Apache Server Denial Of Service Vulnerability (CVE-2011-3192)

A new DoS vulnerability was found in the last few days that affects many versions of the Apache web server running on Linux operating systems such as CentOS, Red Hat and SUSE. The published exploit makes DoS/DDoS attacks possible: an attacker can use this vulnerability to take down your web server if Apache does not have sufficient security measures in place. Apache's vendors have not yet made a patch for this vulnerability available. I tested this vulnerability to break an Apache server that is affected by this exploit. I have already updated our IPS's signatures to prevent this attack, but I just want to show you how this attack works and explain how to protect your web server until a full patch is released.

A section of the exploit code in Perl. (I don't want to show all of the code, which has already been published on every security bulletin since 19 Aug.)

You can follow these steps to understand the attack method and to prevent it.

We send a request header containing "bytes=0-1,0-2" using curl.

If you see a response that starts with HTTP/1.1, the web server accepts such requests and will keep forking new processes for them until its resources are exhausted (the swap area fills up).

If the web server is not vulnerable, you will get the notification shown above:
(-Host does not seem vulnerable.)

However, if the web server is vulnerable, the exploit attacks the host running the web server.

This morning I received news about this attack from our software vendors by email. They made some recommendations for preventing the DoS attack until a full fix is available. I also want to share these recommendations with you.

1) Use SetEnvIf or mod_rewrite to detect a large number of ranges and then either ignore the Range: header or reject the request.

Option 1: (Apache 2.0 and 2.2)

# Drop the Range header when more than 5 ranges.
# CVE-2011-3192
SetEnvIf Range (,.*?){5,} bad-range=1
RequestHeader unset Range env=bad-range

Option 2: (Also for Apache 1.3)

# Reject request when more than 5 ranges in the Range: header.
# CVE-2011-3192
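To see what the "more than 5 ranges" threshold in Options 1 and 2 actually classifies, here is an added Python example (not configuration from the advisory, and not the blog's own code). It applies the SetEnvIf pattern from Option 1 to constructed Range header values and simulates both policies, dropping the header or refusing the request; the 200/206/403 status codes and the sample headers are assumptions of the example.

```python
import re

# The SetEnvIf pattern from Option 1: five or more commas in the Range value,
# i.e. six or more byte ranges. Python's re handles this pattern the same way.
BAD_RANGE_RE = re.compile(r"(,.*?){5,}")

MAX_RANGES = 5  # threshold stated in both advisory options


def count_ranges(range_value: str) -> int:
    """Count the byte ranges in a value such as 'bytes=0-1,0-2'."""
    if not range_value.startswith("bytes="):
        return 0
    spec = range_value[len("bytes="):]
    return len([r for r in spec.split(",") if r.strip()])


def is_bad_range(range_value: str) -> bool:
    """Mirror the SetEnvIf test: True when more than MAX_RANGES ranges are present."""
    return BAD_RANGE_RE.search(range_value) is not None


def apply_mitigation(headers: dict, policy: str = "unset") -> tuple:
    """Simulate the advisory's two policies on one request's headers.

    policy="unset"  -> Option 1: drop the Range header, serve the full body (200).
    policy="reject" -> Option 2: refuse the request outright (403, assumed here).
    Returns (status_code, headers as the request handler would see them).
    """
    rng = headers.get("Range")
    if rng is None or not is_bad_range(rng):
        # An honoured Range header yields 206 Partial Content; otherwise 200.
        return (206 if rng else 200), dict(headers)
    if policy == "reject":
        return 403, dict(headers)
    cleaned = {k: v for k, v in headers.items() if k != "Range"}
    return 200, cleaned


# Constructed samples: a normal resume request, and a CVE-2011-3192 style request
# with many overlapping ranges (shortened; the real attack sends far more).
LEGIT = {"Host": "example.test", "Range": "bytes=0-1023"}
ATTACK = {"Host": "example.test",
          "Range": "bytes=" + ",".join(f"0-{i}" for i in range(1, 101))}

if __name__ == "__main__":
    for name, req in (("legit", LEGIT), ("attack", ATTACK)):
        print(name, count_ranges(req["Range"]), apply_mitigation(req, "unset"),
              apply_mitigation(req, "reject")[0])
```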

2) Limit the size of the request field to a few hundred bytes. Note that while this keeps the offending Range header short – it may break other headers; such as sizeable cookies or security fields.

LimitRequestFieldSize 200

Note that as the attack evolves in the field you are likely to have to further limit this and/or impose other LimitRequestFields limits.

See: http://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfieldsize

3) Use mod_headers to completely dis-allow the use of Range headers:

RequestHeader unset Range

Note that this may break certain clients – such as those used for e-Readers and progressive/http-streaming video.

4) Deploy a Range header count module as a temporary stopgap measure:
http://people.apache.org/~dirkx/mod_rangecnt.c

Precompiled binaries for some platforms are available at:
http://people.apache.org/~dirkx/BINARIES.txt

Reference:
http://www.securityfocus.com/bid/49303/info
