The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

threat CVE-2011-3192

Apache httpd: denial of service via Range or Request-Range

Synthesis of the vulnerability

An attacker can use several parallel queries using Range or Request-Range, in order to progressively use the available memory.
Severity of this weakness: 2/4.
Creation date: 24/08/2011.
Revisions dates: 24/08/2011, 26/08/2011, 14/09/2011.
References of this bulletin: BID-49303, c02997184, c03011498, c03025215, CERTA-2011-AVI-493, cisco-sa-20110830-apache, CVE-2011-3192, DSA-2298-1, DSA-2298-2, FEDORA-2011-12715, HPSBMU02704, HPSBUX02702, HPSBUX02707, KB73310, MDVSA-2011:130, MDVSA-2011:130-1, openSUSE-SU-2011, openSUSE-SU-2011:0993-1, PSN-2013-02-846, RHSA-2011:1245-01, RHSA-2011:1294-01, RHSA-2011:1300-01, RHSA-2011:1329-01, RHSA-2011:1330-01, RHSA-2011:1369-01, sk65222, SSA:2011-252-01, SSRT100606, SSRT100619, SSRT100626, SUSE-SU-2011:1000-1, SUSE-SU-2011:1007-1, SUSE-SU-2011:1010-1, SUSE-SU-2011:1215-1, SUSE-SU-2011:1216-1, VIGILANCE-VUL-10944, VU#405811.

Description of the vulnerability

The Range header defined in the HTTP protocol indicates the byte ranges of a resource that the server should return. For example, to obtain bytes 10 to 30 and 50 to 60:
  Range: bytes=10-30,50-60
The Request-Range header is the obsolete name of Range.

Apache processes the following objects:
 - bucket: an abstract storage area (memory, file, etc.).
 - brigade: a linked list of buckets.

When Apache httpd receives a request containing the Range header, it stores each range in a brigade. If the range list is long, this brigade consumes a large amount of memory.

An attacker can therefore use several parallel queries using Range or Request-Range, in order to progressively use the available memory.

This computer threat impacts software or systems such as Apache httpd, CheckPoint Endpoint Security, IPSO, CheckPoint Security Gateway, CiscoWorks, Nexus by Cisco, NX-OS, Debian, BIG-IP Hardware, TMOS, Fedora, OpenView, OpenView NNM, HP-UX, Junos Space, Junos Space Network Management Platform, Mandriva Linux, ePO, OpenSolaris, openSUSE, Oracle AS, Oracle Fusion Middleware, Solaris, RHEL, Slackware, SLES.

Our Vigil@nce team determined that the severity of this computer vulnerability alert is medium.

The trust level is "confirmed by the editor", and the attack origin is "internet client".

A proof of concept or an attack tool is available, so this alert must be processed by your teams. An attacker with beginner-level skills can exploit this weakness.

Solutions for this threat

Apache httpd: version 2.2.21.
The version 2.2.21 is corrected:
  http://httpd.apache.org/download.cgi

Apache httpd: version 2.2.20.
The version 2.2.20 is corrected:
  http://httpd.apache.org/download.cgi

Apache HTTP Server: version 2.0.65.
The version 2.0.65 is fixed:
  http://httpd.apache.org/download.cgi#apache20

Apache httpd: workaround for Range and Request-Range.
The SetEnvIf directive can be used with mod_headers:
  SetEnvIf Range (,.*?){5,} bad-range=1
  RequestHeader unset Range env=bad-range
  CustomLog logs/range-CVE-2011-3192a.log common env=bad-range
  SetEnvIf Request-Range (,.*?){5,} bad-req-range=1
  RequestHeader unset Request-Range env=bad-req-range
  CustomLog logs/range-CVE-2011-3192b.log common env=bad-req-range
Another workaround is to use mod_rewrite to forbid queries containing more than 5 ranges:
  RewriteEngine on
  RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
  RewriteRule .* - [F]
  RewriteCond %{HTTP:request-range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
  RewriteRule .* - [F]
Another workaround is to fully disable the Range and Request-Range headers with mod_headers:
  RequestHeader unset Range
  RequestHeader unset Request-Range
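To make the mechanism in the description and the two workarounds above concrete, here is an added example (not code from Vigil@nce or from the Apache project). It parses a Range value into the byte ranges Apache would turn into buckets, and applies the exact regular expressions from the SetEnvIf and mod_rewrite workarounds to a request's headers, so a reverse-proxy filter or a test suite can check that a configuration really stops at five ranges. The header values, the 100-byte resource length and the host name are constructed sample data.

```python
"""Range header checks mirroring the CVE-2011-3192 workarounds (added example)."""
import re

# Request-Range is the obsolete name of Range; both must be checked.
RANGE_HEADERS = ("range", "request-range")

# Regex from the mod_rewrite workaround: empty, or "bytes=" followed by at most
# five comma-separated specs.  Python's re accepts the Apache pattern as-is.
MOD_REWRITE_ACCEPT = re.compile(r"^bytes=[^,]+(,[^,]+){0,4}$|^$")

# Regex from the SetEnvIf workaround: five or more commas, i.e. six or more
# ranges, anywhere in the header value.
SETENVIF_BAD = re.compile(r"(,.*?){5,}")

# One byte-range-spec: "first-last", "first-" or "-suffix_length".
_SPEC = re.compile(r"^(\d*)-(\d*)$")


def parse_byte_ranges(value, length):
    """Resolve a Range value against a resource of `length` bytes.

    Returns a list of (first, last) tuples, one per satisfiable spec; each
    tuple is one bucket Apache appends to the response brigade, which is why
    a long list costs memory.  Malformed or unsatisfiable specs are skipped.
    """
    value = value.strip()
    if not value.lower().startswith("bytes="):
        return []                       # other range units are ignored
    ranges = []
    for spec in value[len("bytes="):].split(","):
        m = _SPEC.match(spec.strip())
        if not m or (m.group(1) == "" and m.group(2) == ""):
            continue
        first, last = m.group(1), m.group(2)
        if first == "":                 # "-N": the last N bytes
            n = int(last)
            if n == 0:
                continue
            first_i, last_i = max(0, length - n), length - 1
        else:
            first_i = int(first)
            last_i = length - 1 if last == "" else min(int(last), length - 1)
        if first_i > last_i:
            continue                    # unsatisfiable for this resource
        ranges.append((first_i, last_i))
    return ranges


def count_ranges(value):
    """Number of comma-separated specs, which is what both workarounds limit."""
    value = value.strip()
    return 0 if value == "" else value.count(",") + 1


def _get(headers, lname):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for name, value in headers.items():
        if name.lower() == lname:
            return value
    return None


def mod_rewrite_forbids(headers):
    """True when the mod_rewrite workaround would answer 403 (RewriteRule ... [F]).

    An absent header leaves %{HTTP:range} empty, which matches ^$ and passes.
    """
    for lname in RANGE_HEADERS:
        value = _get(headers, lname)
        if value is not None and not MOD_REWRITE_ACCEPT.match(value):
            return True
    return False


def mod_headers_filter(headers):
    """Apply the SetEnvIf / RequestHeader unset variant.

    Returns (filtered_headers, flagged): the request goes on without the
    offending header (the whole resource is served), and `flagged` lists the
    header names that were unset, i.e. the requests the CustomLog line records.
    """
    out, flagged = {}, []
    for name, value in headers.items():
        if name.lower() in RANGE_HEADERS and SETENVIF_BAD.search(value):
            flagged.append(name)
            continue
        out[name] = value
    return out, flagged


if __name__ == "__main__":
    # Constructed sample requests against a 100-byte resource.
    small = "bytes=10-30,50-60"
    many = "bytes=" + ",".join("%d-" % i for i in range(6))
    print(parse_byte_ranges(small, 100))
    for value in (small, many):
        hdrs = {"Host": "example.test", "Range": value}
        print(count_ranges(value), mod_rewrite_forbids(hdrs), mod_headers_filter(hdrs)[1])
```

Both workarounds agree on the threshold: SetEnvIf fires at five commas and mod_rewrite accepts at most four, so five ranges pass and six are stripped or refused. The difference a defender cares about is the failure mode: the mod_headers variant serves the complete resource and logs the request, while the mod_rewrite variant returns 403, which breaks clients that legitimately send many ranges.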

Apache httpd: patch for Range.
A patch is available in information sources.
This patch limits the number of ranges to 10.

Check Point Security Gateway, Endpoint Security Server: patch for Apache httpd.
The Check Point announcement indicates the hotfixes and their installation procedure.

Cisco: workaround for Apache.
A workaround is indicated in the information source.

Debian: new apache2 packages.
New packages are available:
  apache2 2.2.9-10+lenny11
  apache2 2.2.16-6+squeeze3

F5 BIG-IP TMOS: version 10.2.3.
The version 10.2.3 is corrected:
  http://support.f5.com/

F5 BIG-IP TMOS: version 11.1.0.
The version 11.1.0 is corrected:
  http://support.f5.com/

Fedora 15: new httpd packages.
New packages are available:
  httpd-2.2.21-1.fc15

HP OpenView NNM: Apache version 2.2.21.
The version Apache 2.2.21 is corrected:
  ftp.usa.hp.com
  user : sb02704
  password : Secure12

HP-UX: Apache version 2.2.15.08.01.
The following version is corrected:
HP-UX Web Server Suite (WSS) v3.19 containing Apache v2.2.15.09
  https://h20392.www2.hp.com/portal/swdepot/try.do?productNumber=HPUXWSATW319
  B.11.23 & B.11.31 (32-bit) : HPUXWS22ATW-B319-32.depot
  B.11.23 & B.11.31 (64-bit) : HPUXWS22ATW-B319-64.depot

HP-UX: Apache Web Server corrected versions.
The following versions are corrected:
HP-UX Web Server Suite (WSS) v3.19 containing Apache v2.2.15.09
  https://h20392.www2.hp.com/portal/swdepot/try.do?productNumber=HPUXWSATW319
  B.11.23 & B.11.31 (32-bit) : HPUXWS22ATW-B319-32.depot
  B.11.23 & B.11.31 (64-bit) : HPUXWS22ATW-B319-64.depot
HP-UX Web Server Suite (WSS) v2.34 containing Apache v2.0.64.02
  https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXWSATW234
  B.11.11 : HPUXWSATW-B234-1111.depot

Junos Space: patch for Apache.
Patch 12.1P2.1 is available:
  http://www.juniper.net/support/downloads/?p=space#sw

Mandriva: new apache packages.
New packages are available:
  apache-2.2.9-12.12mdv2009.0
  apache-2.2.15-3.3mdv2010.2
  apache-2.2.21-0.1-mdv2011.0
  apache-2.2.3-1.13.20060mlcs4
  apache-2.2.9-12.12mdvmes5.2

McAfee ePolicy Orchestrator: Hotfix 701318.
The Hotfix 701318 is available:
  https://mysupport.mcafee.com/

openSUSE: new apache2 packages.
New packages are available:
  openSUSE 11.3 : apache2-2.2.15-4.7.1
  openSUSE 11.4 : apache2-2.2.17-4.9.1

Oracle AS, Fusion: patch for Apache httpd.
A patch is available:
  http://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1357871.1

Red Hat Application Stack: new httpd packages.
New packages are available:
  httpd-2.2.13-3.el5s2

RHEL: new httpd packages.
New packages are available:
  httpd-2.0.52-48.ent
  httpd-2.2.3-53.el5_7.1
  httpd-2.2.15-9.el6_1.2

RHEL: new JBoss Enterprise Web Server packages.
New packages are available, as indicated in information sources.

Slackware: new httpd packages.
New packages are available:
ftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/httpd-2.2.20-i486-1_slack12.0.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/httpd-2.2.20-i486-1_slack12.1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/httpd-2.2.20-i486-1_slack12.2.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/httpd-2.2.20-i486-1_slack13.0.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/httpd-2.2.20-x86_64-1_slack13.0.txz
ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/httpd-2.2.20-i486-1_slack13.1.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/httpd-2.2.20-x86_64-1_slack13.1.txz
ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/httpd-2.2.20-i486-1_slack13.37.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/httpd-2.2.20-x86_64-1_slack13.37.txz

Solaris: patch for Apache HTTP Server.
A patch is available:
Solaris 10 :
  SPARC: 120543-24
  X86: 120544-24
Solaris 11 Express :
  snv_151a + 7083183

SUSE LE 10: new apache2 packages.
New packages are available:
  SUSE LE 10 SP2 : apache2-2.2.3-16.25.40
  SUSE LE 10 SP3 : apache2-2.2.3-16.32.35.1
  SUSE LE 10 SP4 : apache2-2.2.3-16.36.1

SUSE LE 11: new apache2 packages.
New packages are available:
   apache2-2.2.12-1.18.1
