Re: CVE-2011-3192: Range header DoS vulnerability in Apache 1.3 and Apache 2 (DRAFT-3)

2011-08-24 Thread Dirk-Willem van Gulik
*   Folks - do we also need to add Request-Range ?

*   Updated with Rüdiger's, Eric's and Florian's comments.

*   Consensus that the deflate stuff needs to go out reflected.

*   More comments please, esp. on the quality and realism of the 
mitigations.

*   Is this the right list (and order) of the mitigations - or should 
ReWrite be first ?

*   Timeline mentioning fine (we've never done that before) -- or best 
avoided ?

My plan is to wait for the US to fully wake up - and then call for a few quick 
+1's to get this out - ideally before 1600 zulu.

Thanks,

Dw.

Title:  CVE-2011-3192: Range header DoS vulnerability in Apache 1.3 and Apache 2
Date:   20110824 1600Z
# Last Updated:  20110824 1600Z
Product:   Apache Web Server
Versions:  Apache 1.3 all versions, Apache 2 all versions

Description:


A denial of service vulnerability has been found in the way multiple 
overlapping ranges are handled by Apache 
(http://seclists.org/fulldisclosure/2011/Aug/175).  An attack tool is 
circulating in the wild. Active use of this tool has been observed.

The attack can be done remotely and with a modest number of requests leads to 
very significant memory and CPU usage. 

The default Apache installation is vulnerable.

There is currently no patch/new version of Apache which fixes this 
vulnerability. This advisory will be updated when a long term fix is available. 
A fix is expected in the next 96 hours. 

Mitigation:


There are, however, several immediate options to mitigate this issue until that time:

1)  Use mod_headers to disallow the use of Range headers:

RequestHeader unset Range 

Note that this may break certain clients - such as those used for
e-Readers and progressive/http-streaming video.

2)  Use mod_rewrite to limit the number of ranges:

RewriteCond %{HTTP:range} !^bytes=[^,]+(,[^,]+){0,4}$
RewriteRule .* - [F]

3)  Limit the size of the request field to a few hundred bytes. Note that 
while this keeps the offending Range header short, it may break other 
headers, such as sizable cookies or security fields. 

LimitRequestFieldSize 200

Note that as the attack evolves in the field you are likely to have
to further limit this and/or impose other LimitRequestFields limits.

See:
http://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfieldsize

4)  Deploy a Range header count module as a temporary stopgap measure:

http://people.apache.org/~dirkx/mod_rangecnt.c

5)  Apply any of the current patches under discussion - such as:


http://mail-archives.apache.org/mod_mbox/httpd-dev/201108.mbox/%3ccaapsnn2po-d-c4nqt_tes2rrwizr7urefhtkpwbc1b+k1dq...@mail.gmail.com%3e


Actions:
---
Apache HTTPD users are advised to investigate whether they are vulnerable (e.g. 
allow use of the Range header) and consider implementing any of the above 
mitigations immediately. 

When using a third party attack tool to verify vulnerability, be aware that 
most of the versions in the wild currently check for the presence of 
mod_deflate, and will (mis)report that your server is not vulnerable if this 
module is not present. This vulnerability does not depend on the presence or 
absence of that module.

Planning:
-

This advisory will be updated when a fix/patch or new release is available. A 
patch or new Apache release for Apache 2.0 and 2.2 is expected in the next 96 
hours. Note that, while popular, Apache 1.3 is deprecated. 
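
The draft talks about two quantities without showing them: how many range
specs a request carries, and how much overlapping work those specs ask the
server to do compared with serving the file once. The Python below is an added
example, not code from the advisory or from httpd. It parses a Range value the
way RFC 2616 defines it, reports the range count, the total bytes requested and
the overlap, and replays the mod_rewrite condition from mitigation 2) so the
regex can be checked offline. The function names, the 1000-byte resource size
and the sample headers are all constructed for this example. Watch what the
RewriteCond does with an empty value, which is what %{HTTP:range} expands to
when a client sends no Range header at all.

```python
import re

# Mitigation 2) from the draft: mod_rewrite forbids the request unless the
# Range value matches this pattern (at most five comma-separated range specs).
# Python's re gives this pattern the same meaning as Apache's PCRE.
REWRITE_COND = re.compile(r"^bytes=[^,]+(,[^,]+){0,4}$")


def rewrite_cond_forbids(range_value):
    """Mirror 'RewriteCond %{HTTP:range} !<pattern>' followed by
    'RewriteRule .* - [F]': True means the request would be answered 403.
    mod_rewrite expands %{HTTP:range} to "" when the header is absent,
    so pass "" to see what happens to a request without a Range header."""
    return REWRITE_COND.match(range_value) is None


def parse_byte_ranges(value, size):
    """Parse an RFC 2616 Range value ("bytes=" byte-range-set) against a
    resource of `size` bytes into a list of inclusive (first, last) pairs.
    Returns None if the value is not syntactically valid. Unsatisfiable
    specs (first >= size, or last < first) are skipped, as a server would."""
    if not value.startswith("bytes="):
        return None
    ranges = []
    for spec in value[len("bytes="):].split(","):
        first, dash, last = spec.strip().partition("-")
        if dash != "-":
            return None                       # a bare "44" is not a range spec
        if first == "":                       # "-N": the last N bytes
            if not last.isdigit():
                return None
            n = int(last)
            if n == 0:
                continue
            ranges.append((max(size - n, 0), size - 1))
            continue
        if not first.isdigit() or (last and not last.isdigit()):
            return None
        lo = int(first)
        hi = int(last) if last else size - 1  # "N-": from N to end of resource
        if lo >= size or hi < lo:
            continue
        ranges.append((lo, min(hi, size - 1)))
    return ranges


def range_stats(value, size):
    """Quantify the work a Range value asks for: number of ranges, total bytes
    requested, how many ranges (after sorting) overlap the one before them,
    and the amplification relative to serving the whole resource once."""
    ranges = parse_byte_ranges(value, size)
    if ranges is None:
        return None
    ordered = sorted(ranges)
    overlaps = sum(1 for (_, a_hi), (b_lo, _) in zip(ordered, ordered[1:])
                   if b_lo <= a_hi)
    requested = sum(hi - lo + 1 for lo, hi in ranges)
    return {
        "count": len(ranges),
        "requested_bytes": requested,
        "overlaps": overlaps,
        "amplification": requested / size,
    }


# Constructed sample headers (not taken from any attack tool): a benign
# three-range request, and an overlapping request of the kind the advisory
# describes, asking for the whole 1000-byte resource 100 times over.
BENIGN = "bytes=0-1,2-3,4-5"
OVERLAPPING = "bytes=" + ",".join(["0-"] * 100)

if __name__ == "__main__":
    for name, value in (("benign", BENIGN), ("overlapping", OVERLAPPING),
                        ("no Range header", "")):
        print(name, range_stats(value, 1000),
              "forbidden by RewriteCond:", rewrite_cond_forbids(value))
```

The three-range header is allowed and costs six bytes; the hundred-range
header is forbidden and would cost a hundred full copies of the resource. The
empty value is also forbidden, because "" does not match the pattern and the
condition is negated, so a client that sends no Range header at all is refused
as well.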
Re: CVE-2011-3192: Range header DoS vulnerability in Apache 1.3 and Apache 2 (DRAFT-3)

2011-08-24 Thread Eric Covener
> *       Is this the right list (and order) of the mitigations - or should 
> ReWrite be first ?
FWIW I don't like rewrite first because it's so unruly with being
defined once per vhost + main server + RewriteEngine on.

I like RequestHeader simplicity, and could be combined with SetEnvIf
to only zap long malicious looking headers.


Re: CVE-2011-3192: Range header DoS vulnerability in Apache 1.3 and Apache 2 (DRAFT-3)

2011-08-24 Thread Eric Covener
On Wed, Aug 24, 2011 at 9:17 AM, Eric Covener cove...@gmail.com wrote:
> *       Is this the right list (and order) of the mitigations - or should 
> ReWrite be first ?
> FWIW I don't like rewrite first because it's so unruly with being
> defined once per vhost + main server + RewriteEngine on.
>
> I like RequestHeader simplicity, and could be combined with SetEnvIf
> to only zap long malicious looking headers.

e.g.

SetEnvIf Range (,.*?){5,} bad-range=1
RequestHeader unset Range env=bad-range
CustomLog logs/range.log "%r %{Range}i %{bad-range}e"

printf 'GET / HTTP/1.1\r\nHost: localhost\r\nRange:bytes=0-1,2-3,4-5,5-6,7-9,10-12,11-99,44\r\n\r\n' | nc localhost 80

GET / HTTP/1.1 - 1

printf 'GET / HTTP/1.1\r\nHost: localhost\r\nRange:bytes=0-1,2-3,4-5\r\n\r\n' | nc localhost 80

GET / HTTP/1.1 bytes=0-1,2-3,4-5 -

-- 
Eric Covener
cove...@gmail.com


Re: CVE-2011-3192: Range header DoS vulnerability in Apache 1.3 and Apache 2 (DRAFT-3)

2011-08-24 Thread Eric Covener
On Wed, Aug 24, 2011 at 9:29 AM, Eric Covener cove...@gmail.com wrote:
> On Wed, Aug 24, 2011 at 9:17 AM, Eric Covener cove...@gmail.com wrote:
>> *       Is this the right list (and order) of the mitigations - or should 
>> ReWrite be first ?
>> FWIW I don't like rewrite first because it's so unruly with being
>> defined once per vhost + main server + RewriteEngine on.
>>
>> I like RequestHeader simplicity, and could be combined with SetEnvIf
>> to only zap long malicious looking headers.
>
> e.g.
>
> SetEnvIf Range (,.*?){5,} bad-range=1
> RequestHeader unset Range env=bad-range
> CustomLog logs/range.log "%r %{Range}i %{bad-range}e"
>
> printf 'GET / HTTP/1.1\r\nHost: localhost\r\nRange:bytes=0-1,2-3,4-5,5-6,7-9,10-12,11-99,44\r\n\r\n' | nc localhost 80
>
> GET / HTTP/1.1 - 1
>
> printf 'GET / HTTP/1.1\r\nHost: localhost\r\nRange:bytes=0-1,2-3,4-5\r\n\r\n' | nc localhost 80
>
> GET / HTTP/1.1 bytes=0-1,2-3,4-5 -


Or more like Rüdiger's:

SetEnvIf Range (,[^,]*){5,} bad-range=1
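
The SetEnvIf / RequestHeader / CustomLog trio that Eric posted above, and the
two candidate SetEnvIf patterns ((,.*?){5,} and Rüdiger's (,[^,]*){5,}), can
be checked without a running httpd. The Python below is an added example, not
code from the thread or from httpd: it parses a raw request of the kind the
printf | nc test sends, applies the three directives in order, and renders the
"%r %{Range}i %{bad-range}e" log line. The request strings are constructed from
the two in the message plus a request with no Range header; the function names
and the pattern labels are this example's own.

```python
import re

# The two SetEnvIf patterns proposed in the thread, keyed by proposer.
# Python's re treats them as Apache's PCRE does. SetEnvIf matches the header
# value unanchored, so re.search (not re.match) is the right call.
PATTERNS = {
    "covener": re.compile(r"(,.*?){5,}"),
    "pluem": re.compile(r"(,[^,]*){5,}"),
}


def parse_request(raw):
    """Split a raw HTTP/1.1 request (CRLF line endings, headers up to the
    first empty line) into the request line and a dict of lower-cased header
    names to stripped values."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def apply_range_filter(raw, pattern="covener"):
    """Mirror, for one request, the directives
        SetEnvIf Range <pattern> bad-range=1
        RequestHeader unset Range env=bad-range
        CustomLog logs/range.log "%r %{Range}i %{bad-range}e"
    Returns (log_line, remaining_headers). '-' stands for an absent header
    or env var, as in Apache's log format; %{Range}i is read after the
    unset, which is why a zapped header logs as '-'."""
    request_line, headers = parse_request(raw)
    env = {}
    if "range" in headers and PATTERNS[pattern].search(headers["range"]):
        env["bad-range"] = "1"
    if "bad-range" in env:
        headers.pop("range")
    log_line = " ".join([request_line,
                         headers.get("range", "-"),
                         env.get("bad-range", "-")])
    return log_line, headers


# Constructed raw requests: the two Eric sent with printf, plus one that
# carries no Range header at all.
EIGHT_RANGES = ("GET / HTTP/1.1\r\nHost: localhost\r\n"
                "Range:bytes=0-1,2-3,4-5,5-6,7-9,10-12,11-99,44\r\n\r\n")
THREE_RANGES = ("GET / HTTP/1.1\r\nHost: localhost\r\n"
                "Range:bytes=0-1,2-3,4-5\r\n\r\n")
NO_RANGE = "GET / HTTP/1.1\r\nHost: localhost\r\n\r\n"

if __name__ == "__main__":
    for name in PATTERNS:
        for raw in (EIGHT_RANGES, THREE_RANGES, NO_RANGE):
            print(name, apply_range_filter(raw, name)[0])
```

Both patterns give the same verdicts: they fire on the eight-range request,
leave the three-range request alone, and do nothing to a request without a
Range header, which is the property that makes this variant safer to deploy
broadly than a negated RewriteCond.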


RE: CVE-2011-3192: Range header DoS vulnerability in Apache 1.3 and Apache 2 (DRAFT-3)

2011-08-24 Thread Plüm, Rüdiger, VF-Group
Reverse the order a little bit:

2) , 3), 1) (as 1) is likely to break the most things compared to 2) and 3))

Regarding 2) see the ongoing discussion between Eric and me to find the correct 
expression.

Regards

Rüdiger

> -Original Message-
> From: Dirk-Willem van Gulik
> Sent: Wednesday, 24 August 2011 15:08
> To: Dirk-Willem van Gulik
> Cc: dev@httpd.apache.org; secur...@httpd.apache.org
> Subject: Re: CVE-2011-3192: Range header DoS vulnerability in 
> Apache 1.3 and Apache 2 (DRAFT-3)
>
> [...]


RE: CVE-2011-3192: Range header DoS vulnerability in Apache 1.3 and Apache 2 (DRAFT-3)

2011-08-24 Thread Plüm, Rüdiger, VF-Group
 

> -Original Message-
> From: Eric Covener [mailto:cove...@gmail.com] 
> Sent: Wednesday, 24 August 2011 15:29
> To: dev@httpd.apache.org
> Subject: Re: CVE-2011-3192: Range header DoS vulnerability in 
> Apache 1.3 and Apache 2 (DRAFT-3)
>
> On Wed, Aug 24, 2011 at 9:17 AM, Eric Covener 
> cove...@gmail.com wrote:
>> *       Is this the right list (and order) of the 
>> mitigations - or should ReWrite be first ?
>> FWIW I don't like rewrite first because it's so unruly with being
>> defined once per vhost + main server + RewriteEngine on.
>>
>> I like RequestHeader simplicity, and could be combined with SetEnvIf
>> to only zap long malicious looking headers.
>
> e.g.
>
> SetEnvIf Range (,.*?){5,} bad-range=1
> RequestHeader unset Range env=bad-range

Nice one as well. Might be even better than the rewrite rule.

Regards

Rüdiger


Re: CVE-2011-3192: Range header DoS vulnerability in Apache 1.3 and Apache 2 (DRAFT-3)

2011-08-24 Thread Jim Jagielski
+1

On Aug 24, 2011, at 10:29 AM, Plüm, Rüdiger, VF-Group wrote:

 
 
> -Original Message-
> From: Eric Covener [mailto:cove...@gmail.com] 
> Sent: Wednesday, 24 August 2011 15:29
> To: dev@httpd.apache.org
> Subject: Re: CVE-2011-3192: Range header DoS vulnerability in 
> Apache 1.3 and Apache 2 (DRAFT-3)
>
>> On Wed, Aug 24, 2011 at 9:17 AM, Eric Covener 
>> cove...@gmail.com wrote:
>>> *   Is this the right list (and order) of the 
>>> mitigations - or should ReWrite be first ?
>>> FWIW I don't like rewrite first because it's so unruly with being
>>> defined once per vhost + main server + RewriteEngine on.
>>>
>>> I like RequestHeader simplicity, and could be combined with SetEnvIf
>>> to only zap long malicious looking headers.
>>
>> e.g.
>>
>> SetEnvIf Range (,.*?){5,} bad-range=1
>> RequestHeader unset Range env=bad-range
>
> Nice one as well. Might be even better than the rewrite rule.
>
> Regards
>
> Rüdiger



Re: CVE-2011-3192: Range header DoS vulnerability in Apache 1.3 and Apache 2 (DRAFT-3)

2011-08-24 Thread Nick Kew
On Wed, 24 Aug 2011 09:30:34 -0400
Eric Covener cove...@gmail.com wrote:

> Or more like Rüdiger's:
>
> SetEnvIf Range (,[^,]*){5,} bad-range=1

Or just
Untaint HTTP_RANGE (,[^,]*){5,}

Is it time to re-suggest dropping mod_taint into trunk?

-- 
Nick Kew