Impact of CVE-2023-44487 on Edge SWG (ProxySG, ASG) and Cloud SWG (WSS)

Article ID: 274893

Products

ProxySG Software - SGOS
ISG Proxy
Advanced Secure Gateway Software - ASG
Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

The HTTP/2 (H2) vulnerability CVE-2023-44487, known as the "rapid reset" attack, permits a novel denial of service scenario: a high volume of coordinated HTTP/2 request cancellations can quickly reset many HTTP/2 streams, exhausting server resources and potentially causing outages.

Resolution

Edge SWG (ProxySG, ASG)

SGOS versions prior to 7.x (i.e. 6.7.x) are not affected, as HTTP/2 is not natively supported. Customers running 7.x versions of SGOS are encouraged to upgrade to 7.3.15.1 or a higher version. SGOS 7.3.13.5 (released October 18, 2023) also includes the fix for this vulnerability.

SGOS version 7.3.15.1 (released July 17, 2023) limits the number of concurrent streams over HTTP/2 client connections (even if the streams are reset), mitigating the rapid reset attack. Edge SWG customers that are running version 7.3.15.1 (or later) benefit from this mitigation.

Additionally, SGOS 7.3.13.5 (released October 18, 2023) and 7.3.14.4 (released October 26, 2023) have been released with a fix for this vulnerability.

SGOS version 7.4.1.1 is vulnerable. In a forward proxy deployment, the proxy will limit the number of stream requests, which reduces the impact of any compromised hosts. In a reverse proxy deployment, the proxy would similarly function to protect any HTTP/2 servers that were the target of the attack.

SGOS version 7.4.1.2 (released October 27, 2023) has been released with a fix for this vulnerability.
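To illustrate the stream accounting that the 7.3.15.1 mitigation changes, here is an added Python model (not Broadcom or SGOS code; the limit value, the frame names and the WORK_DONE cleanup event are assumptions of the model). It replays a constructed open-then-reset frame sequence against both accounting schemes and reports how much backend work each one lets through.

```python
# Added example, not Broadcom or SGOS code. It models why naive HTTP/2
# stream accounting fails against CVE-2023-44487 and what the SGOS
# 7.3.15.1 mitigation (streams stay counted even after a reset) changes.
MAX_CONCURRENT_STREAMS = 100  # assumed per-connection limit for the model


class NaiveAccounting:
    """Frees a stream's slot as soon as the client sends RST_STREAM, so the
    client can open and reset streams faster than the proxy finishes the
    backend work that each HEADERS frame already started."""

    def __init__(self):
        self.slots = set()      # stream IDs counted against the limit
        self.work_started = 0   # backend requests the proxy had to process
        self.rejected = 0       # HEADERS refused because the limit was hit

    def on_frame(self, kind, stream_id):
        if kind == "HEADERS":
            if len(self.slots) >= MAX_CONCURRENT_STREAMS:
                self.rejected += 1
                return
            self.slots.add(stream_id)
            self.work_started += 1
        elif kind in ("RST_STREAM", "WORK_DONE"):
            self.slots.discard(stream_id)  # reset releases the slot at once


class MitigatedAccounting(NaiveAccounting):
    """Keeps a reset stream counted until the proxy has cleaned it up
    (WORK_DONE), so a reset burst cannot exceed the concurrency limit."""

    def on_frame(self, kind, stream_id):
        if kind != "RST_STREAM":
            super().on_frame(kind, stream_id)


def rapid_reset_burst(n):
    """Constructed client frame sequence: open then immediately reset n streams."""
    frames = []
    for i in range(n):
        sid = 2 * i + 1  # client-initiated streams use odd IDs
        frames += [("HEADERS", sid), ("RST_STREAM", sid)]
    return frames


def replay(accounting_cls, frames):
    """Returns (backend requests started, HEADERS rejected) for a frame list."""
    conn = accounting_cls()
    for kind, sid in frames:
        conn.on_frame(kind, sid)
    return conn.work_started, conn.rejected
```

With a burst of 500 open/reset pairs the naive scheme starts 500 backend requests and rejects nothing, while the mitigated scheme stops at the 100-stream limit; a well-behaved client whose streams complete normally is unaffected by either scheme.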

Workaround

For vulnerable versions, the attack can be prevented by disabling HTTP/2 via policy using CPL:

<proxy>
http2.client.accept(no) http2.server.request(no)

Cloud SWG

Cloud SWG (formerly WSS) does provide the same CPL to disable HTTP/2 for UPE-managed tenants, but it currently runs SGOS 7.3.15.1, which already limits the number of concurrent streams.