Alert - Vulnerability impacting HTTP/2 - Rapid Reset

Number: AL23-015
Date: October 11, 2023

Audience

This Alert is intended for IT professionals and managers.

Purpose

An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.

Details

The Cyber Centre is aware of industry research [1][2][3] regarding a recent vulnerability [4] impacting HTTP/2, a version of the HTTP protocol most commonly used for web servers. Exploitation of CVE-2023-44487 leverages a flaw in HTTP/2 to overload a targeted web server with malformed requests, leading to a denial of service. Open-source reporting indicates that this vulnerability has been exploited in the wild.[1]

On October 10, 2023, Microsoft published an article on the activity and has published patches for impacted systems.[5]

This Alert is being published to raise awareness of CVE-2023-44487, to highlight the potential impact to organizations and to provide guidance for organizations who may be targeted by related malicious activity.

Suggested action

The Cyber Centre recommends organizations:

  • Immediately patch affected systems when updates addressing this vulnerability become available.
  • Enable web application firewall (WAF) rate limiting rules.[5]
  • Restrict internet access to your web applications based upon known malicious IP addresses or geographic location, where possible.[5]
  • Review and implement preventative actions outlined within the Cyber Centre’s guidance on protecting your organization against denial-of-service attacks.[6]
  • Review the Cybersecurity and Infrastructure Security Agency (CISA) published guidance for US agencies to aid in DDoS considerations including technical mitigation recommendations in responding to DDoS activity.[7]
  • Review industry research for additional recommendations.[1][2][3]
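As an added illustration of what a rate limiting rule for this issue can key on (this example is not part of the Cyber Centre's Alert): public research on CVE-2023-44487 describes clients opening HTTP/2 streams and immediately cancelling them with RST_STREAM frames, so a per-connection count of resets in a sliding window separates that pattern from ordinary browsing. The event tuple layout, the thresholds and the sample data below are all assumptions constructed for the example.

```python
from collections import defaultdict, deque

def build_sample():
    """Constructed events, not real traffic: (time_s, connection_id, frame_type, stream_id)."""
    events = []
    # conn-A: 200 streams opened and cancelled within about 0.4 s (rapid-reset pattern)
    for n in range(200):
        t, sid = n * 0.002, 2 * n + 1
        events.append((t, "conn-A", "HEADERS", sid))
        events.append((t + 0.0005, "conn-A", "RST_STREAM", sid))
    # conn-B: ordinary client, 20 requests over 10 s, one of them cancelled
    for n in range(20):
        t, sid = n * 0.5, 2 * n + 1
        events.append((t, "conn-B", "HEADERS", sid))
        if n == 7:
            events.append((t + 0.1, "conn-B", "RST_STREAM", sid))
    return sorted(events)

def flag_rapid_reset(events, window_s=1.0, max_resets=100, min_ratio=0.9):
    """Return {connection_id: peak resets seen in one window} for connections
    that exceed max_resets client resets per window while cancelling at least
    min_ratio of the streams they opened. Thresholds are hypothetical defaults."""
    recent = defaultdict(deque)      # conn -> timestamps of resets inside the window
    opened = defaultdict(int)        # conn -> streams opened so far (HEADERS frames)
    reset_total = defaultdict(int)   # conn -> streams cancelled so far
    flagged = {}
    for ts, conn, ftype, _sid in events:   # events must be in time order
        if ftype == "HEADERS":
            opened[conn] += 1              # simplification: one HEADERS per stream
        elif ftype == "RST_STREAM":
            reset_total[conn] += 1
            q = recent[conn]
            q.append(ts)
            while q and ts - q[0] > window_s:
                q.popleft()                # drop resets older than the window
            ratio = reset_total[conn] / max(opened[conn], 1)
            if len(q) > max_resets and ratio >= min_ratio:
                flagged[conn] = max(flagged.get(conn, 0), len(q))
    return flagged

if __name__ == "__main__":
    print(flag_rapid_reset(build_sample()))
```

The ratio check keeps a busy but legitimate connection that cancels only occasionally from being flagged on volume alone.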

In addition, the Cyber Centre strongly recommends that organizations review and implement the Cyber Centre’s Top 10 IT Security Actions [8] with an emphasis on the following topics:

  • Consolidate, monitor, and defend Internet gateways
  • Isolate web-facing applications

If activity matching the content of this alert is discovered, recipients are encouraged to report via the My Cyber Portal, or email contact@cyber.gc.ca.
