The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Apache httpd: denial of service via Range or Request-Range

Synthesis of the vulnerability

An attacker can send several parallel requests carrying Range or Request-Range headers in order to progressively exhaust the available memory.
Vulnerable products: Apache httpd, CheckPoint Endpoint Security, IPSO, CheckPoint Security Gateway, CiscoWorks, Nexus by Cisco, NX-OS, Debian, BIG-IP Hardware, TMOS, Fedora, OpenView, OpenView NNM, HP-UX, Junos Space, Junos Space Network Management Platform, Mandriva Linux, ePO, OpenSolaris, openSUSE, Oracle AS, Oracle Fusion Middleware, Solaris, RHEL, Slackware, SLES.
Severity of this weakness: 2/4.
Creation date: 24/08/2011.
Revisions dates: 24/08/2011, 26/08/2011, 14/09/2011.
References of this bulletin: BID-49303, c02997184, c03011498, c03025215, CERTA-2011-AVI-493, cisco-sa-20110830-apache, CVE-2011-3192, DSA-2298-1, DSA-2298-2, FEDORA-2011-12715, HPSBMU02704, HPSBUX02702, HPSBUX02707, KB73310, MDVSA-2011:130, MDVSA-2011:130-1, openSUSE-SU-2011, openSUSE-SU-2011:0993-1, PSN-2013-02-846, RHSA-2011:1245-01, RHSA-2011:1294-01, RHSA-2011:1300-01, RHSA-2011:1329-01, RHSA-2011:1330-01, RHSA-2011:1369-01, sk65222, SSA:2011-252-01, SSRT100606, SSRT100619, SSRT100626, SUSE-SU-2011:1000-1, SUSE-SU-2011:1007-1, SUSE-SU-2011:1010-1, SUSE-SU-2011:1215-1, SUSE-SU-2011:1216-1, VIGILANCE-VUL-10944, VU#405811.

Description of the vulnerability

The Range header defined in the HTTP protocol indicates the byte ranges that the server should return. For example, to obtain bytes 10 to 30 and 50 to 60:
  Range: bytes=10-30,50-60
The Request-Range header is the obsolete name of Range.

Apache httpd handles the following objects:
 - bucket: an abstract storage area (memory, file, etc.)
 - brigade: a linked list of buckets

When Apache httpd receives a request containing the Range header, it stores each range in a brigade. If the range list is long, this brigade therefore consumes a lot of memory.

An attacker can therefore send several parallel requests carrying Range or Request-Range headers in order to progressively exhaust the available memory.


Our Vigil@nce team rates the severity of this vulnerability alert as medium.

Trust level: confirmed by the vendor. Attack origin: internet client.

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with beginner skills can exploit this weakness.

Solutions for this threat

Apache httpd: version 2.2.21.
Version 2.2.21 is fixed:
  http://httpd.apache.org/download.cgi

Apache httpd: version 2.2.20.
Version 2.2.20 is fixed:
  http://httpd.apache.org/download.cgi

Apache HTTP Server: version 2.0.65.
Version 2.0.65 is fixed:
  http://httpd.apache.org/download.cgi#apache20

Apache httpd: workaround for Range and Request-Range.
The SetEnvIf directive (mod_setenvif) can be combined with mod_headers to drop and log the header when it lists more than five ranges:
  SetEnvIf Range (,.*?){5,} bad-range=1
  RequestHeader unset Range env=bad-range
  CustomLog logs/range-CVE-2011-3192a.log common env=bad-range
  SetEnvIf Request-Range (,.*?){5,} bad-req-range=1
  RequestHeader unset Request-Range env=bad-req-range
  CustomLog logs/range-CVE-2011-3192b.log common env=bad-req-range
Another workaround is to use mod_rewrite to forbid queries containing more than 5 ranges:
  RewriteEngine on
  RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
  RewriteRule .* - [F]
  RewriteCond %{HTTP:request-range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
  RewriteRule .* - [F]
A further workaround is to remove the Range and Request-Range headers entirely with mod_headers:
  RequestHeader unset Range
  RequestHeader unset Request-Range
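As an added check that is not code from the bulletin or from Apache httpd, the following mirrors both the description above (one bucket per range) and the two header workarounds: it counts the byte ranges in a Range or Request-Range value and reports what the SetEnvIf rule and the mod_rewrite rule would each do with the request. The header dictionary, its sample values and the function names are constructed for this example.

```python
import re

# Added example, not code from the bulletin or from Apache httpd. The two
# regular expressions are copied verbatim from the workarounds quoted above.
SETENVIF_BAD = re.compile(r"(,.*?){5,}")                   # SetEnvIf Range (,.*?){5,}
REWRITE_OK = re.compile(r"^bytes=[^,]+(,[^,]+){0,4}$|^$")   # pattern negated by the RewriteCond
HEADER_NAMES = ("range", "request-range")                   # both spellings, as in the workarounds
MAX_RANGES = 5                                              # limit enforced by both workarounds
BYTE_RANGE_SPEC = re.compile(r"^(\d+-\d*|-\d+)$")           # first-last, first- or -suffix


def count_ranges(value):
    """Number of byte-range-specs in a Range value: 0 if absent, -1 if malformed."""
    if value is None or value.strip() == "":
        return 0
    m = re.match(r"^bytes=(.*)$", value.strip())
    if not m:
        return -1
    specs = [s.strip() for s in m.group(1).split(",")]
    if not all(BYTE_RANGE_SPEC.match(s) for s in specs):
        return -1
    return len(specs)


def setenvif_strips(value):
    """True when 'SetEnvIf Range (,.*?){5,}' would set bad-range and the header be unset."""
    return value is not None and SETENVIF_BAD.search(value) is not None


def rewrite_forbids(value):
    """True when the negated RewriteCond fails to match, i.e. the [F] rule returns 403."""
    return REWRITE_OK.search(value or "") is None


def check_request(headers):
    """Evaluate one request's headers (names matched case-insensitively) against the
    range-count policy and report, per header, what each workaround would do."""
    lower = {k.lower(): v for k, v in headers.items()}
    report = {}
    for name in HEADER_NAMES:
        value = lower.get(name)
        n = count_ranges(value)
        report[name] = {
            "ranges": n,
            "over_limit": n > MAX_RANGES,
            "malformed": n < 0,
            "setenvif_strips": setenvif_strips(value),
            "rewrite_forbids": rewrite_forbids(value),
        }
    return report
```

Note that both Apache patterns only count commas, so a syntactically invalid single range such as `bytes=abc` passes them; `count_ranges` reports it as malformed instead.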

Apache httpd: patch for Range.
A patch is available in the information sources.
This patch limits the number of ranges to 10.

Check Point Security Gateway, Endpoint Security Server: patch for Apache httpd.
The Check Point announcement lists hotfixes and their installation procedure.

Cisco: workaround for Apache.
A workaround is given in the information source.

Debian: new apache2 packages.
New packages are available:
  apache2 2.2.9-10+lenny11
  apache2 2.2.16-6+squeeze3

F5 BIG-IP TMOS: version 10.2.3.
Version 10.2.3 is fixed:
  http://support.f5.com/

F5 BIG-IP TMOS: version 11.1.0.
Version 11.1.0 is fixed:
  http://support.f5.com/

Fedora 15: new httpd packages.
New packages are available:
  httpd-2.2.21-1.fc15

HP OpenView NNM: Apache version 2.2.21.
Apache version 2.2.21 is fixed:
  ftp.usa.hp.com
  user: sb02704
  password: Secure12

HP-UX: Apache version 2.2.15.08.01.
The following version is fixed:
HP-UX Web Server Suite (WSS) v3.19 containing Apache v2.2.15.09
  https://h20392.www2.hp.com/portal/swdepot/try.do?productNumber=HPUXWSATW319
  B.11.23 & B.11.31 (32-bit): HPUXWS22ATW-B319-32.depot
  B.11.23 & B.11.31 (64-bit): HPUXWS22ATW-B319-64.depot

HP-UX: Apache Web Server fixed versions.
The following versions are fixed:
HP-UX Web Server Suite (WSS) v3.19 containing Apache v2.2.15.09
  https://h20392.www2.hp.com/portal/swdepot/try.do?productNumber=HPUXWSATW319
  B.11.23 & B.11.31 (32-bit): HPUXWS22ATW-B319-32.depot
  B.11.23 & B.11.31 (64-bit): HPUXWS22ATW-B319-64.depot
HP-UX Web Server Suite (WSS) v2.34 containing Apache v2.0.64.02
  https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXWSATW234
  B.11.11: HPUXWSATW-B234-1111.depot

Junos Space: patch for Apache.
Patch 12.1P2.1 is available:
  http://www.juniper.net/support/downloads/?p=space#sw

Mandriva: new apache packages.
New packages are available:
  apache-2.2.9-12.12mdv2009.0
  apache-2.2.15-3.3mdv2010.2
  apache-2.2.21-0.1-mdv2011.0
  apache-2.2.3-1.13.20060mlcs4
  apache-2.2.9-12.12mdvmes5.2

McAfee ePolicy Orchestrator: Hotfix 701318.
Hotfix 701318 is available:
  https://mysupport.mcafee.com/

openSUSE: new apache2 packages.
New packages are available:
  openSUSE 11.3: apache2-2.2.15-4.7.1
  openSUSE 11.4: apache2-2.2.17-4.9.1

Oracle AS, Fusion: patch for Apache httpd.
A patch is available:
  http://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1357871.1

Red Hat Application Stack: new httpd packages.
New packages are available:
  httpd-2.2.13-3.el5s2

RHEL: new httpd packages.
New packages are available:
  httpd-2.0.52-48.ent
  httpd-2.2.3-53.el5_7.1
  httpd-2.2.15-9.el6_1.2

RHEL: new JBoss Enterprise Web Server packages.
New packages are available, as indicated in information sources.

Slackware: new httpd packages.
New packages are available:
ftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/httpd-2.2.20-i486-1_slack12.0.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/httpd-2.2.20-i486-1_slack12.1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/httpd-2.2.20-i486-1_slack12.2.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/httpd-2.2.20-i486-1_slack13.0.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/httpd-2.2.20-x86_64-1_slack13.0.txz
ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/httpd-2.2.20-i486-1_slack13.1.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/httpd-2.2.20-x86_64-1_slack13.1.txz
ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/httpd-2.2.20-i486-1_slack13.37.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/httpd-2.2.20-x86_64-1_slack13.37.txz

Solaris: patch for Apache HTTP Server.
A patch is available:
Solaris 10:
  SPARC: 120543-24
  X86: 120544-24
Solaris 11 Express:
  snv_151a + 7083183

SUSE LE 10: new apache2 packages.
New packages are available:
  SUSE LE 10 SP2: apache2-2.2.3-16.25.40
  SUSE LE 10 SP3: apache2-2.2.3-16.32.35.1
  SUSE LE 10 SP4: apache2-2.2.3-16.36.1

SUSE LE 11: new apache2 packages.
New packages are available:
  apache2-2.2.12-1.18.1
