A serious vulnerability in the popular open source Apache web server, which could be exploited to cause a denial of service, is expected to be patched within the next 48 hours.


An exploit to take advantage of the vulnerability was released on the Full Disclosure mailing list on August 20. The exploit can be used against all current Apache httpd versions and will remotely exhaust both RAM and CPU.

An Apache advisory said an attack tool to exploit the bug was circulating in the wild and active use of the tool had been observed. It added that the attack could be done remotely and, with a modest number of requests, could cause very significant memory and CPU usage on a server.

Explaining the vulnerability, veteran UNIX sysadmin Rick Moen told iTWire that a web server running the Apache HTTP daemon could be sent a large number of requests for overlapping byte regions of a single file download, leading to that web server running out of memory and being unable to do its job.

"This sort of server-overwhelming attack is possible, fundamentally, because Apache helpfully implements a standard web technical function called the Range header, which seems to be primarily used for intensive downloading uses such as some ebook downloads and some video streaming," Moen, who is based in California, said.

While the Apache Software Foundation (ASF) had said it would issue a patch within 48 hours, Moen said that in the meantime those running Apache on their servers could limit or disable use of the Range header in several ways, detailed by ASF at this URL.

"Operators should, however, check that any (legitimate) intensive downloading activities aren't impaired," Moen added.

He said the ASF was studying various ways to prevent abuse of the Range header to overwhelm Apache httpd servers while still respecting its legitimate use.

"For example, the attack script released to the Full Disclosure security mailing list sends the targeted Apache server a large number of requests for a single byte range, compressed, and there is no conceivable legitimate use for such requests," Moen pointed out.

"So, the ASF is presumably working on, more precisely, which sorts of requests should be honoured and which should not."
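As an added illustration of the request filtering Moen describes, and not code from the ASF, Apache httpd or this article, the following Python check parses a Range header, refuses requests that ask for more than an assumed limit of ranges or for overlapping (redundant) ranges, and lets ordinary resume and streaming requests through. The limit `MAX_RANGES`, the function names and the sample headers are assumptions for illustration.

```python
import re

# Assumed limit for illustration; the ASF advisory's own value is not on the page.
MAX_RANGES = 5

_SPEC = re.compile(r"^(\d*)-(\d*)$")

def parse_ranges(header, size):
    """Resolve an RFC 2616 Range header into inclusive (start, end) pairs for a
    file of `size` bytes. Raises ValueError on malformed syntax."""
    if not header.startswith("bytes="):
        raise ValueError("unsupported range unit")
    ranges = []
    for spec in header[6:].split(","):
        spec = spec.strip()
        m = _SPEC.match(spec)
        if not m or spec == "-":
            raise ValueError("malformed byte-range-spec: %r" % spec)
        first, last = m.groups()
        if first == "":                    # suffix form "-N": the last N bytes
            start, end = max(0, size - int(last)), size - 1
        else:
            start = int(first)
            end = size - 1 if last == "" else min(int(last), size - 1)
        if start <= end:                   # unsatisfiable ranges are dropped
            ranges.append((start, end))
    return ranges

def classify_range(header, size):
    """Return 'honour' or 'reject'. Reject when the header is malformed, asks for
    more than MAX_RANGES ranges, or contains overlapping ranges (the redundant
    fragment pattern the article describes); plain resume/streaming passes."""
    try:
        ranges = parse_ranges(header, size)
    except ValueError:
        return "reject"
    if len(ranges) > MAX_RANGES:
        return "reject"
    ordered = sorted(ranges)
    for (_, prev_end), (start, _) in zip(ordered, ordered[1:]):
        if start <= prev_end:              # overlap or exact duplicate
            return "reject"
    return "honour"

if __name__ == "__main__":
    # Constructed sample headers, not captured traffic.
    print(classify_range("bytes=0-499,500-999", 10000))             # honour
    print(classify_range("bytes=" + ",".join(["0-"] * 50), 10000))  # reject
```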

There has been prior warning of the vulnerability. More than four years ago, Michal Zalewski, a senior security researcher from Poland, had pointed out that both Apache and Microsoft's Internet Information Services (IIS) had what he described as "a bizarro implementation of HTTP/1.1 'Range' header functionality".

"Their implementations allow the same fragment of a file to be requested an arbitrary number of times, and each redundant part to be received separately in a separate multipart/byteranges envelope," Zalewski wrote in a post to the Bugtraq security mailing list.

"Combined with the functionality of window scaling (as per RFC 1323), it is my impression that a lone, short request can be used to trick the server into firing gigabytes of bogus data into the void, regardless of the server file size, connection count, or keep-alive request number limits implemented by the administrator. Whoops?"

Apache is by far the most widely used web server software and runs on all major operating systems. According to internet services company Netcraft, which conducts a monthly web survey, a little less than two-thirds of the websites it received a response from in August - a total of 301,771,518 - were running Apache. Responses were received from 463,000,317 sites in all.

Sam Varghese

A professional journalist with decades of experience, Sam for nine years used DOS and then Windows, which led him to start experimenting with GNU/Linux in 1998. Since then he has written widely about the use of both free and open source software, and the people behind the code. His personal blog is titled Irregular Expression.