Recently, sample code was posted publicly that exploits a denial of service vulnerability in the Apache HTTP Server. This particular vulnerability is receiving considerable industry attention given the popularity of Apache httpd and amid reports that exploitation has been seen in the wild. The vulnerability has been assigned CVE ID CVE-2011-3192 and currently carries CVSS base and temporal scores of 7.8 and 6.3 respectively.
By combining an inefficiency in how the web server assembles multipart byte-range responses with a peculiarity of the HTTP protocol (a single request may ask for any number of byte ranges, and nothing requires those ranges to be disjoint), an attacker can consume substantial server CPU and, above all, memory by issuing requests whose Range or Request-Range header contains many overlapping ranges. Each request is small and requires no authentication, yet the server does a disproportionate amount of work to answer it. Successful exploitation consumes server resources to the point of starving those needed to field legitimate requests from other users.
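To make the mechanism concrete, here is a small detector for the abusive request shape described above. It is an added example written for this post, not code from Cisco, from the Apache project or from the publicly posted tool: it parses the HTTP/1.1 "bytes=" range grammar, counts the ranges, and flags headers that carry too many ranges, ranges that cover the same bytes, or inverted ranges (first-byte-pos greater than last-byte-pos, which a conforming client never sends). The `MAX_RANGES` limit of five follows the interim mitigation in the Apache advisory, which strips or rejects Range headers carrying more than five ranges; the sample requests and the function names are constructed for illustration.

```python
"""Flag CVE-2011-3192-style Range / Request-Range header abuse.

Added example (not from the Cisco post, the Apache project or the exploit
tool). Parses an HTTP/1.1 byte-range-set and reports headers that carry
too many ranges, inverted ranges, or ranges that overlap.
"""
import re

# Assumed threshold: the Apache advisory's interim mitigation dropped
# Range headers carrying more than five ranges.
MAX_RANGES = 5

_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")


def parse_byte_ranges(value):
    """Parse a 'bytes=' Range value into (first, last) tuples.

    'a-b' -> (a, b); 'a-' -> (a, None); '-n' -> (None, n).
    Raises ValueError for a non-byte unit or a spec with no digits at all.
    A spec with first > last is kept so check_range_header can flag it.
    """
    if not value.lower().startswith("bytes="):
        raise ValueError("unsupported range unit in %r" % value)
    out = []
    for spec in value[len("bytes="):].split(","):
        m = _SPEC.match(spec)
        if not m or not (m.group(1) or m.group(2)):
            raise ValueError("malformed byte-range-spec %r" % spec)
        first = int(m.group(1)) if m.group(1) else None
        last = int(m.group(2)) if m.group(2) else None
        out.append((first, last))
    return out


def overlapping(ranges, content_length):
    """True if two ranges address a common byte of a content_length body."""
    spans = []
    for first, last in ranges:
        if first is None:                      # suffix range: last N bytes
            lo, hi = max(content_length - last, 0), content_length - 1
        else:
            lo = first
            hi = content_length - 1 if last is None else min(last, content_length - 1)
        if lo <= hi:                           # unsatisfiable spans cover nothing
            spans.append((lo, hi))
    spans.sort()
    return any(cur[0] <= prev[1] for prev, cur in zip(spans, spans[1:]))


def check_range_header(value, content_length=1 << 20):
    """Return None for a benign header, otherwise a short reason string.

    The checks mirror what the vulnerability needs: many ranges, and ranges
    that make the server assemble the same bytes repeatedly.
    """
    try:
        ranges = parse_byte_ranges(value)
    except ValueError as exc:
        return "malformed: %s" % exc
    if len(ranges) > MAX_RANGES:
        return "too many ranges (%d > %d)" % (len(ranges), MAX_RANGES)
    if any(f is not None and l is not None and f > l for f, l in ranges):
        return "inverted range (first > last)"
    if overlapping(ranges, content_length):
        return "overlapping ranges"
    return None


def scan_request(raw):
    """Check every Range / Request-Range header in one raw HTTP request."""
    findings = []
    for line in raw.split("\r\n")[1:]:         # skip the request line
        if not line:                           # blank line ends the headers
            break
        name, _, val = line.partition(":")
        if name.strip().lower() in ("range", "request-range"):
            reason = check_range_header(val.strip())
            if reason:
                findings.append((name.strip(), reason))
    return findings


# Constructed sample requests (not captured traffic). ATTACK mimics the
# "one open range followed by hundreds of overlapping ranges" shape.
BENIGN = "GET /big.iso HTTP/1.1\r\nHost: example.test\r\nRange: bytes=0-1023\r\n\r\n"
ATTACK = ("HEAD / HTTP/1.1\r\nHost: example.test\r\n"
          "Range: bytes=0-," + ",".join("5-%d" % i for i in range(1300)) + "\r\n"
          "Request-Range: bytes=0-,5-0,5-1\r\n\r\n")

if __name__ == "__main__":
    print(scan_request(BENIGN))   # []
    print(scan_request(ATTACK))   # too many ranges, and an inverted Request-Range
```

The same three checks are what a network or host-based control has to apply: the count check is cheap and catches the posted tool outright, while the overlap and inversion checks catch a smaller, smarter request that stays under the count limit. Note that Request-Range is inspected too; it is a legacy header that Apache honoured in the same code path, so a filter that only looks at Range leaves the door open.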
The Apache HTTP Server team has published an advisory for the vulnerability that contains background information and possible mitigations to be used until fixed software is made available. I expect Apache will announce fixed software availability as they typically do on their Security Vulnerabilities Page. The implementation of mitigations and the evaluation of fixed software should be prioritized using an organization’s existing operational procedures. The natural tendency is to overreact when exploitation is possible and fixed software is not yet available. Instead, organizations should focus operationally and invest their effort in understanding their current situation (which exposed systems run the affected software, and what Range-related traffic they normally see) and comparing it to established baselines.
While our Product Security Incident Response Team is evaluating the impact to our products, I wanted to share pointers to and captions from a few resources that Cisco Security Intelligence Operations has produced over the last week:
- Cisco IntelliShield Security Activity Bulletin 23983
HTTPKiller: Apache HTTP Server Denial of Service Tool
“A publicly available exploit tool that exploits a vulnerability in Apache HTTP Server could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected system. Apache has reported that active use of this tool has been observed.”
- Cisco IntelliShield Vulnerability Alert 24004
Apache HTTP Server Overlapping Ranges Denial of Service Vulnerability
“The vulnerability is due to improper processing of certain user-supplied requests by the affected software. An unauthenticated, remote attacker could exploit this vulnerability by sending crafted requests to the system. Processing such requests could cause the application to consume excessive memory, resulting in a DoS condition on the system.”
- Cisco IPS Signature 38846/0 added in Signature Pack S591
Apache Range Remote Denial of Service
“This signature detects an attempt to exploit CVE-2011-3192, a remote denial of service vulnerability discovered by Kingcope in the Apache web server.”
- Added 8/30/2011: Cisco Security Advisory cisco-sa-20110830-apache
Apache HTTPd Range Header Denial of Service Vulnerability
The Apache HTTPd server contains a denial of service vulnerability when it handles multiple, overlapping ranges. Multiple Cisco products may be affected by this vulnerability.
- Added 8/30/2011: Cisco Applied Mitigation Bulletin
Identifying and Mitigating Exploitation of the Apache HTTPd Range Header Denial of Service Vulnerability
Effective exploit prevention can be provided by the Cisco ASA 5500 Series Adaptive Security Appliance and the Firewall Services Module (FWSM) for Cisco Catalyst 6500 Series switches and Cisco 7600 Series routers using application layer protocol inspection.
The situation for this particular vulnerability is still developing, and as such, I will add pointers to Cisco-created documentation to this post going forward. I hope you find this information helpful, and as always, we are interested in hearing your feedback. Let us know!