httpd-dev mailing list archives

From "Plüm, Rüdiger, VF-Group" <ruediger.pl...@vodafone.com>
Subject RE: CVE-2011-3192: Range header DoS vulnerability in Apache 1.3 and Apache 2 (DRAFT-3)
Date Wed, 24 Aug 2011 14:20:18 GMT
Reverse the order a little bit:

2), 3), 1) (as 1) is likely to break the most things compared to 2) and 3))

Regarding 2) see the ongoing discussion between Eric and me to find the correct expression.

Regards

Rüdiger

> -----Original Message-----
> From: Dirk-Willem van Gulik
> Sent: Wednesday, 24 August 2011 15:08
> To: Dirk-Willem van Gulik
> Cc: dev@httpd.apache.org; security@httpd.apache.org
> Subject: Re: CVE-2011-3192: Range header DoS vulnerability in Apache 1.3 and Apache 2 (DRAFT-3)
> 
> *	Folks - do we also need to add Request-Range ?
> 
> *	Updated with Rudiger's, Eric's and Florian's comments.
> 
> *	Consensus that the deflate stuff needs to go out reflected.
> 
> *	More comments please. Esp. on the quality and realisticness of the mitigations.
> 
> *	Is this the right list (and order) of the mitigations - or should ReWrite be first ?
> 
> *	Timeline mentioning fine (we've never done that before) -- or best avoided ?
> 
> My plan is to wait for the US to fully wake up - and then call for a few quick +1's to get this out - ideally before 1600 zulu.
> 
> Thanks,
> 
> Dw.
> 
> Title:      CVE-2011-3192: Range header DoS vulnerability in Apache 1.3 and Apache 2
> Date:       20110824 1600Z
> # Last Updated:  20110824 1600Z
> Product:    Apache Web Server
> Versions:   Apache 1.3 all versions, Apache 2 all versions
> 
> Description:
> ------------
> 
> A denial of service vulnerability has been found in the way multiple overlapping ranges are handled by Apache (http://seclists.org/fulldisclosure/2011/Aug/175). An attack tool is circulating in the wild. Active use of this tool has been observed.
> 
> The attack can be done remotely and with a modest number of requests leads to very significant memory and CPU usage.
> 
> The default Apache installation is vulnerable.
> 
> There is currently no patch/new version of Apache which fixes this vulnerability. This advisory will be updated when a long-term fix is available. A fix is expected in the next 96 hours.
> 
> Mitigation:
> ------------
> 
> However, there are several immediate options to mitigate this issue until that time:
> 
> 1)	Use mod_headers to dis-allow the use of Range headers:
> 
> 		RequestHeader unset Range
> 
> 	Note that this may break certain clients - such as those used for
> 	e-Readers and progressive/http-streaming video.
> 
> 2)	Use mod_rewrite to limit the number of ranges:
> 
> 		RewriteCond %{HTTP:range} !^bytes=[^,]+(,[^,]+){0,4}$
> 		RewriteRule .* - [F]
> 
> 3)	Limit the size of the request field to a few hundred bytes. Note that while this
> 	keeps the offending Range header short - it may break other headers; such as sizable
> 	cookies or security fields.
> 
> 		LimitRequestFieldSize 200
> 
> 	Note that as the attack evolves in the field you are likely to have
> 	to further limit this and/or impose other LimitRequestFields limits.
> 
> 	See: http://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfieldsize
> 
> 4)	Deploy a Range header count module as a temporary stopgap measure:
> 
> 	http://people.apache.org/~dirkx/mod_rangecnt.c
> 
> 5)	Apply any of the current patches under discussion - such as:
> 
> 	http://mail-archives.apache.org/mod_mbox/httpd-dev/201108.mbox/%3cCAAPSnn2PO-d-C4nQt_TES2RRWiZr7urefhTKPWBC1b+K1Dqc7g@mail.gmail.com%3e
> 
> 
> Actions:
> -----------
> Apache HTTPD users are advised to investigate whether they are vulnerable (e.g. allow use of the Range header) and consider implementing any of the above mitigations immediately.
> 
> When using a third party attack tool to verify vulnerability - know that most of the versions in the wild currently check for the presence of mod_deflate; and will (mis)report that your server is not vulnerable if this module is not present. This vulnerability is not dependent on presence or absence of that module.
> 
> Planning:
> -------------
> 
> This advisory will be updated when a fix/patch or new release is available. A patch or new Apache release for Apache 2.0 and 2.2 is expected in the next 96 hours. Note that, while popular, Apache 1.3 is deprecated.
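As an added illustration of the range-counting mitigations in the draft (items 2 and 4), and of the Request-Range question Dirk raises, the following Python script is not part of the thread above and is not Apache's own code (mod_rangecnt.c is a C module; this is an independent re-implementation of the idea). It mirrors the RewriteCond regular expression from the draft exactly, parses the byte-range set properly, counts how many ranges overlap an earlier one, and applies the same limit to both Range and Request-Range. The sample header values and the content length are constructed for the demonstration.

```python
import re
from typing import Dict, List, Optional, Tuple

# The expression from mitigation 2) of the draft advisory:
#   RewriteCond %{HTTP:range} !^bytes=[^,]+(,[^,]+){0,4}$
# mod_rewrite forbids the request when the header does NOT match, i.e. when
# it carries more than five comma-separated range specs.
ADVISORY_RANGE_RE = re.compile(r"^bytes=[^,]+(,[^,]+){0,4}$")
MAX_RANGES = 5  # the limit encoded by the {0,4} repetition above

ByteRange = Tuple[Optional[int], Optional[int]]


def regex_allows(value: str) -> bool:
    """Mirror the RewriteCond: True when the request would pass the rule."""
    return ADVISORY_RANGE_RE.match(value) is not None


def parse_byte_ranges(value: str) -> Optional[List[ByteRange]]:
    """Parse a 'bytes=' Range value into (first, last) pairs.

    A suffix range '-500' becomes (None, 500); an open range '500-' becomes
    (500, None). Returns None when the value is not a syntactically valid
    byte-range set (a server ignores such a header, so there is nothing to count).
    """
    if not value.startswith("bytes="):
        return None
    ranges: List[ByteRange] = []
    for spec in value[len("bytes="):].split(","):
        m = re.fullmatch(r"(\d*)-(\d*)", spec.strip())
        if m is None or (m.group(1) == "" and m.group(2) == ""):
            return None
        first = int(m.group(1)) if m.group(1) else None
        last = int(m.group(2)) if m.group(2) else None
        ranges.append((first, last))
    return ranges


def count_overlaps(ranges: List[ByteRange], content_length: int) -> int:
    """Count ranges that overlap an earlier range once resolved against
    content_length. Overlap is what makes a many-range request expensive."""
    resolved = []
    for first, last in ranges:
        if first is None:                      # suffix range: last N bytes
            first, last = max(content_length - last, 0), content_length - 1
        elif last is None or last >= content_length:
            last = content_length - 1
        if first <= last:                      # unsatisfiable ranges are dropped
            resolved.append((first, last))
    resolved.sort()
    overlaps, max_end = 0, -1
    for first, last in resolved:
        if first <= max_end:
            overlaps += 1
        max_end = max(max_end, last)
    return overlaps


def check_request_headers(headers: Dict[str, str],
                          max_ranges: int = MAX_RANGES) -> Dict[str, str]:
    """Allow or reject a request by counting range specs in both Range and
    the legacy Request-Range header (header names compared case-insensitively)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in ("range", "request-range"):
        value = lowered.get(name)
        if value is None:
            continue
        ranges = parse_byte_ranges(value)
        if ranges is None:
            continue                           # malformed or non-byte unit: ignored
        if len(ranges) > max_ranges:
            return {"action": "reject",
                    "reason": f"{name}: {len(ranges)} ranges exceed limit {max_ranges}"}
    return {"action": "allow", "reason": "range count within limit"}


# Constructed sample values (not taken from the thread or the seclists post).
NORMAL = "bytes=0-499"
TWO = "bytes=0-499,1000-1499"
MANY = "bytes=" + ",".join(f"{i}-{i + 100}" for i in range(0, 200, 10))  # 20 overlapping specs
CONTENT_LENGTH = 10_000  # hypothetical size of the requested resource


if __name__ == "__main__":
    for label, value in (("normal", NORMAL), ("two", TWO), ("many", MANY)):
        ranges = parse_byte_ranges(value) or []
        print(f"{label:6} specs={len(ranges):2} "
              f"overlaps={count_overlaps(ranges, CONTENT_LENGTH):2} "
              f"regex_allows={regex_allows(value)} "
              f"decision={check_request_headers({'Range': value})['action']}")
```

One caveat the comparison makes visible: the RewriteCond only counts commas, so a value such as `bytes=a,b` passes the rule while the parser treats it as malformed; that is harmless, since a server ignores a Range header it cannot parse, but it means the regex is a counting guard rather than a validator. Mitigation 3 (`LimitRequestFieldSize 200`) bounds the same thing by length instead of by count; a five-spec header fits comfortably within that limit.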
