corporatesoc

Vulnerability detected on Aserv-HTTP Server Prone To Slow Denial Of Service Attack

Discussion created by corporatesoc on Sep 24, 2012
Latest reply on Sep 26, 2012 by Alejandro Negron

We got the following new vulnerability detected while running our regular vulnerability assessment for the RSA Envision A-Serv:-

We have the following queries:-

1) Does RSA Envision use any of these?

HTTP servers that use the asynchronous I/O technique are not vulnerable to this attack. Some of those servers are: lighttpd, nginx, Apache's experimental event MPM, IIS 6, IIS 7, Cherokee, etc.

2) Is there any method to close this vulnerability, with steps?

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

HTTP Server Prone To Slow Denial Of Service Attack (Severity: 5.0 Medium)

Description:

A denial of service vulnerability is present in some HTTP servers.


Recommendation:

There are no patches available from the vendor at the moment of writing this document (10/16/11).

A workaround to this, although not a final solution, is to decrease the Timeout setting for Apache to 10 seconds or less, instead of the default 5 minutes. Particular considerations have to be taken into account depending on each organization and the type of clients expected to connect to their web servers.

For example, the timeout and minimum data rate for receiving requests can be set by enabling the Apache module "mod_reqtimeout": http://httpd.apache.org/docs/2.3/mod/mod_reqtimeout.html

HTTP servers that use the asynchronous I/O technique are not vulnerable to this attack. Some of those servers are: lighttpd, nginx, Apache's experimental event MPM, IIS 6, IIS 7, Cherokee, etc.

Observation:

Apache HTTP Server is a widely used Web server. Apache (and other Web servers) bind each connection to a different process or thread.

A denial of service vulnerability is present in some HTTP servers. The DoS occurs because the server allows incomplete connections to stay open for an unnecessary period of time. Processes are a limited resource, and thus the server cannot have infinite connections but instead a limited number of clients connected at the same time. The attacker will create multiple slow incomplete connection requests to the server, causing it to reach the connection limit and making the server stop responding to other legitimate requests.

Common Vulnerabilities & Exposures (CVE) Link:

CVE-2009-5111 CVE-2007-6750

IAVA Reference Number

IAVA-REF-NUMBER-NOMATCH

Affected System(s):

System: AServ.com
Criticality: None
Operating System: Windows Server 2003
Port: http(8080)/tcp

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
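The mitigation the scanner recommendation describes (a short Timeout plus mod_reqtimeout), as an added example that is not part of the original post and is not RSA's or Apache's own code: a POSIX shell audit that reads an httpd.conf, reports the effective Timeout against the 10-second threshold the recommendation gives, and checks whether mod_reqtimeout is loaded with a RequestReadTimeout line. The two config files, their contents and the temp paths are constructed for the demonstration; the RequestReadTimeout values are the sample values from the Apache documentation and are assumptions, not a recommendation for any particular deployment.

```shell
#!/bin/sh
# Added example (not from the original post, RSA or Apache): audit an Apache
# httpd.conf for the two mitigations named in the scanner recommendation.
# Everything below (files, contents, thresholds) is constructed for the demo.

# Constructed "weak" config: default-style 300 s Timeout, no mod_reqtimeout.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
Listen 8080
Timeout 300
KeepAlive On
EOF

# Constructed "hardened" config: Timeout 10 s plus mod_reqtimeout limits.
# The RequestReadTimeout values mirror the Apache documentation example and
# are assumed sample values only.
HARD_CONF=$(mktemp)
cat > "$HARD_CONF" <<'EOF'
Listen 8080
Timeout 10
KeepAlive On
LoadModule reqtimeout_module modules/mod_reqtimeout.so
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
EOF
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT

# Print the effective Timeout in seconds. Directives are case-insensitive and
# the last one wins, as in httpd; when absent, httpd's default of 300 applies.
apache_timeout() {
    t=$(grep -Ei '^[[:space:]]*Timeout[[:space:]]+[0-9]+' "$1" | tail -n 1 | awk '{print $2}')
    echo "${t:-300}"
}

# Succeed when Timeout is at or below the threshold (second arg, default 10 s).
timeout_ok() {
    [ "$(apache_timeout "$1")" -le "${2:-10}" ]
}

# Succeed when mod_reqtimeout is loaded AND a RequestReadTimeout is configured;
# loading the module without the directive leaves httpd's defaults in place.
reqtimeout_configured() {
    grep -Eqi '^[[:space:]]*LoadModule[[:space:]]+reqtimeout_module' "$1" &&
    grep -Eqi '^[[:space:]]*RequestReadTimeout[[:space:]]' "$1"
}

# Print a PASS/FAIL line for each check on one config file.
audit_conf() {
    f=$1
    echo "== $f"
    if timeout_ok "$f"; then
        echo "PASS Timeout $(apache_timeout "$f")s"
    else
        echo "FAIL Timeout $(apache_timeout "$f")s (want <= 10)"
    fi
    if reqtimeout_configured "$f"; then
        echo "PASS mod_reqtimeout loaded with RequestReadTimeout"
    else
        echo "FAIL mod_reqtimeout not loaded or RequestReadTimeout missing"
    fi
}

audit_conf "$WEAK_CONF"
audit_conf "$HARD_CONF"
```

The audit only reads the single file it is given; a real httpd.conf pulls in further files through Include, so run it against each included file (or against `httpd -t -D DUMP_MODULES` output for the module check) before trusting a PASS.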
