
NetSPI’s Analysis of HTTP/2 Rapid Reset 

A novel 0-day vulnerability referred to as “HTTP/2 Rapid Reset” (CVE-2023-44487) sent the cybersecurity industry into quick action to minimize potential risks. This vulnerability abuses certain features of the HTTP/2 protocol and allows for Distributed Denial of Service (DDoS) attacks at an unprecedented scale.

Explain It to Me Like I’m 5 (ELI5)

If your website or application uses HTTP/2, an attacker could completely restrict access by flooding your network with an overwhelming amount of traffic.  

For additional insights, we connected with our Attack Surface Management (ASM) team to get their take on the CVE and learn more about their quick response to help security leaders with identification and remediation.

Who’s Impacted?

Anyone who uses HTTP/2 services may be impacted. According to Web Technology Surveys, HTTP/2 is used by 35.6% of all websites. That’s over 400 million websites vulnerable to this CVE.

What Could Happen If Exploited

The industry is seeing large-scale DDoS attacks stemming from exploitation of HTTP/2 Rapid Reset. The goal of a DDoS attack is to overwhelm a particular business, service, or application and keep it from being accessible to legitimate requests from its intended users or customers.

This is extremely challenging to manage since the attacks come from compromised machines or ‘bots’ in a very distributed fashion, which makes blocking those requests using simple filtering techniques unrealistic. The result is significant friction in delivering services, or an inability to deliver them at all. We’re already seeing the exploit in action, with Google reporting that it had mitigated the largest ever DDoS attack to date.

Best Practices for Remediation

First, it is important to understand if and where you are using HTTP/2 to determine if you are affected. Mapping out a full view of the attack surface is often a challenge for teams because of attack surface sprawl and changes that can happen overnight. 

As NetSPI’s Field CISO Nabil Hannan put it, 

“It seems to me like the bigger challenge in this particular scenario is that organizations struggle to have an up-to-date asset inventory. Not only having an up-to-date asset inventory, but truly understanding what software components, what versions of packages, what type of bill of materials they have in those assets.” 

This is where technology like Attack Surface Management is extremely helpful because it provides continuous asset discovery and monitoring. 

The first step to take when addressing HTTP/2 Rapid Reset is to perform internal checks for HTTP/2 to identify all potentially vulnerable hosts, or to verify with your web server vendors. Patches and updates for common web servers and programming languages are available to apply now or will be coming soon.

In the words of NetSPI’s Research Engineer Isaac Clayton,

“Patch early, patch often.”  
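
One way to run the internal check for HTTP/2 described in the remediation steps above is to see which of your own hosts select `h2` during TLS ALPN negotiation. This is an added example, not NetSPI's ASM check; the function names, the `host:port` target format and the three status labels are assumptions made for illustration.

```python
import socket
import ssl
import sys


def parse_target(text, default_port=443):
    """Split 'host' or 'host:port' (hostname or IPv4) into (host, port)."""
    host, sep, port = text.strip().rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return text.strip(), default_port


def negotiated_protocol(host, port, timeout=5.0):
    """Complete a TLS handshake offering h2 and return the server's ALPN choice."""
    ctx = ssl.create_default_context()
    # Inventory probe only: certificate validation is disabled so hosts with
    # internal or self-signed certificates still report their ALPN choice.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_alpn_protocols(["h2", "http/1.1"])
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.selected_alpn_protocol()  # None if the server ignored ALPN


def inventory(targets, probe=negotiated_protocol):
    """Classify each target as 'http2', 'no-http2' or 'unreachable'."""
    results = {}
    for target in targets:
        host, port = parse_target(target)
        try:
            proto = probe(host, port)
        except OSError:  # covers refused, timed out, DNS failure and ssl.SSLError
            results[target] = "unreachable"
            continue
        results[target] = "http2" if proto == "h2" else "no-http2"
    return results


if __name__ == "__main__":
    # Usage: python h2_inventory.py host1 host2:8443 ...
    for target, status in inventory(sys.argv[1:]).items():
        print(f"{status:12} {target}")
```

A result of `http2` only means the endpoint speaks HTTP/2 and should be checked against the vendor's patch status for CVE-2023-44487. Cleartext HTTP/2 (h2c) listeners are not covered by this TLS-based probe.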

NetSPI’s Rapid Response to HTTP/2 Rapid Reset

For NetSPI’s ASM users, our team swiftly added capabilities to the platform to detect HTTP/2 and allow our clients to get a full inventory of all potentially vulnerable hosts.   

Once the zero-day vulnerability was discovered, our Attack Surface Management team responded quickly to create automation for NetSPI’s ASM platform. This automation allowed our clients to establish an accurate inventory of their assets using HTTP/2.0 and focus their efforts on mitigation and remediation.

Our approach involved a fast response through active collaboration between our teams. We utilized our ASM operations team, a group of security professionals who proactively address vulnerabilities and verify risks for clients, as well as our software engineers and front-end developers.  

We moved incredibly quickly to implement the solution and make it available for NetSPI’s ASM clients. This rapid response demonstrates how beneficial it is to have a full team supporting our clients and the ASM technology that helps them maintain security. One listener on our LinkedIn Live commented, “Wow!!! That’s fast given today’s response climate. From Rapid Reset to Rapid Response!” (Kudos to the ASM operations team for their fast response!) 

Get a deeper look at CVE-2023-44487 – HTTP/2 Rapid Reset by watching our LinkedIn Live with NetSPI’s Field CISO Nabil Hannan and myself, Security Research Engineer Isaac Clayton. Learn more about our ASM solution including how to use it to run the check for HTTP/2 by contacting our team.
