From: Eric Covener
To: dev@httpd.apache.org
Date: Wed, 24 Aug 2011 10:59:38 -0400
Subject: Re: VOTES please -- CVE-2011-3192: Range header DoS vulnerability in Apache 1.3 and Apache 2 (Final-6)

see inline updates

On Wed, Aug 24, 2011 at 10:56 AM, Dirk-Willem van Gulik wrote:
> Various suggested on-list and off-list fixes applied. Thanks all.
>
> A few more +1's would be nice :)
>
> Dw.
>
>
> Title:    CVE-2011-3192: Range header DoS vulnerability Apache HTTPD 1.3/2.x
>           Apache HTTPD Security ADVISORY
>
> Date:     20110824 1600Z
> Product:  Apache HTTPD Web Server
> Versions: Apache 1.3 all versions, Apache 2 all versions
>
> Description:
> ------------
>
> A denial of service vulnerability has been found in the way the multiple overlapping ranges are handled by the Apache HTTPD server:
>
>     http://seclists.org/fulldisclosure/2011/Aug/175
>
> An attack tool is circulating in the wild. Active use of this tool has been observed.
>
> The attack can be done remotely and with a modest number of requests can cause very significant memory and CPU usage on the server.
>
> The default Apache HTTPD installation is vulnerable.
>
> There is currently no patch/new version of Apache HTTPD which fixes this vulnerability. This advisory will be updated when a long term fix is available.
>
> A full fix is expected in the next 48 hours.
>
> Mitigation:
> ------------
>
> However there are several immediate options to mitigate this issue until that time.
>
> 1) Use mod_rewrite to limit the number of ranges:

^ clarify due to directive addition

>
>   Option 1:
>          # drop Range header when more than 5 ranges.
>          # CVE-2011-3192
>          SetEnvIf Range (,.*?){5,} bad-range=1
>          RequestHeader unset Range env=bad-range
>
>          # optional logging.
>          CustomLog logs/range-CVE-2011-3192.log common env=bad-range
>
>   Option 2:
>          # Reject request when more than 5 ranges in the Range: header.
>          # CVE-2011-3192. Must be added to each VirtualHost and once
>          # in the base configuration.
+RewriteEngine on
>          RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
>          RewriteRule .* - [F]
>
>   The number 5 is arbitrary. Several 10's should not be an issue and may be
>   required for sites which for example serve PDFs to very high end eReaders
>   or use things such as complex http based video streaming.
>
> 2) Limit the size of the request field to a few hundred bytes. Note that while this
>   keeps the offending Range header short - it may break other headers; such as
>   sizeable cookies or security fields.
>
>          LimitRequestFieldSize 200
>
>   Note that as the attack evolves in the field you are likely to have
>   to further limit this and/or impose other LimitRequestFields limits.
>
>   See: http://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfieldsize
>
> 3) Use mod_headers to completely dis-allow the use of Range headers:
>
>          RequestHeader unset Range
>
>   Note that this may break certain clients - such as those used for
>   e-Readers and progressive/http-streaming video.
>
> 4) Deploy a Range header count module as a temporary stopgap measure:
>
>     http://people.apache.org/~dirkx/mod_rangecnt.c
>
>   Precompiled binaries for some platforms are available at:
>
>        http://people.apache.org/~dirkx/BINARIES.txt
>
> 5) Apply any of the current patches under discussion - such as:
>
>   http://mail-archives.apache.org/mod_mbox/httpd-dev/201108.mbox/%3cCAAPSnn2PO-d-C4nQt_TES2RRWiZr7urefhTKPWBC1b+K1Dqc7g@mail.gmail.com%3e
>
> Actions:
> -----------
> Apache HTTPD users who are concerned about a DoS attack against their server should consider implementing any of the above mitigations immediately.
>
> When using a third party attack tool to verify vulnerability - know that most of the versions in the wild currently check for the presence of mod_deflate; and will (mis)report that your server is not vulnerable if this module is not present. This vulnerability is not dependent on presence or absence of that module.
>
> Planning:
> -------------
> This advisory will be updated when new information, a patch or a new release is available. A patch or new apache release for Apache 2.0 and 2.2 is expected in the next 48 hours. Note that, while popular, Apache 1.3 is deprecated.
>

-- 
Eric Covener
covener@gmail.com
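As an added check (not part of the advisory and not Apache's own code), the following Python models the two regexes from Option 1 and Option 2 of the quoted mitigation against constructed Range header values, so an administrator can confirm which values each rule drops or rejects before deploying it; the sample values are made up here, and the comparison also shows that the two options disagree on a Range unit other than "bytes".

```python
import re

# Option 1 (SetEnvIf): fires when the header value contains five or more
# commas, i.e. six or more ranges. SetEnvIf matches unanchored, so use search().
SETENVIF_BAD_RANGE = re.compile(r"(,.*?){5,}")

# Option 2 (RewriteCond, negated with "!"): the request passes only when the
# header is empty or is "bytes=" followed by one to five comma-separated specs;
# anything else reaches "RewriteRule .* - [F]" and gets 403 Forbidden.
REWRITECOND_ALLOWED = re.compile(r"^bytes=[^,]+(,[^,]+){0,4}$|^$")


def count_ranges(range_header: str) -> int:
    """Number of range specs after the unit (empty/absent header -> 0)."""
    _, _, specs = range_header.partition("=")
    return len([s for s in specs.split(",") if s.strip()])


def option1_drops_header(range_header: str) -> bool:
    """True when SetEnvIf sets bad-range and RequestHeader then unsets Range."""
    return SETENVIF_BAD_RANGE.search(range_header) is not None


def option2_rejects_request(range_header: str) -> bool:
    """True when the allow pattern does not match, so the negated cond fires [F]."""
    return REWRITECOND_ALLOWED.search(range_header) is None


def evaluate(range_header: str) -> dict:
    """Summarise how both mitigations treat one Range header value."""
    return {
        "ranges": count_ranges(range_header),
        "option1_drops": option1_drops_header(range_header),
        "option2_rejects": option2_rejects_request(range_header),
    }


# Constructed sample values (not taken from the advisory or any tool).
SAMPLES = {
    "absent": "",                                   # no Range header at all
    "single": "bytes=0-499",
    "five": "bytes=0-9,10-19,20-29,30-39,40-49",    # at the limit: passes both
    "six": "bytes=0-9,10-19,20-29,30-39,40-49,50-59",
    "thirty": "bytes=" + ",".join(f"{i * 10}-{i * 10 + 9}" for i in range(30)),
    "other_unit": "items=0-5",                      # option 2 rejects, option 1 keeps
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:11s} {evaluate(value)}")
```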