligence ] NYSIC CAU Situational Report: (TLP:CLEAR) HTTP/2 Vulnerability CVE-2023-44487 Exploited in the Wild

TLP: CLEAR
Recipients can spread this to the world, there is no limit on disclosure. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be shared without restriction.
http://www.us-cert.gov/tlp/

Summary: Researchers and vendors have disclosed a denial-of-service (DoS) vulnerability in HTTP/2 that is currently being exploited in the wild. HTTP/2 is a protocol that governs how browsers interact with a website and request the text and images displayed to end users. HTTP/2 is used in a majority of web applications, and this vulnerability impacts any internet-exposed HTTP/2 endpoint. CISA has released an alert recommending that all organizations take proactive measures and immediately patch HTTP/2 instances.

CISA Alert: hxxps://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487

NYSIC CAU Analyst Note: The vulnerability (CVE-2023-44487), known as Rapid Reset, is at the root of the largest DDoS attack ever reported, after Amazon Web Services, Cloudflare, and Google Cloud were targeted between August 28th and 29th, 2023. The companies coordinated to minimize impact to services with strategies like load balancing, but smaller organizations with fewer resources may not be able to counter the massive Rapid Reset DDoS attacks as successfully without proactive patching and configuration changes. No attribution for the attacks has been given at this time.

Additional Sources:
hxxps://aws.amazon.com/security/security-bulletins/AWS-2023-011/
hxxps://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/
hxxps://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack
hxxps://www.cve.org/CVERecord?id=CVE-2023-44487

This information has been forwarded by NYSIC to:
NYSIC CAU Contacts – OCT-CIP
NYSIC CAU Contacts – DHSES CIRT
NYSIC CAU Contacts – ITS EISO
NYSIC CAU Contacts – SLTT
NYSIC CAU Contacts – County Information Contacts
NYSIC CAU Contacts – Critical Infrastructure Partners: All

For more information, please contact the NYSIC Cyber Analysis Unit at (518) 786-2191 or CAU@nysic.ny.gov.
