BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to the Zeroday Tracker: Your Vulnerability Watchlist

Get critical updates on the latest zeroday threats, including impact, mitigation and protection information - only from BeyondTrust.

Apache httpd Remote Denial of Service (Memory Exhaustion)

Disclosed August 19, 2011    Fully Patched

Vulnerability Description:

Apache contains a vulnerability within httpd when handling HTTP range requests. Successful exploitation could allow an attacker to create a denial of service condition on a server running Apache.

Vendors:

Apache Software Foundation

Vulnerable Software/Devices:

Apache 1.3.x and 2.x

Vulnerability Severity:

High

Exploit Availability:

N/A

Exploit Impact:

Denial of Service
Denial of Service Condition This vulnerability could allow an attacker to cause a denial of service condition against a target, rendering the software or the entire machine inoperable.

BeyondTrust Prevention and Detection:

 

Mitigation:

Use SetEnvIf or mod_rewrite to detect a large number of ranges and then
either ignore the Range: header or reject the request.
 
Option 1: (Apache 2.2)
    # Drop the Range header when more than 5 ranges.    # CVE-2011-3192    SetEnvIf Range (?:,.*?){5,5} bad-range=1    RequestHeader unset Range env=bad-range      # We always drop Request-Range; as this is a legacy    # dating back to MSIE3 and Netscape 2 and 3.    RequestHeader unset Request-Range
    # optional logging.    CustomLog logs/range-CVE-2011-3192.log common env=bad-range    CustomLog logs/range-CVE-2011-3192.log common env=bad-req-range
Above may not work for all configurations. In particular situations
mod_cache and (language) modules may act before the 'unset'
is executed upon during the 'fixup' phase.
 
Option 2: (Pre 2.2 and 1.3)
    # Reject request when more than 5 ranges in the Range: header.    # CVE-2011-3192    #    RewriteEngine on    RewriteCond %{HTTP:range} !(bytes=[^,]+(,[^,]+){0,4}$|^$)    # RewriteCond %{HTTP:request-range} !(bytes=[^,]+(?:,[^,]+){0,4}$|^$)    RewriteRule .* - [F]      # We always drop Request-Range; as this is a legacy    # dating back to MSIE3 and Netscape 2 and 3.    RequestHeader unset Request-Range
The number 5 is arbitrary. Several 10's should not be an issue and may be
required for sites which for example serve PDFs to very high end eReaders
or use things such complex http based video streaming.

See this mail post for more information.

Links:

CVE(s):

None

Leave a Reply