RHSB-2023-003 HTTP/2 Rapid Reset (CVE-2023-44487 and CVE-2023-39325)

Public Date: October 11, 2023, 13:28
Updated: November 10, 2023, 08:46
Status: Ongoing
Impact: Important

Red Hat is aware of a Distributed Denial of Service (DDoS) vulnerability affecting several HTTP/2 server implementations, assigned CVE-2023-44487 and CVE-2023-39325 and known as the “Rapid Reset Attack”.

This issue was rated with a CVSSv3 Score of 7.5 and classified as having an Important security impact.

The US Cybersecurity and Infrastructure Security Agency (CISA) has flagged this vulnerability as actively exploited. Exploitation in the wild has been reported since August 2023.

Further, any Red Hat product that is supported on Red Hat Enterprise Linux, including RHEL CoreOS, is also potentially impacted. This includes:

  • Product containers based on the RHEL or UBI container images. These images are updated regularly; whether a fix for this flaw is available in a given image is shown by the Container Health Index, part of the Red Hat Container Catalog. Customer containers should be rebuilt whenever the base images are updated.

  • Products that pull packages from the RHEL channel, including layered products such as Red Hat OpenShift Container Platform, Red Hat OpenStack Platform, Red Hat Virtualization, and others. Please ensure that the affected RHEL package is current in these product environments.

The HTTP/2 protocol allows for a series of multiplexed streams to establish the communication between the client and the server, thus improving the throughput of the communication.

CVE-2023-44487 and CVE-2023-39325 describe an attack in which the attacker creates a significant number of streams and subsequently cancels each one. This drives the server into resource starvation, ultimately preventing it from processing any other valid request.

Users are strongly urged to update their software as soon as fixes are available. 
There are several mitigation approaches for this flaw.

Unlike HTTP/1.1, the HTTP/2 protocol uses a series of data streams to establish communication between clients and server. This allows a client to send multiple requests within a single connection, which the server side may then process in parallel. Another HTTP/2 feature lets the client cancel a previously sent stream by sending a RST_STREAM frame to the server. The client may assume the stream is cancelled immediately once the server has received the RST_STREAM frame.

This vulnerability leverages both features: the attacker opens a large number of streams within the same connection and cancels each of them with a RST_STREAM frame before receiving a reply to the initial request. The server must still decompress and interpret every frame it received, allocating a large amount of resources and eventually starving the system. Because each stream is cancelled almost as soon as it is opened, the attacker never reaches the maximum number of connections configured on the server, yet still imposes a significant performance penalty on the targeted system.
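As an added illustration (not part of this Red Hat bulletin), the following Python parses a raw HTTP/2 frame sequence sent by a client and measures the pattern described above: many streams opened and cancelled while the number concurrently open stays small. The frame layout follows RFC 9113; the traffic samples and the alert thresholds are constructed assumptions, not values from the bulletin.

```python
import struct
from collections import namedtuple

# HTTP/2 frame type codes (RFC 9113); only the ones the detector needs.
HEADERS, RST_STREAM = 0x1, 0x3
CANCEL = (0x8).to_bytes(4, "big")  # RST_STREAM error code a client uses to abandon a request
Frame = namedtuple("Frame", "ftype flags stream_id payload")

def parse_frames(data: bytes) -> list:
    """Split a raw HTTP/2 byte stream (after the connection preface) into frames."""
    frames, off = [], 0
    while off + 9 <= len(data):  # every frame starts with a 9-byte header
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack(">I", data[off + 5:off + 9])[0] & 0x7FFFFFFF  # drop reserved bit
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:  # truncated capture: stop instead of misparsing
            break
        frames.append(Frame(ftype, flags, stream_id, payload))
        off += 9 + length
    return frames

def rapid_reset_stats(client_frames) -> dict:
    """Count streams the client opened, streams it reset itself, and the peak open at once.
    Rapid Reset shows as many opens and resets while the peak stays far below the server limit."""
    live, opened, cancelled, peak = set(), 0, 0, 0
    for f in client_frames:
        if f.ftype == HEADERS and f.stream_id not in live:
            live.add(f.stream_id)
            opened += 1
            peak = max(peak, len(live))
        elif f.ftype == RST_STREAM and f.stream_id in live:
            live.discard(f.stream_id)
            cancelled += 1
    return {"opened": opened, "cancelled": cancelled, "peak_concurrent": peak}

def looks_like_rapid_reset(stats, min_opened=100, min_cancel_ratio=0.9) -> bool:
    """Thresholds are assumptions; tune them to the deployment's normal client behaviour."""
    ratio = stats["cancelled"] / stats["opened"] if stats["opened"] else 0.0
    return stats["opened"] >= min_opened and ratio >= min_cancel_ratio

def encode_frame(ftype, stream_id, payload=b"", flags=0) -> bytes:
    """Build one frame; used only to construct the offline samples below."""
    return len(payload).to_bytes(3, "big") + bytes([ftype, flags]) + struct.pack(">I", stream_id) + payload

# Constructed samples: 200 streams each opened (HEADERS with END_HEADERS|END_STREAM and an
# HPACK-indexed ':method: GET') and immediately reset, versus 5 ordinary requests.
RESET_SAMPLE = b"".join(encode_frame(HEADERS, s, b"\x82", 0x5) + encode_frame(RST_STREAM, s, CANCEL) for s in range(1, 401, 2))
BENIGN_SAMPLE = b"".join(encode_frame(HEADERS, s, b"\x82", 0x5) for s in range(1, 11, 2))
```

The reset sample yields 200 opened, 200 cancelled and a peak of only 1 concurrent stream, which is why a concurrency limit such as NGINX's http2_max_concurrent_streams is never reached.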

For performance and resource consumption reasons, NGINX limits the number of concurrent streams per connection to 128 by default; see http2_max_concurrent_streams for more information. In addition, to balance network and server performance, NGINX allows a client to keep an HTTP connection open for up to 1000 requests by default using HTTP keepalive; see keepalive_requests for more information.

The list of affected products can be consulted at the following CVE pages: CVE-2023-44487 and CVE-2023-39325.

Red Hat customers running affected versions of these Red Hat products are strongly recommended to update as soon as errata are available.

To find out which HTTP version a given server speaks, curl can report the HTTP protocol version actually negotiated for a request. Use the command below. For example, testing https://redhat.com:

$ curl -s https://redhat.com -o /dev/null -w '%{http_version}\n'

1.1

To test a hypothetical server 172.16.8.3 using HTTPS on port 20346:

$ curl -s https://172.16.8.3:20346 -o /dev/null -w '%{http_version}\n'

2

Systems that return 1.1 or 1 are not vulnerable to these CVEs. Systems that return 2 might be affected by this vulnerability. Note that curl reports only the version negotiated for that single request, so each listening endpoint should be checked separately.

https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487

https://www.openwall.com/lists/oss-security/2023/10/10/6 
