Apache DoS bug expected to be patched in 48 hours


A serious vulnerability in the popular open source Apache web server, that could be exploited to cause a denial of service, is expected to be patched within the next 48 hours.


An exploit to take advantage of the vulnerability was released on the Full Disclosure mailing list on August 20. The exploit can be used against all current Apache httpd versions and will remotely exhaust both RAM and CPU.

An Apache advisory said an attack tool to exploit the bug was circulating in the wild and active use of the tool had been observed. It added that the attack could be done remotely and, with a modest number of requests, could cause very significant memory and CPU usage on a server.

Explaining the vulnerability, veteran UNIX sysadmin Rick Moen told iTWire that a web server running the Apache HTTP daemon could be sent a large number of requests for overlapping byte regions of a single file download, leading to that web server running out of memory and being unable to do its job.

"This sort of server-overwhelming attack is possible, fundamentally, because Apache helpfully implements a standard web technical function called the Range header, which seems to be primarily used for intensive downloading uses such as some ebook downloads and some video streaming," Moen, who is based in California, said.

While the Apache Software Foundation (ASF) had said it would issue a patch within 48 hours, Moen said that in the meantime those running Apache on their servers could limit or disable use of the Range header in several ways, detailed by ASF at this URL.

"Operators should, however, check that any (legitimate) intensive downloading activities aren't impaired," Moen added.

He said the ASF was studying various ways to prevent abuse of the Range header to overwhelm Apache httpd servers while still respecting its legitimate use.

"For example, the attack script released to the Full Disclosure security mailing list sends the targeted Apache server a large number of requests for a single byte range, compressed, and there is no conceivable legitimate use for such requests," Moen pointed out.

"So, the ASF is presumably working on, more precisely, which sorts of requests should be honoured and which should not."
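As an added illustration (not code from the article, from Moen or from the ASF), here is a defender-side check in the spirit of the Range-limiting mitigations the text refers to: it parses a `bytes=` Range header and flags requests that carry more than a small number of ranges, or that ask for overlapping or duplicated fragments of the same file, which is the pattern Moen and Zalewski describe. The `MAX_RANGES` threshold, the verdict labels and the sample headers are assumptions constructed for the example; as Moen notes, operators should confirm that legitimate multi-range clients are not affected before enforcing such a rule.

```python
import re
from typing import List, Optional, Tuple

# Assumed policy knob (not from the article): how many byte ranges a single
# request may carry before it is treated as abusive.
MAX_RANGES = 5

# One byte-range-spec: "first-last", "first-" or "-suffix_length".
RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")


def parse_range_header(value: str, size: int) -> Optional[List[Tuple[int, int]]]:
    """Parse an HTTP/1.1 'bytes=' Range header into absolute (start, end) pairs.

    Returns None when the header is syntactically invalid (a server would then
    ignore it and serve the whole file). Unsatisfiable or empty specs are dropped.
    """
    value = value.strip()
    if not value.lower().startswith("bytes="):
        return None
    ranges: List[Tuple[int, int]] = []
    for spec in value[len("bytes="):].split(","):
        m = RANGE_SPEC.match(spec.strip())
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return None
        first, last = m.group(1), m.group(2)
        if first == "":                      # suffix range: the last N bytes
            n = int(last)
            if n == 0:
                continue
            start, end = max(0, size - n), size - 1
        else:
            start = int(first)
            end = size - 1 if last == "" else min(int(last), size - 1)
            if start >= size or start > end:  # beyond EOF or inverted: ignored
                continue
        ranges.append((start, end))
    return ranges


def range_request_verdict(value: Optional[str], size: int) -> str:
    """Classify a Range header for a file of `size` bytes.

    Verdicts (assumed labels): 'no-range', 'invalid', 'unsatisfiable',
    'too-many', 'overlap' or 'ok'. Only 'ok' requests should receive a
    multipart/byteranges response; the rest are refused or served whole.
    """
    if value is None or value.strip() == "":
        return "no-range"
    ranges = parse_range_header(value, size)
    if ranges is None:
        return "invalid"
    if not ranges:
        return "unsatisfiable"
    if len(ranges) > MAX_RANGES:
        return "too-many"
    # Redundant or overlapping fragments have no legitimate download use and
    # are the signature of the attack described in the article.
    ordered = sorted(ranges)
    for (_, prev_end), (cur_start, _) in zip(ordered, ordered[1:]):
        if cur_start <= prev_end:
            return "overlap"
    return "ok"
```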

There has been prior warning of the vulnerability. More than four years ago, Michal Zalewski, a senior security researcher from Poland, had pointed out that both Apache and Microsoft's Internet Information Services (IIS) had what he described as "a bizarro implementation of HTTP/1.1 'Range' header functionality".

"Their implementations allow the same fragment of a file to be requested an arbitrary number of times, and each redundant part to be received separately in a separate multipart/byteranges envelope," Zalewski wrote in a post to the Bugtraq security mailing list.

"Combined with the functionality of window scaling (as per RFC 1323), it is my impression that a lone, short request can be used to trick the server into firing gigabytes of bogus data into the void, regardless of the server file size, connection count, or keep-alive request number limits implemented by the administrator. Whoops?"

Apache is by far the most widely used web server software and runs on all major operating systems. According to the internet services company Netcraft, which conducts a monthly web survey, a little less than two-thirds of the websites it received a response from in August - a total of 301,771,518 - were running Apache. Responses were received from 463,000,317 sites in all.


Sam Varghese


A professional journalist with decades of experience, Sam for nine years used DOS and then Windows, which led him to start experimenting with GNU/Linux in 1998. Since then he has written widely about the use of both free and open source software, and the people behind the code. His personal blog is titled Irregular Expression.
