[osdcmy] Urgent : Apache Server Need To Be Patch - CVE-2011-3192 - DDoS Exploit

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

[osdcmy] Urgent : Apache Server Need To Be Patch - CVE-2011-3192 - DDoS Exploit

Harisfazillah Jamel-2

Apache web server need to be update. Major Linux distros already push
the update. The exploit can be use to DDoS your apache web server
without  the need of many computers or zombies army.

For any setup not yet do the patching, please follow the mitigation
process from the link below.


---- extract from mitigation section ----


However there are several immediate options to mitigate this issue until
a full fix is available:

1) Use SetEnvIf or mod_rewrite to detect a large number of ranges and then
   either ignore the Range: header or reject the request.

   Option 1: (Apache 2.0 and 2.2)

          # Drop the Range header when more than 5 ranges.
          # CVE-2011-3192
          SetEnvIf Range (,.*?){5,} bad-range=1
          RequestHeader unset Range env=bad-range

          # optional logging.
          CustomLog logs/range-CVE-2011-3192.log common env=bad-range

   Option 2: (Also for Apache 1.3)

          # Reject request when more than 5 ranges in the Range: header.
          # CVE-2011-3192
          RewriteEngine on
          RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
          RewriteRule .* - [F]

   The number 5 is arbitrary. Several 10's should not be an issue and may be
   required for sites which for example serve PDFs to very high end eReaders
   or use things such complex http based video streaming.

--------- Detail of the bug ------

Title:    Range header DoS vulnerability Apache HTTPD 1.3/2.x

CVE:      CVE-2011-3192:
Date:     20110824 1600Z
Product:  Apache HTTPD Web Server
Versions: Apache 1.3 all versions, Apache 2 all versions


The byterange filter in the Apache HTTP Server 1.3.x, 2.0.x through
2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a
denial of service (memory and CPU consumption) via a Range header that
expresses multiple overlapping ranges, as exploited in the wild in
August 2011, a different vulnerability than CVE-2007-0086.

The exploit


Jumpa kumpulan pakar untuk membincangkannya. Jemputan Hari Keselamatan
ICT - OWASP Day Malaysia 2011


To unsubscribe from and detail about this group http://portal.mosc.my/osdc-my-mailing-list-information

OSDC.my Discussion Group In Facebook

Malaysia Open Source Conference 2012
MOSC2012 http://portal.mosc.my/