Sunday, October 6, 2024
HomeCVE/vulnerabilityHTTP/2 Vulnerability Let Hackers Launch DOS Attacks on Web Servers

HTTP/2 Vulnerability Let Hackers Launch DOS Attacks on Web Servers

Published on

Researchers identified a significant vulnerability within the HTTP/2 protocol, potentially allowing hackers to launch Denial of Service (DOS) attacks on web servers.

The vulnerability tracked as CVE-2024-28182 has raised concerns among internet security experts and prompted responses from various technology vendors.

The CERT Coordination Center (CERT/CC) disclosed the vulnerability in a vulnerability note VU#421644.

- Advertisement - EHA

It has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2024-28182. This security flaw is particularly worrisome because it affects the HTTP/2 protocol, which is widely used for secure communications on the Internet.

Document
Stop Advanced Phishing Attack With AI

AI-Powered Protection for Business Email Security

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Stopping 99% of phishing attacks missed by other email security solutions. .

Impact on Vendors and Products

This vulnerability has impacted several technology vendors. Arista Networks, a prominent player in the networking space, has confirmed that some of its products are susceptible to the identified threat.

The company has provided a detailed advisory on the affected products and their impact on its official website.

Fastly, a global cloud platform has also acknowledged the impact of vulnerability on its services.

The company’s statement, dated April 5, 2024, indicates that CVE-2023-45288 is among the affected vulnerabilities. However, Fastly has not yet received a statement from the vendor regarding several other CVEs.

The Go Programming Language is another affected entity, with its net/http and golang.org/x/net/http2 packages being vulnerable due to a lack of a limit on the number of headers for a request.

SUSE, a significant software company known for its Linux distributions, has also reported that its distributions contain affected packages.

The company has committed to shipping updated Go compilers and rebuilt Go packages once available.

The CVE-2024-28182 vulnerability allows attackers to exploit the HTTP/2 protocol by overwhelming a web server with a flood of data, leading to a DOS attack.

This attack can render the server unresponsive to legitimate traffic, effectively taking it offline and disrupting services.

Free Webinarfor DIFR/SOC Teams: Securing the Top 3 SME Cyber Attack Vectors - Register Here.

Responses and Mitigations

Since the vulnerability was discovered, affected vendors have been working on patches and updates to mitigate the risk.

Arista Networks has already provided information on the affected products and their steps to address the issue. Similarly, SUSE has announced plans to release updated compilers and packages to protect against the vulnerability.

The Importance of Timely Updates

The identification of CVE-2024-28182 underscores the importance of timely security updates and the need to monitor cybersecurity threats continuously.

Organizations using affected products are advised to follow the vendor’s guidance and apply necessary patches or updates as soon as possible to protect against potential attacks.

The discovery of the CVE-2024-28182 vulnerability in the HTTP/2 protocol reminds us of the ever-present risks in the digital landscape.

As cyber threats evolve, the collaboration between vendors, security researchers, and the broader cybersecurity community becomes increasingly crucial in identifying and mitigating such vulnerabilities.

Users and administrators are urged to stay vigilant and ensure their systems are up-to-date with the latest security measures.

Secure your emails in a heartbeat! To find your ideal email security vendor, Take a Free 30-Second Assessment.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Prince Ransomware Hits UK and US via Royal Mail Phishing Scam

A new ransomware campaign targeting individuals and organizations in the UK and the US...

Microsoft, DOJ Dismantle Domains Used by Russian FSB-Linked Hacking Group

Microsoft and the U.S. Department of Justice (DOJ) have successfully dismantled a network of...

Cloud Penetration Testing Checklist – 2024

Cloud Penetration Testing is a method of actively checking and examining the Cloud system...

Linux Malware perfctl Attacking Millions of Linux Servers

Researchers have uncovered a sophisticated Linux malware, dubbed "perfctl," actively targeting millions of Linux...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

Prince Ransomware Hits UK and US via Royal Mail Phishing Scam

A new ransomware campaign targeting individuals and organizations in the UK and the US...

Microsoft, DOJ Dismantle Domains Used by Russian FSB-Linked Hacking Group

Microsoft and the U.S. Department of Justice (DOJ) have successfully dismantled a network of...

Linux Malware perfctl Attacking Millions of Linux Servers

Researchers have uncovered a sophisticated Linux malware, dubbed "perfctl," actively targeting millions of Linux...