{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/http-downgrade/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Nginx","Apache HTTP Server","Apache Tomcat","Traefik"],"_cs_severities":["low"],"_cs_tags":["defense-evasion","http-downgrade","web-server"],"_cs_type":"advisory","_cs_vendors":["Nginx","Apache","Traefik"],"content_html":"\u003cp\u003eThis rule from Elastic detects potential HTTP downgrade attacks by identifying HTTP traffic that negotiates an older HTTP version than what is typically used in the environment. The rule leverages the \u003ccode\u003enew_terms\u003c/code\u003e rule type to identify unusual HTTP versions, such as HTTP/1.1 when HTTP/2 is expected. An attacker may force a downgrade to exploit vulnerabilities in older protocols, bypass security measures, or conduct request smuggling attacks. This rule is designed to work with web server access logs, specifically Nginx, Apache, Apache Tomcat, and Traefik. The rule is triggered when a new HTTP version is observed relative to the baseline.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a target web server supporting HTTP/2.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a crafted HTTP request that disrupts HTTP/2 negotiation (e.g., by omitting ALPN).\u003c/li\u003e\n\u003cli\u003eThe web server falls back to HTTP/1.1 or HTTP/1.0 due to the failed HTTP/2 negotiation.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts HTTP/1.1 requests with techniques like simultaneous Content-Length and Transfer-Encoding headers or mixed-case headers.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts request smuggling or cache poisoning by exploiting differences in how the web server and backend systems parse the downgraded HTTP requests.\u003c/li\u003e\n\u003cli\u003eThe web server returns unexpected responses, such as 4xx or 5xx errors, or exhibits increased latency.\u003c/li\u003e\n\u003cli\u003eThe attacker may gain unauthorized access to resources or compromise other users' sessions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful HTTP downgrade attacks can lead to various security issues. Attackers can exploit vulnerabilities specific to older HTTP versions, bypass security controls designed for newer protocols, or conduct request smuggling and cache poisoning attacks. This can lead to unauthorized access to sensitive information, denial of service, or other malicious activities. While the rule severity is low, successful exploitation after a downgrade can result in high impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;HTTP Downgrade Attack Detected via Version Mismatch\u0026quot; to your SIEM and tune based on your environment to detect potential downgrade attempts (see rule below).\u003c/li\u003e\n\u003cli\u003eCorrelate detected downgrade events with other security logs, such as TLS termination or load balancer logs, to verify ALPN negotiation as described in the rule's note section.\u003c/li\u003e\n\u003cli\u003eReview server configurations to disable cleartext h2c and HTTP/1.0 on public endpoints, enforcing TLS+ALPN \u0026quot;h2\u0026quot; on port 443 as recommended in the rule's note section.\u003c/li\u003e\n\u003cli\u003eImplement WAF rules to drop requests with \u0026quot;Upgrade: h2c\u0026quot;, simultaneous Content-Length and Transfer-Encoding headers, or duplicated/mixed-case headers to mitigate request smuggling attempts as recommended in the rule's note section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T10:00:00Z","date_published":"2024-01-29T10:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-http-downgrade/","summary":"The new_terms rule detects potential HTTP downgrade attacks by identifying HTTP traffic using a different HTTP version than typically used, potentially exposing systems to vulnerabilities in older protocols.","title":"Potential HTTP Downgrade Attack Detected","url":"https://feed.craftedsignal.io/briefs/2024-01-http-downgrade/"}],"language":"en","title":"CraftedSignal Threat Feed - Http-Downgrade","version":"https://jsonfeed.org/version/1.1"}