openvas | Copyright (C) 2023 Greenbone AG | OPENVAS:1361412562310170601
History | Oct 12, 2023 - 12:00 a.m.

nghttp2 < 1.57.0 HTTP/2 Protocol DoS Vulnerability

2023-10-12 00:00:00
Copyright (C) 2023 Greenbone AG
plugins.openvas.org
2
denial of service
http/2
vulnerability
remote
vendorfix
cve-2023-44487
nghttpd2

AI Score: 8.3 High (Confidence: High)

EPSS: 0.72 High (Percentile: 98.0%)

nghttp2 is prone to a denial of service (DoS) vulnerability in
the HTTP/2 protocol.

# SPDX-FileCopyrightText: 2023 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

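# CPE under which the detection results for this product are looked up by the
# get_app_*() calls in the detection phase of this script.
CPE = "cpe:/a:nghttp2:nghttp2";

# Metadata phase: when the scanner runs the script with `description` set, only
# the registration calls below are executed and the script exits via exit(0)
# at the end of this block, before any target-specific code is reached.
if (description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.170601");
  script_version("2023-10-17T05:05:34+0000");
  script_tag(name:"last_modification", value:"2023-10-17 05:05:34 +0000 (Tue, 17 Oct 2023)");
  script_tag(name:"creation_date", value:"2023-10-12 14:32:29 +0000 (Thu, 12 Oct 2023)");
  # CVSS v2 base score and vector, followed by the CVSS v3.1 vector. Both
  # vectors rate the issue as network-reachable, unauthenticated and
  # availability-only (no confidentiality or integrity impact).
  script_tag(name:"cvss_base", value:"7.8");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_tag(name:"severity_vector", value:"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_tag(name:"severity_origin", value:"NVD");
  script_tag(name:"severity_date", value:"2023-10-14 01:15:00 +0000 (Sat, 14 Oct 2023)");

  script_cve_id("CVE-2023-44487");

  # The verdict rests solely on a remotely observed version string. Packages
  # that carry a backported fix under an older upstream version number are
  # still reported, so a finding should be confirmed against the installed
  # package before it is treated as an open exposure.
  script_tag(name:"qod_type", value:"remote_banner_unreliable");

  script_tag(name:"solution_type", value:"VendorFix");

  script_name("nghttp2 < 1.57.0 HTTP/2 Protocol DoS Vulnerability");

  # Information-gathering category: the code after this block only compares
  # version strings and does not send traffic that exercises the flaw.
  script_category(ACT_GATHER_INFO);

  script_copyright("Copyright (C) 2023 Greenbone AG");
  script_family("Denial of Service");
  # Scheduled after the nghttp2 detection script and only when that script has
  # set the nghttp2/detected key.
  script_dependencies("gb_nghttp2_detect.nasl");
  script_mandatory_keys("nghttp2/detected");

  # Product name written as "nghttp2" so that the report text agrees with the
  # script name, the CPE and the detection key used elsewhere in this script.
  script_tag(name:"summary", value:"nghttp2 is prone to a denial of service (DoS) vulnerability in
  the HTTP/2 protocol.");

  script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");

  script_tag(name:"insight", value:"The HTTP/2 protocol allows a denial of service (server resource
  consumption) because request cancellation can reset many streams quickly, as exploited in the wild
  in August through October 2023.

  The flaw is also known as HTTP/2 Rapid Reset Attack.");

  script_tag(name:"impact", value:"This vulnerability allows a remote, unauthenticated attacker to
  cause an increase in CPU usage that can lead to a denial-of-service (DoS).");

  script_tag(name:"affected", value:"nghttp2 versions prior to 1.57.0.");

  script_tag(name:"solution", value:"Update to version 1.57.0 or later.");

  # Upstream fix and advisory first, then vendor write-ups of the attack, then
  # the CISA alert and KEV catalog entry (the CVE is listed as exploited).
  script_xref(name:"URL", value:"https://github.com/nghttp2/nghttp2/pull/1961");
  script_xref(name:"URL", value:"https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0");
  script_xref(name:"URL", value:"https://github.com/nghttp2/nghttp2/security/advisories/GHSA-vx74-f528-fxqg");
  script_xref(name:"URL", value:"https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack");
  script_xref(name:"URL", value:"https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/");
  script_xref(name:"URL", value:"https://aws.amazon.com/blogs/security/how-aws-protects-customers-from-ddos-events/");
  script_xref(name:"URL", value:"https://www.openwall.com/lists/oss-security/2023/10/10/6");
  script_xref(name:"URL", value:"https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487");
  script_xref(name:"URL", value:"https://www.cisa.gov/known-exploited-vulnerabilities-catalog");
  script_xref(name:"CISA", value:"Known Exploited Vulnerability (KEV) catalog");

  exit(0);
}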

include("host_details.inc");
include("version_func.inc");

# Detection phase: decide from the recorded nghttp2 version alone whether the
# host is reported. Nothing here probes HTTP/2 stream handling; the result is
# only as good as the version string the detection script obtained.

# Port on which the product identified by CPE was detected; stop quietly if
# there is none.
port = get_app_port(cpe: CPE);
if (!port)
  exit(0);

# Version and install location recorded for that port. exit_no_version is
# passed as TRUE, so no comparison is attempted without a version.
infos = get_app_version_and_location(cpe: CPE, port: port, exit_no_version: TRUE);
if (!infos)
  exit(0);

fixed_ver = "1.57.0";
installed_ver = infos["version"];
install_loc = infos["location"];

# Versions at or above the fixed release end with exit(99), the exit code
# Greenbone VTs use for "checked and not affected".
if (!version_is_less(version: installed_ver, test_version: fixed_ver))
  exit(99);

# Older version: report installed vs. fixed version and the install path.
# NOTE(review): a backported fix under an older version number would still
# land here - confirm against the package changelog before remediation.
report = report_fixed_ver(installed_version: installed_ver, fixed_version: fixed_ver, install_path: install_loc);
security_message(port: port, data: report);
exit(0);