000011561 - Security scan shows a possible denial of service vulnerability

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000011561
Applies To: RSA Validation Manager 3.1
Issue

Security scan shows a possible denial of service vulnerability

CVE-2011-3192

The version of Apache HTTP Server running on the remote host is affected by a denial of service vulnerability. Making a series of HTTP requests with overlapping ranges in the Range or Request-Range request headers can result in memory and CPU exhaustion. A remote, unauthenticated attacker could exploit this to make the system unresponsive. Exploit code is publicly available and attacks have reportedly been observed in the wild.

Resolution

We used the test script provided at http://seclists.org/fulldisclosure/2011/Aug/175 to test this vulnerability. We ran it with 50 child processes; memory rose to 200 MB and did not come back down, but no Apache crash was observed in this test.

The vulnerability does not depend on the presence or absence of the module mod_deflate, as the Apache mail archive thread makes clear. RVM does not use mod_deflate.
We have tested the mitigation options provided by both IBM and Apache.

Mitigations:
=========
1) Use SetEnvIf or mod_rewrite to detect a large number of ranges and then either ignore the Range: header or reject the request.
We recommend the mod_rewrite option, which rejects the request when the Range header carries more than 'n' ranges. We tested SetEnvIf and found that it did not restrict the ranges. The limit to apply differs between the IBM and Apache guidance; any specific value can be used, but it is better to follow the Apache advice, which suggests a limit of 5.
Steps to configure:
a) In httpd.conf, add the following lines in the virtual host section:

    # Reject request when more than 5 ranges in the Range: header.
    # CVE-2011-3192
    #
    RewriteEngine on
    RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
    RewriteRule .* - [F]


b) In httpd.conf, enable the module rewrite_module so that the directives above are supported. To do this, find the line

    #LoadModule rewrite_module modules/mod_rewrite.so

and remove the leading # from it.

We have tested the above workaround. When a request's Range header exceeds the limit, Apache returns a 403 Forbidden error.
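To see exactly which requests the rule above admits and which it turns away, the following Python script (an added illustration, not part of the RSA article or of the Apache advisory) applies the same regular expression as the RewriteCond to a set of constructed Range header values, and separately parses byte ranges to flag the overlapping-range pattern the issue describes. The content length of 1000 and the sample headers are constructed for the demonstration.

```python
import re

# Same expression as the RewriteCond in the article: the header is acceptable
# when it is empty or is "bytes=" followed by at most five comma-separated
# range specs. mod_rewrite negates it with "!", so anything else is forbidden.
ALLOWED_RANGE_HEADER = re.compile(r"(^bytes=[^,]+(,[^,]+){0,4}$|^$)")


def rewrite_rule_rejects(range_header: str) -> bool:
    """True when the article's RewriteCond/RewriteRule pair would answer 403.

    An absent header reaches the rule as the empty string, which the second
    alternative (^$) accepts, so requests without a Range header are unaffected.
    """
    return ALLOWED_RANGE_HEADER.search(range_header) is None


def count_ranges(range_header: str) -> int:
    """Number of comma-separated specs after 'bytes='; 0 for any other unit."""
    if not range_header.startswith("bytes="):
        return 0
    return len([s for s in range_header[len("bytes="):].split(",") if s.strip()])


def parse_byte_ranges(range_header: str, content_length: int):
    """Resolve each spec to a (first, last) byte pair following RFC 2616 14.35,
    dropping malformed or unsatisfiable specs as a server would ignore them."""
    spans = []
    if not range_header.startswith("bytes="):
        return spans
    for spec in range_header[len("bytes="):].split(","):
        first, sep, last = spec.strip().partition("-")
        if not sep:
            continue                                  # no '-' at all: malformed
        if first.isdigit():                           # "first-last" or "first-"
            start = int(first)
            if last == "":
                end = content_length - 1
            elif last.isdigit():
                end = min(int(last), content_length - 1)
            else:
                continue
            if start > end:
                continue                              # unsatisfiable, ignored
            spans.append((start, end))
        elif first == "" and last.isdigit() and int(last) > 0:   # suffix "-N"
            spans.append((max(content_length - int(last), 0), content_length - 1))
    return spans


def has_overlapping_ranges(range_header: str, content_length: int) -> bool:
    """Detect the overlapping-range pattern the issue describes: after sorting,
    any span that starts at or before the previous span's end overlaps it."""
    spans = sorted(parse_byte_ranges(range_header, content_length))
    return any(s2 <= e1 for (_, e1), (s2, _) in zip(spans, spans[1:]))


# Constructed sample headers (not captured traffic) used for the demonstration.
SAMPLE_HEADERS = [
    "",                                         # no Range header at all
    "bytes=0-99",                               # ordinary partial download
    "bytes=0-9,10-19,20-29,30-39,40-49",        # five ranges: still allowed
    "bytes=0-9,10-19,20-29,30-39,40-49,50-59",  # six ranges: forbidden
    "bytes=0-,1-,2-,3-,4-,5-,6-,7-",            # many overlapping open ranges
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(f"{header!r:45} ranges={count_ranges(header)} "
              f"overlap={has_overlapping_ranges(header, 1000)} "
              f"403={rewrite_rule_rejects(header)}")
```

Two points worth noting when reading the output. The article's RewriteCond inspects only %{HTTP:range}; the issue text also names the Request-Range header, so if that header must be covered as well, an equivalent condition on it would be needed (this is an observation about the rule as written, not a tested configuration). Also, because the expression accepts only "bytes=" or an empty value, a Range header using any other unit is refused with 403 too, which is a side effect to be aware of rather than a defect in the mitigation.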

Notes: VALSRV-1600
Legacy Article ID: a55886
