
T-710: Apache HTTP Server Overlapping Ranges Denial of Service Vulnerability

September 6, 2011 - 3:09am


PROBLEM:

Apache HTTP Server contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.

PLATFORM:

Apache HTTP Server versions 2.2.19 and prior

ABSTRACT:

Apache HTTP Server Overlapping Ranges Denial of Service Vulnerability.

REFERENCE LINKS:

FreeBSD VuXML Document
Advisory ID: cisco-sa-20110830-apache
IBM Alert: swg21512087
Red Hat Advisory: RHSA-2011:1245-1
CVE-2011-3192
CVE-2011-3192 (Update2)

IMPACT ASSESSMENT:

High

Discussion:

The vulnerability is due to improper processing of certain user-supplied requests by the affected software. An unauthenticated, remote attacker could exploit it by sending crafted requests to the system; processing those requests causes the server to consume excessive memory, resulting in a DoS condition.
To exploit this vulnerability, the attacker only needs to be able to send HTTP requests to the server; no credentials are required. Depending on the network configuration, the attacker may need access to trusted, internal networks, and where that is the case the access requirement decreases the likelihood of a successful exploit. A server exposed to the Internet can be attacked by any client.

Impact:

An unauthenticated, remote attacker could exploit this vulnerability to make the affected software consume excessive memory and terminate unexpectedly, resulting in a DoS condition.
The vulnerability is due to improper handling of the Range header (and the legacy Request-Range header), in combination with a gzip Accept-Encoding header, while processing user-supplied requests. Range requests exist for bandwidth optimization: a client may request only the parts of a resource it is interested in rather than the complete resource, and the server answers with a multipart response that carries each requested part.
An unauthenticated, remote attacker could exploit this vulnerability by sending requests whose Range header lists a large number of overlapping or repeated ranges. The affected server materializes each requested range as a separate copy in memory before responding, and compresses each copy separately when the request asks for gzip encoding, so a single request that covers the same bytes many times over drives memory consumption far beyond the size of the resource. A successful exploit could exhaust the server's memory and terminate the affected software unexpectedly, resulting in a DoS condition.

Solution:

Administrators are advised to upgrade to Apache HTTP Server 2.2.20 or later, which addresses this vulnerability (release linked below). Where an immediate upgrade is not possible, administrators may consider filtering requests that contain abusive HTTP Range: or Request-Range: header values, for example a header that lists an excessive number of ranges or ranges that overlap; the legacy Request-Range: header is not used by modern clients and can be dropped outright. Administrators are advised to monitor affected systems, may consider using IP-based access control lists (ACLs) to allow only trusted systems to reach the affected servers, and are advised to contact the vendor regarding future updates and releases.
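As an added example (not code from this page, from Cisco, or from the Apache HTTP Server project), the following Python script implements the two header properties the Solution above tells administrators to filter on, and exercises them against the overlapping-range request pattern described under Impact: a Range or Request-Range header carrying an excessive number of byte-range-specs, and byte ranges that overlap one another. The MAX_RANGES threshold of 5, the 10000-byte resource length and the sample requests are assumptions chosen for illustration; the function names are this example's own.

```python
"""Range header triage for the CVE-2011-3192 mitigations described above.

Added example, not code from this page or from the Apache HTTP Server
project. MAX_RANGES, the sample requests and the resource length are
assumptions chosen for illustration.
"""
from typing import Dict, List, Optional, Tuple

MAX_RANGES = 5  # assumed threshold: legitimate clients send one or a few ranges

# (first, last) as sent by the client; None marks an open end ("500-" or "-500")
RangeSpec = Tuple[Optional[int], Optional[int]]


def parse_byte_ranges(header_value: str) -> List[RangeSpec]:
    """Split a 'bytes=...' ranges-specifier (RFC 2616 section 14.35) into specs.

    Accepts 'first-last', 'first-' and '-suffix'. Anything else raises
    ValueError so that the caller treats the request as abusive.
    """
    value = header_value.strip()
    if not value.lower().startswith("bytes="):
        raise ValueError("not a byte-range set")
    specs: List[RangeSpec] = []
    for raw in value[len("bytes="):].split(","):
        raw = raw.strip()
        if raw.count("-") != 1:
            raise ValueError(f"malformed byte-range-spec {raw!r}")
        first_s, last_s = raw.split("-")
        if not (first_s or last_s) or not (first_s + last_s).isdigit():
            raise ValueError(f"malformed byte-range-spec {raw!r}")
        specs.append((int(first_s) if first_s else None,
                      int(last_s) if last_s else None))
    return specs


def resolve(spec: RangeSpec, length: int) -> Tuple[int, int]:
    """Turn a spec into the concrete closed interval the server would serve."""
    first, last = spec
    if first is None:                       # suffix range: the last N bytes
        first, last = max(0, length - last), length - 1
    elif last is None or last >= length:    # open-ended or clipped at EOF
        last = length - 1
    if first > last:
        raise ValueError(f"unsatisfiable or inverted range {spec}")
    return first, last


def overlapping(intervals: List[Tuple[int, int]]) -> bool:
    """True if any two closed intervals share at least one byte."""
    ordered = sorted(intervals)
    return any(b[0] <= a[1] for a, b in zip(ordered, ordered[1:]))


def range_header_verdict(header_value: str, length: int) -> Optional[str]:
    """Return a rejection reason, or None if the header looks legitimate."""
    try:
        specs = parse_byte_ranges(header_value)
        intervals = [resolve(s, length) for s in specs]
    except ValueError as exc:
        return f"malformed: {exc}"
    if len(specs) > MAX_RANGES:
        return f"too many ranges ({len(specs)} > {MAX_RANGES})"
    if overlapping(intervals):
        return "overlapping ranges"
    return None


def triage_request(headers: Dict[str, str], length: int = 10000) -> Optional[str]:
    """Check both the Range and the legacy Request-Range header of one request."""
    for name in ("Range", "Request-Range"):
        value = headers.get(name)
        if value is not None:
            reason = range_header_verdict(value, length)
            if reason:
                return f"{name}: {reason}"
    return None


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "resume":  {"Range": "bytes=5000-"},                  # normal download resume
    "two":     {"Range": "bytes=0-99,200-299"},           # disjoint multipart
    "overlap": {"Range": "bytes=0-,1-,2-,3-"},            # each range covers the rest
    "many":    {"Range": "bytes=0-0,1-1,2-2,3-3,4-4,5-5"},
    "legacy":  {"Request-Range": "bytes=0-,0-,0-"},
    "junk":    {"Range": "bytes=abc"},
}

if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        print(f"{label:8s} -> {triage_request(headers) or 'allow'}")
```

The count check runs before the overlap check because it is the cheaper of the two and is the one a front-end filter can apply without knowing the resource length; the overlap check needs the resolved intervals, which is why a content length is passed in. Anything the parser cannot read is rejected rather than passed through, since the vulnerable code path is only reached by a Range header the server accepts.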
Apache HTTP Server 2.2.20 Released
FreeBSD Ports Collection Index
