CVE-2023-44487
Denial of Service vulnerability in google.golang.org/grpc

Tags: Denial of Service | High confidence exploit | Fixable by Resolved Security

What is CVE-2023-44487 About?

In gRPC-Go, an attacker can trigger a Denial of Service by sending and canceling specific HTTP/2 requests. This can lead to the server launching excessive concurrent method handlers, consuming resources and impacting availability. The exploit leverages HTTP/2 protocol behavior to bypass stream limits.

Affected Software

  • google.golang.org/grpc
    • <1.56.3
    • >1.57.0, <1.57.1
    • >1.58.0, <1.58.3

Technical Details

The vulnerability in affected releases of gRPC-Go stems from how the server handles HTTP/2 requests that are sent and then immediately canceled. The HTTP/2 protocol allows this behavior, but gRPC-Go fails to account for the sequence correctly with respect to its configured maximum stream limit. An attacker can rapidly send multiple requests, cancel them, and then send further requests. This sequence is valid under the HTTP/2 standard, yet it causes the gRPC-Go server to launch more concurrent method handlers than its configured maximum stream limit allows, leading to resource exhaustion and a Denial of Service.

What is the Impact of CVE-2023-44487?

Successful exploitation may allow attackers to exhaust server resources, degrade performance, and completely disrupt the availability of the gRPC-Go service, leading to a denial of service for legitimate users.

What is the Exploitability of CVE-2023-44487?

Exploitation is of low complexity and requires no authentication, making it particularly dangerous. An attacker only needs network access to the gRPC-Go server. No specific privileges are required on the target system. This is a remote vulnerability, as the attack is performed by sending specially crafted HTTP/2 requests over the network. The main prerequisites are that the gRPC-Go server is publicly accessible and does not have sufficient `grpc.MaxConcurrentStreams` configuration. The ease of exploitation and the lack of authentication or special conditions significantly increase the likelihood of exploitation. The attack specifically leverages valid HTTP/2 protocol behavior, making it difficult to filter without affecting legitimate traffic.

What are the Known Public Exploits?

  • bcdannyboy (Link): Basic vulnerability scanning to see if web servers may be vulnerable to CVE-2023-44487
  • secengjeff (Link): Tool for testing mitigations and exposure to Rapid Reset DDoS (CVE-2023-44487)
  • imabee101 (Link): Proof of concept for DoS exploit

What are the Available Fixes for CVE-2023-44487?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

This patch enhances HTTP/2 connection overhead protection by adding a specific counter increment (overheadResetFactor) for each RST (reset) frame received and enforcing an early exit from frame parsing if the overhead limit is exceeded. This mitigates the risk exploited by CVE-2023-44487, which leveraged excessive reset frames to overwhelm servers (the "Rapid Reset" attack), by limiting such abuse and thereby preventing denial-of-service conditions.
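To make both the accounting gap and the fix concrete, here is a small Go model added for this page; it is not gRPC-Go's own code. It tracks the two things the text describes: cancelling a stream frees its HTTP/2 stream slot while the method handler that was already launched keeps running, so the number of live handlers can climb past the configured `grpc.MaxConcurrentStreams` limit; and a per-connection overhead counter that charges each RST_STREAM frame a fixed factor and stops parsing once a budget is exceeded bounds that growth. The frame sequence, the overhead budget and the `OverheadResetFactor` value are constructed for illustration and are not grpc-go's real constants.

```go
package main

import "fmt"

// FrameKind is a minimal model of the HTTP/2 frame types relevant here.
type FrameKind int

const (
	Headers   FrameKind = iota // opens a stream and starts a method handler
	RstStream                  // peer cancels the stream
	Data                       // ordinary payload, not accounted for in this model
)

// Frame is one frame of a constructed sample sequence (not a real capture).
type Frame struct {
	Kind     FrameKind
	StreamID uint32
}

// Config mirrors the two knobs the advisory discusses: the configured stream
// limit (grpc.MaxConcurrentStreams) and an overhead budget for reset frames.
// OverheadBudget and OverheadResetFactor are assumed values for illustration,
// not grpc-go's real constants.
type Config struct {
	MaxConcurrentStreams int
	OverheadBudget       int
	OverheadResetFactor  int
}

// Result records what happened after processing a frame sequence.
type Result struct {
	PeakHandlers   int  // most handlers alive at the same time
	Closed         bool // connection closed because the overhead budget was exceeded
	FramesAccepted int  // frames processed before any early exit
}

// Simulate models one connection processing frames in order.
//   - Stream accounting (the gap): RST_STREAM frees the stream slot at once, so
//     the peer may open another stream, while the handler already started keeps
//     running. Handlers are assumed to be busy and never finish during the burst.
//   - Overhead accounting (the fix pattern): each RST_STREAM adds
//     OverheadResetFactor to a per-connection counter; once the counter exceeds
//     OverheadBudget the connection is closed and frame parsing exits early.
func Simulate(cfg Config, frames []Frame, enforceOverhead bool) Result {
	openStreams := map[uint32]bool{}
	runningHandlers := 0
	overhead := 0
	var res Result
	for _, f := range frames {
		switch f.Kind {
		case Headers:
			if len(openStreams) >= cfg.MaxConcurrentStreams {
				continue // stream limit respected at the HTTP/2 layer: frame rejected
			}
			openStreams[f.StreamID] = true
			runningHandlers++
			if runningHandlers > res.PeakHandlers {
				res.PeakHandlers = runningHandlers
			}
		case RstStream:
			delete(openStreams, f.StreamID) // slot freed, but the handler is still running
			if enforceOverhead {
				overhead += cfg.OverheadResetFactor
				if overhead > cfg.OverheadBudget {
					res.Closed = true
					return res // early exit from frame parsing
				}
			}
		case Data:
		}
		res.FramesAccepted++
	}
	return res
}

// OpenAndCancelSequence builds the constructed sample traffic the advisory
// describes: n client streams, each opened and immediately cancelled.
func OpenAndCancelSequence(n int) []Frame {
	frames := make([]Frame, 0, 2*n)
	for i := 0; i < n; i++ {
		id := uint32(2*i + 1) // client-initiated HTTP/2 streams use odd IDs
		frames = append(frames, Frame{Headers, id}, Frame{RstStream, id})
	}
	return frames
}

func main() {
	cfg := Config{MaxConcurrentStreams: 10, OverheadBudget: 20, OverheadResetFactor: 2}
	seq := OpenAndCancelSequence(50)
	gap := Simulate(cfg, seq, false)
	fixed := Simulate(cfg, seq, true)
	fmt.Printf("stream limit %d, no overhead accounting: %d handlers started\n", cfg.MaxConcurrentStreams, gap.PeakHandlers)
	fmt.Printf("with overhead accounting: %d handlers started, connection closed=%v\n", fixed.PeakHandlers, fixed.Closed)
}
```

With a stream limit of 10, the unprotected model ends the burst with 50 handlers started, five times the configured limit, because each cancel frees the slot the next open reuses. The overhead-enforcing model charges every reset, trips the budget on the eleventh reset and closes the connection, so at most eleven handlers are ever started. A burst of ordinary opens without resets is unaffected by the counter and is simply capped at the stream limit.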

Available Upgrade Options

  • google.golang.org/grpc
    • <1.56.3 → Upgrade to 1.56.3
    • >1.57.0, <1.57.1 → Upgrade to 1.57.1
    • >1.58.0, <1.58.3 → Upgrade to 1.58.3


Additional Resources

What are Similar Vulnerabilities to CVE-2023-44487?

Similar Vulnerabilities: CVE-2023-44487, CVE-2021-22946, CVE-2022-29241, CVE-2023-29437, CVE-2023-45803