A range header denial of service (DOS) vulnerability (CVE-2011-3192) has been identified in the Apache HTTPD server platform, the Apache development team informs. In a security advisory released yesterday, the team also warns of an attack tool circulating in the wild that is being used to exploit this vulnerability. This security hole affects all versions of Apache 1.3 and Apache 2.
According to the advisory, the Apache default installation is vulnerable to such attacks, which can be performed remotely. The developers say that this attack can cause a significant amount of CPU and memory usage in the server, with only a modest number of requests.
The DOS attack arises from the way multiple overlapping ranges are handled by the Apache HTTPD server. The tool known as ‘killapache’, surfaced in a full disclosure mailing list post last week, and active usage of the tool has been observed, warns the dev team.
Apache has promised to provide a full fix within 48 hours. In the meantime, Apache recommends several immediate steps to mitigate this issue. Options include the following:
- Use SetEnvIf or mod_rewrite to detect a large number of ranges; then either
Requires Membership to View
To gain access to this and all member only content, please provide the following information:
By submitting your registration information to searchSecurity.in you agree to receive email communications from the TechTarget network of sites, and/or third party content providers that have relationships with TechTarget, based on your topic interests and activity, including updates on new content, event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile, unsubscribing via email or by contacting us here
- Your use of searchSecurity.in is governed by our Terms of Use
- We designed our Privacy Policy to provide you with important disclosures about how we collect and use your registration and other information. We encourage you to read the Privacy Policy, and to use it to help make informed decisions.
- If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States.
- ignore the Range: header or reject the request.
- Limit the request field’s size to a few hundred bytes.
- Use mod_headers to completely disallow the use of Range headers.
- Deploying a Range header count module as a temporary stopgap measure.
- Apply patches available under discussion on this post in the Apache mailing list.
OS X users will have to wait until Apple releases a fix for the issue, since Apache comes pre-bundled with Mac OS X server. Complete details of the vulnerability and the proposed interim fixes can be found here.
See also