nghttpd2 is prone to a denial of service (DoS) vulnerability in
the HTTP/2 protocol.
# SPDX-FileCopyrightText: 2023 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only
CPE = "cpe:/a:nghttp2:nghttp2";
if (description)
{
script_oid("1.3.6.1.4.1.25623.1.0.170601");
script_version("2023-10-17T05:05:34+0000");
script_tag(name:"last_modification", value:"2023-10-17 05:05:34 +0000 (Tue, 17 Oct 2023)");
script_tag(name:"creation_date", value:"2023-10-12 14:32:29 +0000 (Thu, 12 Oct 2023)");
script_tag(name:"cvss_base", value:"7.8");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:N/I:N/A:C");
script_tag(name:"severity_vector", value:"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
script_tag(name:"severity_origin", value:"NVD");
script_tag(name:"severity_date", value:"2023-10-14 01:15:00 +0000 (Sat, 14 Oct 2023)");
script_cve_id("CVE-2023-44487");
script_tag(name:"qod_type", value:"remote_banner_unreliable");
script_tag(name:"solution_type", value:"VendorFix");
script_name("nghttp2 < 1.57.0 HTTP/2 Protocol DoS Vulnerability");
script_category(ACT_GATHER_INFO);
script_copyright("Copyright (C) 2023 Greenbone AG");
script_family("Denial of Service");
script_dependencies("gb_nghttp2_detect.nasl");
script_mandatory_keys("nghttp2/detected");
script_tag(name:"summary", value:"nghttpd2 is prone to a denial of service (DoS) vulnerability in
the HTTP/2 protocol.");
script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");
script_tag(name:"insight", value:"The HTTP/2 protocol allows a denial of service (server resource
consumption) because request cancellation can reset many streams quickly, as exploited in the wild
in August through October 2023.
The flaw is also known as HTTP/2 Rapid Reset Attack.");
script_tag(name:"impact", value:"This vulnerability allows a remote, unauthenticated attacker to
cause an increase in CPU usage that can lead to a denial-of-service (DoS).");
script_tag(name:"affected", value:"nghttpd2 versions prior to 1.57.0.");
script_tag(name:"solution", value:"Update to version 1.57.0 or later.");
script_xref(name:"URL", value:"https://github.com/nghttp2/nghttp2/pull/1961");
script_xref(name:"URL", value:"https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0");
script_xref(name:"URL", value:"https://github.com/nghttp2/nghttp2/security/advisories/GHSA-vx74-f528-fxqg");
script_xref(name:"URL", value:"https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack");
script_xref(name:"URL", value:"https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/");
script_xref(name:"URL", value:"https://aws.amazon.com/blogs/security/how-aws-protects-customers-from-ddos-events/");
script_xref(name:"URL", value:"https://www.openwall.com/lists/oss-security/2023/10/10/6");
script_xref(name:"URL", value:"https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487");
script_xref(name:"URL", value:"https://www.cisa.gov/known-exploited-vulnerabilities-catalog");
script_xref(name:"CISA", value:"Known Exploited Vulnerability (KEV) catalog");
exit(0);
}
include("host_details.inc");
include("version_func.inc");
if (!port = get_app_port(cpe: CPE))
exit(0);
if (!infos = get_app_version_and_location(cpe: CPE, port: port, exit_no_version: TRUE))
exit(0);
version = infos["version"];
location = infos["location"];
if (version_is_less(version: version, test_version: "1.57.0")) {
report = report_fixed_ver(installed_version: version, fixed_version: "1.57.0", install_path: location);
security_message(port: port, data: report);
exit(0);
}
exit(99);
aws.amazon.com/blogs/security/how-aws-protects-customers-from-ddos-events/
blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/
cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack
github.com/nghttp2/nghttp2/pull/1961
github.com/nghttp2/nghttp2/releases/tag/v1.57.0
github.com/nghttp2/nghttp2/security/advisories/GHSA-vx74-f528-fxqg
www.cisa.gov/known-exploited-vulnerabilities-catalog
www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487
www.openwall.com/lists/oss-security/2023/10/10/6
Known Exploited Vulnerability (KEV) catalog