CVE-2023-44487
In summary
HTTP/2 allows attackers to take down or disable web servers by sending many cancellation requests that consume server resources. This vulnerability was actively exploited against real sites in 2023.
Technical detail
HTTP/2 stream cancellation (RST_STREAM frames) can be abused to rapidly reset multiple streams, causing excessive CPU and memory consumption on servers. The attack requires network access to send crafted HTTP/2 frames and results in denial of service; affected servers experienced resource exhaustion without requiring authentication.
Summary generated and translated by AI from the official description.
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
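As an added example (not part of this record or of any of the PoC projects listed below), the following Go program shows the kind of mitigation servers adopted for this issue: count client-initiated RST_STREAM frames per connection inside a sliding window and close the connection (GOAWAY) once it exceeds a budget, instead of letting it churn through streams faster than the server can release their resources. The FrameEvent type, the window and budget values, and the sample trace are assumptions constructed for illustration; a real server would feed the limiter from its own framer.

```go
package main

import (
	"fmt"
	"time"
)

// FrameEvent is a simplified record of one HTTP/2 frame seen on a connection.
// The shape is an assumption for this example; a real server would build it
// from the frames its framer decodes.
type FrameEvent struct {
	Conn   string    // connection identifier
	Type   string    // "HEADERS" (stream opened) or "RST_STREAM" (stream cancelled)
	Stream uint32    // stream id
	At     time.Time // arrival time
}

// ResetLimiter tracks client-initiated RST_STREAM frames per connection
// inside a sliding window and flags connections that exceed a budget.
type ResetLimiter struct {
	Window    time.Duration
	MaxResets int
	resets    map[string][]time.Time // per-connection reset timestamps, arrival order
}

func NewResetLimiter(window time.Duration, maxResets int) *ResetLimiter {
	return &ResetLimiter{Window: window, MaxResets: maxResets, resets: make(map[string][]time.Time)}
}

// Observe records one frame and returns true when the connection has sent
// more RST_STREAM frames inside the window than allowed, meaning the server
// should close it rather than keep allocating and tearing down streams.
func (l *ResetLimiter) Observe(ev FrameEvent) bool {
	if ev.Type != "RST_STREAM" {
		return false
	}
	hist := l.resets[ev.Conn]
	cutoff := ev.At.Add(-l.Window)
	// Drop timestamps that have fallen out of the window.
	i := 0
	for i < len(hist) && !hist[i].After(cutoff) {
		i++
	}
	hist = append(hist[i:], ev.At)
	l.resets[ev.Conn] = hist
	return len(hist) > l.MaxResets
}

// FlaggedConnections replays a frame trace and returns the connections, in
// order of first offence, that exceeded maxResets cancellations within window.
func FlaggedConnections(trace []FrameEvent, window time.Duration, maxResets int) []string {
	lim := NewResetLimiter(window, maxResets)
	seen := map[string]bool{}
	var out []string
	for _, ev := range trace {
		if lim.Observe(ev) && !seen[ev.Conn] {
			seen[ev.Conn] = true
			out = append(out, ev.Conn)
		}
	}
	return out
}

// openAndCancel builds a constructed trace of n HEADERS/RST_STREAM pairs on
// one connection, one pair every gap: the open-then-immediately-cancel
// pattern the record describes.
func openAndCancel(conn string, n int, gap time.Duration, start time.Time) []FrameEvent {
	var t []FrameEvent
	for i := 0; i < n; i++ {
		at := start.Add(time.Duration(i) * gap)
		sid := uint32(2*i + 1) // client-initiated streams use odd ids
		t = append(t,
			FrameEvent{Conn: conn, Type: "HEADERS", Stream: sid, At: at},
			FrameEvent{Conn: conn, Type: "RST_STREAM", Stream: sid, At: at})
	}
	return t
}

// SampleTrace is a constructed trace: one connection that opens and cancels
// 500 streams in about 50 ms, and one ordinary client that cancels five
// requests spread over several seconds (e.g. a user navigating away).
func SampleTrace() []FrameEvent {
	start := time.Date(2023, 10, 10, 0, 0, 0, 0, time.UTC)
	trace := openAndCancel("conn-rapid", 500, 100*time.Microsecond, start)
	trace = append(trace, openAndCancel("conn-browser", 5, 2*time.Second, start)...)
	return trace
}

func main() {
	// Budget: at most 100 cancellations per second per connection (assumed value).
	for _, c := range FlaggedConnections(SampleTrace(), time.Second, 100) {
		fmt.Println("close connection:", c)
	}
}
```

The budget is deliberately generous relative to normal client behaviour: legitimate cancellations are sparse, while the rapid-reset pattern sends hundreds per second on a single connection, so a per-connection window catches it without touching ordinary traffic. Pair this with a bound on concurrent streams per connection, which limits how much work each connection can have in flight at any moment.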
Affected products
n/a · n/a
Public PoCs found — 25
github: github.com/bcdannyboy/CVE-2023-44487 (★ 245)
github: github.com/secengjeff/rapidresetclient (★ 75)
github: github.com/Appsynergy-io/CVE-2023-44487 (★ 56)
github: github.com/studiogangster/CVE-2023-44487 (★ 21)
github: github.com/nxenon/cve-2023-44487 (★ 14)
github: github.com/threatlabindonesia/CVE-2023-44487-HTTP-2-Rapid-Reset-Exploit-PoC (★ 8)
github: github.com/ndrscodes/http2-rst-stream-attacker (★ 6)
github: github.com/ReToCode/golang-CVE-2023-44487 (★ 2)
github: github.com/moften/CVE-2023-44487-HTTP-2-Rapid-Reset-Attack (★ 2)
github: github.com/tpirate/cve-2023-44487-POC (★ 2)
github: github.com/zanks08/cve-2023-44487-demo (★ 1)
github: github.com/aulauniversal/CVE-2023-44487 (★ 1)
github: github.com/ByteHackr/CVE-2023-44487 (★ 0)
github: github.com/BMG-Black-Magic/CVE-2023-44487 (★ 0)
github: github.com/madhantr0/http2-security-lab (★ 0)
github: github.com/madhusudhan-in/CVE_2023_44487-Rapid_Reset (★ 0)
github: github.com/sigridou/CVE-2023-44487- (★ 0)
github: github.com/sn130hk/CVE-2023-44487 (★ 0)
github: github.com/TYuan0816/cve-2023-44487 (★ 0)
github: github.com/ReGeLePuMa/HTTP-2-Rapid-Reset-DDos (★ 0)
github: github.com/sastraadiwiguna-purpleeliteteaming/DDoS-Purple-Teaming-Offensive-Multi-Vector-7-Tier-Defensive-Holistic-Blueprint- (★ 0)
github: github.com/TLevente20/HTTP-2-RapidReset-CVE-2023-44487-Testlab (★ 0)
github: github.com/Hirokiii/CVE-2023-44487 (★ 0)
github: github.com/pabloec20/rapidreset (★ 0)
exploitdb: www.exploit-db.com/exploits/52426 (not verified)
⚠ Public resources, for you to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
https://access.redhat.com/security/cve/cve-2023-44487
https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/
https://aws.amazon.com/security/security-bulletins/AWS-2023-011/
https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/
https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/
https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/
https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack
https://blog.vespa.ai/cve-2023-44487/
https://bugzilla.proxmox.com/show_bug.cgi?id=4988
https://bugzilla.redhat.com/show_bug.cgi?id=2242803
https://bugzilla.suse.com/show_bug.cgi?id=1216123
https://cert-portal.siemens.com/productcert/html/ssa-082556.html