Team,
The Apache web server needs to be updated. Major Linux distros have already pushed
the update. The exploit can be used to DDoS your Apache web server
without the need for many computers or a zombie army.
For any setup that has not yet done the patching, please follow the mitigation
process from the link below.
http://mail-archives.apache.org/mod_mbox/httpd-announce/201108.mbox/%3c20110824161640.122d38...@minotaur.apache.org%3E
Extract from the mitigation section:
Mitigation:
===
However there are several immediate options to mitigate this issue until
a full fix is available:
1) Use SetEnvIf or mod_rewrite to detect a large number of ranges and then
either ignore the Range: header or reject the request.
Option 1: (Apache 2.0 and 2.2)
# Drop the Range header when more than 5 ranges.
# CVE-2011-3192
SetEnvIf Range (,.*?){5,} bad-range=1
RequestHeader unset Range env=bad-range
# optional logging.
CustomLog logs/range-CVE-2011-3192.log common env=bad-range
Option 2: (Also for Apache 1.3)
# Reject request when more than 5 ranges in the Range: header.
# CVE-2011-3192
#
RewriteEngine on
RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
RewriteRule .* - [F]
The number 5 is arbitrary. Several tens should not be an issue and may be
required for sites which, for example, serve PDFs to very high-end eReaders
or use things such as complex HTTP-based video streaming.
-- Detail of the bug --
Title: Range header DoS vulnerability Apache HTTPD 1.3/2.x
CVE: CVE-2011-3192
Date: 20110824 1600Z
Product: Apache HTTPD Web Server
Versions: Apache 1.3 all versions, Apache 2 all versions
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192
The byterange filter in the Apache HTTP Server 1.3.x, 2.0.x through
2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a
denial of service (memory and CPU consumption) via a Range header that
expresses multiple overlapping ranges, as exploited in the wild in
August 2011, a different vulnerability than CVE-2007-0086.
The exploit:
http://www.exploit-db.com/exploits/17696/
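As an added illustration (not code from Apache or from the advisory), the following Python applies the two mitigation rules quoted above to sample Range headers, so you can see which requests each option drops or rejects, and also counts overlapping ranges, the request shape the CVE description refers to. The regexes and the threshold of 5 are taken from the advisory; the sample headers and content lengths are constructed.

```python
import re

# The threshold of 5 ranges and both regexes come from the Apache advisory
# quoted above; all Range header samples and content lengths are constructed.
# Option 1 (SetEnvIf): the header is "bad" once it holds 5 or more commas,
# i.e. 6 or more range specs.
OPTION1_RE = re.compile(r"(,.*?){5,}")
# Option 2 (RewriteCond, negated by "!"): only "bytes=" with at most 5
# comma-separated specs, or an empty header, passes; anything else gets 403.
OPTION2_RE = re.compile(r"^bytes=[^,]+(,[^,]+){0,4}$|^$")


def option1_flags(range_header):
    """True if 'SetEnvIf Range (,.*?){5,} bad-range=1' would fire."""
    return OPTION1_RE.search(range_header) is not None


def option2_rejects(range_header):
    """True if the RewriteCond/RewriteRule pair would answer 403 Forbidden."""
    return OPTION2_RE.search(range_header) is None


def parse_ranges(range_header, content_length):
    """Resolve each byte-range-spec to an absolute (first, last) pair."""
    unit, sep, specs = range_header.partition("=")
    if not sep or unit.strip().lower() != "bytes":
        return []
    ranges = []
    for spec in specs.split(","):
        first, _, last = spec.strip().partition("-")
        if not first and not last:            # malformed "-": skip it
            continue
        if not first:                         # suffix form "-N": last N bytes
            ranges.append((max(content_length - int(last), 0), content_length - 1))
        else:                                 # "N-" or "N-M"
            end = content_length - 1 if not last else min(int(last), content_length - 1)
            ranges.append((int(first), end))
    return ranges


def overlapping_range_count(range_header, content_length):
    """Count specs that overlap an earlier one: the 'multiple overlapping
    ranges' shape the CVE-2011-3192 description above refers to."""
    seen, overlaps = [], 0
    for first, last in parse_ranges(range_header, content_length):
        if any(first <= s_last and s_first <= last for s_first, s_last in seen):
            overlaps += 1
        seen.append((first, last))
    return overlaps
```

A benign eReader-style request such as `bytes=0-0,100-199,200-299` passes both options, while a header carrying six or more specs is dropped by Option 1 and rejected by Option 2 alike, so the two rules agree at the advisory's threshold.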
Meet a group of experts to discuss it. Invitation to ICT Security Day -
OWASP Day Malaysia 2011
http://cikgucyber.blogspot.com/2011/09/jemputan-hari-keselamatan-ict-owasp-day.html
OSDC.my Discussion Group In Facebook
http://www.facebook.com/groups/osdcmalaysia/