CVE-2023-44487 Impact of Rapid Reset and HTTP/2 DoS Vulnerabilities (CVE-2023-44487, CVE-2023-35945)

Severity: Informational

Description

The Palo Alto Networks Product Security Assurance team is evaluating the recently disclosed denial-of-service (DoS) vulnerabilities in the HTTP/2 protocol including Rapid Reset (CVE-2023-44487) and CVE-2023-35945.

If HTTP/2 inspection is enabled in PAN-OS, an ongoing distributed denial-of-service (DDoS) attack in inspected traffic counts towards the session capacity limit of the firewall. This can result in intermittent availability of new firewall sessions, an impact consistent with other volumetric DDoS attacks. Availability of new firewall sessions recovers naturally once the DDoS attack stops. Customers who have enabled Threat Prevention ID 40152 (Applications and Threats content update 8765) block this attack in inspected HTTP/2 traffic.
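As an added illustration of what an inspecting device has to recognise, and not Palo Alto Networks code nor the logic behind Threat ID 40152: a small Python detector that parses client-to-server HTTP/2 frames and flags a connection in which streams are opened by HEADERS and immediately cancelled with RST_STREAM, the Rapid Reset pattern. The thresholds, the per-connection scoring and the sample traffic are assumptions constructed for this example.

```python
import struct

HEADERS, RST_STREAM, CANCEL = 0x1, 0x3, 0x8          # frame types and the RST_STREAM error code
FRAME_HDR = struct.Struct("!3sBBI")                    # length(24) type(8) flags(8) R(1)+stream id(31)

def frame(ftype, stream_id, payload=b"", flags=0):     # serialise one frame (sample traffic only)
    return FRAME_HDR.pack(len(payload).to_bytes(3, "big"), ftype, flags, stream_id) + payload

def iter_frames(data):
    """Yield (type, flags, stream_id, payload) from raw client-to-server frames (no preface)."""
    pos = 0
    while pos + FRAME_HDR.size <= len(data):
        ln, ftype, flags, sid = FRAME_HDR.unpack_from(data, pos)
        length = int.from_bytes(ln, "big")
        payload = data[pos + FRAME_HDR.size : pos + FRAME_HDR.size + length]
        if len(payload) < length:
            break                                      # truncated frame: stop rather than misparse
        yield ftype, flags, sid & 0x7FFFFFFF, payload
        pos += FRAME_HDR.size + length

def rapid_reset_stats(data):
    """Count streams the client opens and then cancels before sending anything else on them."""
    opened = {}                                        # stream id -> frames sent after HEADERS
    stats = {"headers": 0, "rapid_resets": 0}
    for ftype, _flags, sid, payload in iter_frames(data):
        if sid == 0:
            continue                                   # SETTINGS/PING/etc. are connection-level
        if ftype == HEADERS:
            stats["headers"] += 1
            opened[sid] = 0
        elif ftype == RST_STREAM and sid in opened:
            code = struct.unpack("!I", payload[:4])[0] if len(payload) >= 4 else None
            if opened.pop(sid) == 0 and code == CANCEL:
                stats["rapid_resets"] += 1
        elif sid in opened:
            opened[sid] += 1
    return stats

def is_rapid_reset(data, min_resets=50, min_ratio=0.9):  # assumed thresholds, tune per deployment
    s = rapid_reset_stats(data)
    return s["rapid_resets"] >= min_resets and s["rapid_resets"] >= min_ratio * s["headers"]

def build_connection(n_streams, reset_each):
    """Constructed sample traffic, not a real capture: n client streams, optionally cancelled at once."""
    out = b""
    for i in range(n_streams):
        sid = 2 * i + 1                                # client-initiated streams use odd ids
        out += frame(HEADERS, sid, b"\x82\x84", flags=0x5)   # END_STREAM|END_HEADERS, minimal HPACK
        if reset_each:
            out += frame(RST_STREAM, sid, struct.pack("!I", CANCEL))
    return out
```

As the advisory notes, a firewall can only see these frames in traffic it decrypts; the legitimate occasional cancel is absorbed by the count and ratio thresholds.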

PAN-OS firewalls that do not perform HTTP/2 inspection are not impacted in any way.

PAN-OS firewalls that do not perform decryption are not impacted by the DDoS attack in encrypted network traffic.

PAN-OS firewall web interface, Captive Portal, GlobalProtect portals, and GlobalProtect gateways are not impacted by these vulnerabilities.

While Prisma Cloud Compute includes vulnerable versions of nghttp2 and golang packages, Prisma Cloud Compute software does not have any HTTP/2 web server endpoints and is not impacted by these vulnerabilities.

Product Status

Product                 Affected versions   Unaffected versions
Cloud NGFW              None                all
Cortex XDR              None                all
Cortex XDR Agent        None                all
GlobalProtect App       None                all
PAN-OS                  None                all
Prisma Access           None                all
Prisma Cloud            None                all
Prisma Cloud Compute    None                all

Required Configuration for Exposure

This issue is applicable only to PAN-OS firewalls with HTTP/2 traffic inspection enabled that are experiencing an ongoing DDoS attack in their inspected network traffic.

Customers who have enabled Threat Prevention ID 40152 (Applications and Threats content update 8765) can block this DDoS attack.

PAN-OS firewalls that do not perform HTTP/2 inspection are not impacted in any way.

PAN-OS firewalls that do not perform decryption are not impacted by the DDoS attack in encrypted network traffic.

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation or customer reports of this issue in any of our products. However, this issue has been exploited in the wild since August 2023.

Weakness Type

CWE-400 Uncontrolled Resource Consumption

Solution

No software updates are required at this time.

The third-party dependencies nghttp2 and golang packages in Prisma Cloud Compute SaaS have been upgraded out of an abundance of caution in v31.02.137. No updates to the Compute console or the deployed Defenders are required.

Workarounds and Mitigations

Customers with a Threat Prevention subscription can block attacks for CVE-2023-44487 in their network traffic by enabling Threat ID 40152 (Applications and Threats content update 8765).

Timeline

Updated status of Prisma Cloud Compute
Updated availability of Threat Signature for CVE-2023-44487 and added product status
Initial Publication