Folks,
Can I have a few +1's on below - or feedback on what we'd like to have changed ?
* Would like to get this out in an hour or so ?
* FIne with the 48 hours commitment of an update ?
Dw.
Title: CVE-2011-3192: Range header DoS vulnerability Apache HTTPD 1.3/2.x
Date: 20110824 1600Z
Product: Apache HTTPD Web Server
Versions: Apache 1.3 all versions, Apache 2 all versions
Description:
------------
A denial of service vulnerability has been found in the way the multiple
overlapping ranges are handled by the Apache HTTPD server:
http://seclists.org/fulldisclosure/2011/Aug/175
An attack tool is circulating in the wild. Active use of this tools has been
observed.
The attack can be done remotely and with a modest number of requests can cause
very significant memory and CPU usage on the server.
The default Apache HTTPD installation is vulnerable.
There is currently no patch/new version of Apache HTTPD which fixes this
vulnerability. This advisory will be updated when a long term fix is available.
A full fix is expected in the next 48 hours.
Mitigation:
------------
However there are several immediate options to mitigate this issue until that
time:
1) Use mod_rewrite to limit the number of ranges:
Option 1L
RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
RewriteRule .* - [F]
Option 2:
SetEnvIf Range (,.*?){5,} bad-range=1
RequestHeader unset Range env=bad-range
# optional logging.
CustomLog logs/range.log "%r %{Range}i %{bad-range}e"
2) Limit the size of the request field to a few hundred bytes. Note that while
this
keeps the offending Range header short - it may break other headers; such as
sizeable cookies or security fields.
LimitRequestFieldSize 200
Note that as the attack evolves in the field you are likely to have
to further limit this and/or impose other LimitRequestFields limits.
See:
http://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfieldsize
3) Use mod_headers to dis-allow the use of Range headers:
RequestHeader unset Range
Note that this may break certain clients - such as those used for
e-Readers and progressive/http-streaming video.
4) Deploy a Range header count module as a temporary stopgap measure:
http://people.apache.org/~dirkx/mod_rangecnt.c
5) Apply any of the current patches under discussion - such as:
http://mail-archives.apache.org/mod_mbox/httpd-dev/201108.mbox/%3ccaapsnn2po-d-c4nqt_tes2rrwizr7urefhtkpwbc1b+k1dq...@mail.gmail.com%3e
Actions:
-----------
Apache HTTPD users who are concerned about a DoS attack against their server
should consider implementing any of the above mitigations immediately.
When using a third party attack tool to verify vulnerability - know that most
of the versions in the wild currently check for the presence of mod_deflate;
and will (mis)report that your server is not vulnerable if this module is not
present. This vulnerability is not dependent on presence or absence of that
module.
Planning:
-------------
This advisory will be updated when a fix/patch or new release is available. A
patch or new apache release for Apache 2.0 and 2.2 is expected in the next 48
hours. Note that, while popular, Apache 1.3 is deprecated.
