Return-Path: X-Original-To: apmail-httpd-dev-archive@www.apache.org Delivered-To: apmail-httpd-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id E4D248DDB for ; Wed, 24 Aug 2011 14:57:22 +0000 (UTC) Received: (qmail 76413 invoked by uid 500); 24 Aug 2011 14:57:19 -0000 Delivered-To: apmail-httpd-dev-archive@httpd.apache.org Received: (qmail 75998 invoked by uid 500); 24 Aug 2011 14:57:18 -0000 Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: dev@httpd.apache.org list-help: list-unsubscribe: List-Post: List-Id: Delivered-To: mailing list dev@httpd.apache.org Received: (qmail 75877 invoked by uid 99); 24 Aug 2011 14:57:18 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 24 Aug 2011 14:57:18 +0000 X-ASF-Spam-Status: No, hits=-0.0 required=5.0 tests=SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (athena.apache.org: domain of dirkx@webweaving.org designates 178.18.23.51 as permitted sender) Received: from [178.18.23.51] (HELO pikmeer.webweaving.org) (178.18.23.51) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 24 Aug 2011 14:57:12 +0000 Received: from [192.168.1.100] (188.29.93.72.threembb.co.uk [188.29.93.72]) (authenticated bits=0) by pikmeer.webweaving.org (8.14.4/8.14.4) with ESMTP id p7OEuDYJ072617 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO) for ; Wed, 24 Aug 2011 14:56:46 GMT (envelope-from dirkx@webweaving.org) Content-Type: text/plain; charset=iso-8859-1 Mime-Version: 1.0 (Apple Message framework v1244.3) Subject: Re: VOTES please -- CVE-2011-3192: Range header DoS vulnerability in Apache 1.3 and Apache 2 (Final-6) From: Dirk-Willem van Gulik In-Reply-To: Date: Wed, 24 Aug 2011 15:56:17 +0100 Content-Transfer-Encoding: quoted-printable Message-Id: <7E653E0C-1FF7-4F3C-9203-84295A456833@webweaving.org> References: <5E9A092C-A449-4318-8A31-FA0481EB04B7@webweaving.org> <36F0D63B-451E-4F43-9F0F-5EA96A699427@webweaving.org> To: dev@httpd.apache.org X-Mailer: Apple Mail (2.1244.3) X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.2.5 (pikmeer.webweaving.org [178.18.23.51]); Wed, 24 Aug 2011 14:56:46 +0000 (UTC) Various suggest on-list and off-list fixes applied. Thanks all. A few more +1's would be nice :) Dw. Title: CVE-2011-3192: Range header DoS vulnerability Apache HTTPD = 1.3/2.x Apache HTTPD Security ADVISORY Date: 20110824 1600Z Product: Apache HTTPD Web Server Versions: Apache 1.3 all versions, Apache 2 all versions Description: ------------ A denial of service vulnerability has been found in the way the multiple = overlapping ranges are handled by the Apache HTTPD server: http://seclists.org/fulldisclosure/2011/Aug/175 =20 An attack tool is circulating in the wild. Active use of this tools has = been observed. The attack can be done remotely and with a modest number of requests can = cause very significant memory and CPU usage on the server.=20 The default Apache HTTPD installation is vulnerable. There is currently no patch/new version of Apache HTTPD which fixes this = vulnerability. This advisory will be updated when a long term fix is = available.=20 A full fix is expected in the next 48 hours.=20 Mitigation: ------------ However there are several immediate options to mitigate this issue until = that time.=20 1) Use mod_rewrite to limit the number of ranges: Option 1: # drop Range header when more than 5 ranges. # CVE-2011-3192 SetEnvIf Range (,.*?){5,} bad-range=3D1 RequestHeader unset Range env=3Dbad-range # optional logging. CustomLog logs/range-CVE-2011-3192.log common env=3Dbad-range Option 2: # Reject request when more than 5 ranges in the Range: header. # CVE-2011-3192 # RewriteCond %{HTTP:range} !(^bytes=3D[^,]+(,[^,]+){0,4}$|^$) RewriteRule .* - [F] The number 5 is arbitrary. Several 10's should not be an issue and = may be required for sites which for example serve PDFs to very high end = eReaders or use things such complex http based video streaming. 2) Limit the size of the request field to a few hundred bytes. Note that = while this keeps the offending Range header short - it may break other headers; = such as=20 sizeable cookies or security fields.=20 LimitRequestFieldSize 200 Note that as the attack evolves in the field you are likely to have to further limit this and/or impose other LimitRequestFields limits. See: = http://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfieldsize 3) Use mod_headers to completely dis-allow the use of Range headers: RequestHeader unset Range=20 Note that this may break certain clients - such as those used for e-Readers and progressive/http-streaming video. 4) Deploy a Range header count module as a temporary stopgap measure: http://people.apache.org/~dirkx/mod_rangecnt.c Precompiled binaries for some platforms are available at: http://people.apache.org/~dirkx/BINARIES.txt 5) Apply any of the current patches under discussion - such as: = http://mail-archives.apache.org/mod_mbox/httpd-dev/201108.mbox/%3cCAAPSnn2= PO-d-C4nQt_TES2RRWiZr7urefhTKPWBC1b+K1Dqc7g@mail.gmail.com%3e Actions: ----------- Apache HTTPD users who are concerned about a DoS attack against their = server should consider implementing any of the above mitigations = immediately.=20 When using a third party attack tool to verify vulnerability - know that = most of the versions in the wild currently check for the presence of = mod_deflate; and will (mis)report that your server is not vulnerable if = this module is not present. This vulnerability is not dependent on = presence or absence of that module. Planning: ------------- This advisory will be updated when new information, a patch or a new = release is available. A patch or new apache release for Apache 2.0 and = 2.2 is expected in the next 48 hours. Note that, while popular, Apache = 1.3 is deprecated.