HTTP/2 Rapid Reset Attack Vulnerability
Indusface, Tuesday, October 17, 2023
Google, Amazon Web Services and others recently disclosed a vulnerability in the HTTP/2 protocol, tracked as CVE-2023-44487. The flaw lies in stream multiplexing, the HTTP/2 mechanism that lets endpoints exchange many messages efficiently over a single connection.
What is the HTTP/2 Rapid Reset Attack Vulnerability (CVE-2023-44487)?
The HTTP/2 protocol lets a client cancel a previously initiated stream by sending an RST_STREAM frame to the server. The protocol assumes that the cancellation takes effect on the server as soon as the RST_STREAM frame is received. A client can therefore send a request frame and immediately follow it with an RST_STREAM for the same stream: the server receives the request, starts processing it, and then resets it almost at once. The request is cancelled, but the connection remains open.
Because the cancellation is immediate and does not wait on the server, the client can open many such streams at once, each followed by further streams carrying HTTP/2 HEADERS and/or DATA frames, while staying within the concurrent-stream limit negotiated between client and server, since every reset stream frees its slot. In a default HTTP/2 implementation the server still has to do the work for each cancelled request, which eventually exhausts its resources.
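The defender-side counterpart of the mechanism described above is to watch the rate of RST_STREAM frames per connection and close connections that cancel far more streams than any legitimate client would. The following is an added example, not code from Indusface or from any of the vendors named in the advisory: it decodes the 9-octet HTTP/2 frame header (RFC 9113), keeps a sliding-window count of resets per connection, and runs it over two constructed traffic samples, one that opens and cancels 300 streams in half a second and one benign client. The threshold of 100 resets per second, the connection identifiers, and the sample frames are all assumptions for illustration.

```python
from collections import deque

# HTTP/2 frame type codes (RFC 9113, section 6)
FRAME_HEADERS = 0x1
FRAME_RST_STREAM = 0x3
FRAME_HEADER_LEN = 9  # 24-bit length, 8-bit type, 8-bit flags, 1 reserved bit + 31-bit stream id
ERROR_CANCEL = 0x8    # RST_STREAM error code CANCEL (RFC 9113, section 7)


def build_frame(frame_type: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """Encode one HTTP/2 frame; used here only to construct sample traffic."""
    header = len(payload).to_bytes(3, "big") + bytes([frame_type, flags])
    header += (stream_id & 0x7FFFFFFF).to_bytes(4, "big")
    return header + payload


def parse_frames(data: bytes):
    """Yield (frame_type, stream_id, payload) for each complete frame in data.

    Only the frame header is decoded; HPACK header blocks stay raw.
    A trailing partial frame is ignored (a real server would buffer it).
    """
    offset = 0
    while offset + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[offset:offset + 3], "big")
        frame_type = data[offset + 3]
        stream_id = int.from_bytes(data[offset + 5:offset + 9], "big") & 0x7FFFFFFF
        end = offset + FRAME_HEADER_LEN + length
        if end > len(data):
            break
        yield frame_type, stream_id, data[offset + FRAME_HEADER_LEN:end]
        offset = end


class ResetRateMonitor:
    """Sliding-window count of RST_STREAM frames per connection.

    max_resets and window_seconds are assumed values for illustration;
    a production deployment tunes them to its own traffic profile.
    """

    def __init__(self, max_resets: int = 100, window_seconds: float = 1.0):
        self.max_resets = max_resets
        self.window = window_seconds
        self._resets = {}  # conn_id -> deque of reset timestamps

    def observe(self, conn_id: str, frame_type: int, now: float) -> bool:
        """Record one frame; return True if the connection has exceeded its reset budget."""
        if frame_type != FRAME_RST_STREAM:
            return False
        q = self._resets.setdefault(conn_id, deque())
        q.append(now)
        while q and now - q[0] > self.window:  # expire timestamps outside the window
            q.popleft()
        return len(q) > self.max_resets


def scan_connection(conn_id: str, timed_frames, monitor: ResetRateMonitor) -> dict:
    """Feed (timestamp, raw_bytes) pairs for one connection through the monitor."""
    headers = resets = 0
    flagged_at = None
    for ts, raw in timed_frames:
        for frame_type, _stream_id, _payload in parse_frames(raw):
            if frame_type == FRAME_HEADERS:
                headers += 1
            elif frame_type == FRAME_RST_STREAM:
                resets += 1
            if monitor.observe(conn_id, frame_type, ts) and flagged_at is None:
                flagged_at = ts  # first moment the budget was exceeded; a server would GOAWAY here
    return {"headers": headers, "resets": resets, "flagged": flagged_at is not None, "flagged_at": flagged_at}


def rapid_reset_sample(count: int = 300, duration: float = 0.5):
    """Constructed traffic: each request is cancelled immediately after being sent."""
    frames = []
    for i in range(count):
        stream_id = 2 * i + 1  # client-initiated streams use odd identifiers
        ts = i * duration / count
        frames.append((ts, build_frame(FRAME_HEADERS, 0x05, stream_id, b"\x82")))  # END_STREAM|END_HEADERS, dummy HPACK
        frames.append((ts, build_frame(FRAME_RST_STREAM, 0x00, stream_id, ERROR_CANCEL.to_bytes(4, "big"))))
    return frames


def benign_sample():
    """Constructed traffic: 20 requests over 10 seconds, two of them cancelled."""
    frames = []
    for i in range(20):
        stream_id = 2 * i + 1
        ts = i * 0.5
        frames.append((ts, build_frame(FRAME_HEADERS, 0x05, stream_id, b"\x82")))
        if i % 10 == 0:
            frames.append((ts + 0.1, build_frame(FRAME_RST_STREAM, 0x00, stream_id, ERROR_CANCEL.to_bytes(4, "big"))))
    return frames


if __name__ == "__main__":
    monitor = ResetRateMonitor(max_resets=100, window_seconds=1.0)
    print("rapid-reset client:", scan_connection("conn-A", rapid_reset_sample(), monitor))
    print("benign client:     ", scan_connection("conn-B", benign_sample(), monitor))
```

The monitor counts resets rather than open streams because, as the text explains, a cancelled stream no longer occupies a slot against the negotiated concurrency limit, so the limit alone never trips. Counting resets per connection in a time window is the shape of the mitigation that patched servers apply; the action on a flagged connection is to send GOAWAY and close it, which this sketch leaves to the caller.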