Security Vulnerability: CVE-2023-44487: HTTP/2 ‘Rapid Reset’ attack
This document (000021240) is provided subject to the disclaimer at the end of this document.
As it turned out, the problem that was exploited was not an implementation bug, but an issue inside the internal design of the HTTP/2 protocol itself. The principle of the 'Rapid Reset' attack is quite simple.
Several upstream projects updated their code to implement or extent the mitigation mechanisms that prevent or lower the impact of those attacks. This is usually done by setting a reset rate limit.
Mitigations already in place:
Currently we are updating and monitoring the following implementations:
For a status on the release of updated packages please consult the SUSE CVE announcement.
The newer HTTP/2 protocol allows multiple bidirectional streams via a single TCP connection. A client can therefore send multiple requests at once, that get then answered by the server. This results in a much higher utilization of each connection.
The 'Rapid Reset' attack now uses the fact that each of those inner streams can be canceled at any point in time via a RST_STREAM frame. This can even be done before any data was transmitted back to the client.
The problem that arises now is the following. The request is processed by the server, and for this purposes, resources are allocated per stream. This resources have to be deleted again a moment later when the RST_STREAM frame arrived.
This has nearly no cost on the attacker side, but can, depending on the server implementation, have significant resource utilization on the victim.
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:000021240
- Creation Date: 18-Oct-2023
- Modified Date:18-Oct-2023
- SUSE Linux Enterprise Desktop
- SUSE Linux Enterprise Server
- SUSE Linux Enterprise Server for SAP Applications
- SUSE Manager Server
- SUSE Manager Proxy
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com