A denial-of-service (DoS) vulnerability in Range header handling (CVE-2011-3192) has been identified in the Apache HTTPD server, the Apache development team reports. In a security advisory released yesterday, the team also warns of an attack tool circulating in the wild that is being used to exploit the flaw. The hole affects all versions of Apache 1.3 and Apache 2.
According to the advisory, a default Apache installation is vulnerable and the attack can be carried out remotely: a modest number of requests is enough to cause very significant CPU and memory usage on the server.
The attack exploits the way Apache HTTPD handles a Range header that asks for many overlapping byte ranges. Each requested range is processed separately, so a single request listing hundreds of overlapping ranges costs the server far more work and memory than the size of the file it names. The tool, known as 'killapache', surfaced in a Full Disclosure mailing-list post last week, and the developers say active use of it has already been observed.
Apache has promised to provide a full fix within 48 hours. In the meantime, the advisory recommends several immediate steps to mitigate the issue. The options include:
- Use SetEnvIf or mod_rewrite to detect requests carrying a large number of ranges, then either drop the Range: header (the request is served as a normal full response) or reject the request outright.
- Limit the size of request header fields (LimitRequestFieldSize) to a few hundred bytes; note that this can also break legitimate long headers such as large cookies.
- Use mod_headers to strip Range headers entirely, which also breaks resumable downloads and other legitimate partial-content requests.
- Deploy a Range header count module as a temporary stopgap measure.
- Apply the patches under discussion in this post on the Apache developers' mailing list.
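The first option in the list above comes down to counting the range-specs in a Range header and acting when there are too many. The Python below is an added example written for this article, not code from the Apache project or from the advisory: it implements that count the same way the advisory's SetEnvIf rule does (by counting commas), and adds a helper that totals how many bytes the server would have to produce for a given resource size, which makes the amplification behind the attack visible. The sample headers, the function names and the use of the 5-range threshold as a default are this example's own assumptions; the attack sample is constructed to have the shape of the request the killapache tool sends.

```python
"""Range-header sanity check modelled on the CVE-2011-3192 interim mitigations.

Added example: not code from the Apache project or the advisory. The Apache
directives quoted in comments are the advisory's; the sample headers, the
function names and the threshold's use here are this example's assumptions.
"""
import re

# The advisory's interim SetEnvIf rule flags a Range header that contains five
# or more commas, i.e. more than five range-specs:
#     SetEnvIf Range (?:,.*?){5,5} bad-range=1
#     RequestHeader unset Range env=bad-range
MAX_RANGES = 5

# Constructed sample headers (not from the page). The last one has the shape of
# the request the killapache tool sends: "bytes=0-,5-0,5-1,5-2,...,5-1299".
SAMPLES = {
    "single": "bytes=0-499",
    "resume": "bytes=1000-",
    "suffix": "bytes=-500",
    "few": "bytes=0-0,10-19,50-99",
    "overlapping": "bytes=0-100,50-150,90-200,180-300,250-400,350-500",
    "attack": "bytes=0-," + ",".join("5-%d" % k for k in range(1300)),
}

SPEC_RE = re.compile(r"^(\d*)-(\d*)$")


def parse_byte_ranges(header):
    """Split a 'bytes=' Range header into (first, last) pairs; None marks an
    absent bound ("500-" or "-500"). Raises ValueError on malformed input."""
    if not header.startswith("bytes="):
        raise ValueError("only the 'bytes' range unit is handled")
    specs = []
    for part in header[len("bytes="):].split(","):
        m = SPEC_RE.match(part.strip())
        if not m or (m.group(1) == "" and m.group(2) == ""):
            raise ValueError("malformed range-spec %r" % part)
        first = int(m.group(1)) if m.group(1) else None
        last = int(m.group(2)) if m.group(2) else None
        specs.append((first, last))
    return specs


def is_bad_range(header, max_ranges=MAX_RANGES):
    """True when the header carries more than max_ranges range-specs.
    Counts commas, exactly as the SetEnvIf regex does, so it needs no parsing."""
    return header.count(",") >= max_ranges


def bytes_covered(specs, content_length):
    """Total bytes the server would have to produce to satisfy every range of a
    content_length-byte resource. Overlaps are counted every time they occur,
    because each range-spec is handled separately; unsatisfiable ranges
    (first > last, or a start past the end of the resource) are skipped."""
    total = 0
    for first, last in specs:
        if first is None:                      # suffix form "-N": the final N bytes
            lo, hi = max(content_length - last, 0), content_length - 1
        else:
            lo = first
            hi = content_length - 1 if last is None else min(last, content_length - 1)
        if lo <= hi:
            total += hi - lo + 1
    return total


def amplification(header, content_length):
    """How many times the size of the resource one request makes the server produce."""
    return bytes_covered(parse_byte_ranges(header), content_length) / content_length


if __name__ == "__main__":
    for name, header in SAMPLES.items():
        specs = parse_byte_ranges(header)
        print("%-12s ranges=%5d amplification(1 KiB)=%8.1f -> %s" % (
            name, len(specs), amplification(header, 1024),
            "DROP/REJECT" if is_bad_range(header) else "pass"))
```

Run against a 1 KiB resource, the constructed attack header asks the server to produce several hundred times the file's size in a single request, which is why a handful of such requests is enough. The threshold deliberately errs on the side of availability: real clients rarely send more than a few ranges, and a flagged request is still answered (with the whole resource) when the Range header is merely dropped rather than rejected. The advisory's own rule also unsets the legacy Request-Range header, which Apache honoured as an alias for Range, so a filter that looks only at Range can be bypassed.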
Users of Mac OS X Server, which ships with Apache bundled, will have to wait for Apple to release a fix or apply one of the interim mitigations above. Complete details of the vulnerability and the proposed interim fixes can be found here.