An exploit to take advantage of the vulnerability was released on the Full Disclosure mailing list on August 20. The exploit can be used against all current Apache httpd versions and will remotely exhaust both RAM and CPU.
An Apache advisory said an attack tool to exploit the bug was circulating in the wild and active use of the tool had been observed. It added that the attack could be done remotely and, with a modest number of requests, could cause very significant memory and CPU usage on a server.
Explaining the vulnerability, veteran UNIX sysadmin Rick Moen told iTWire that a web server running the Apache HTTP daemon could be sent a large number of requests for overlapping byte regions of a single file download, leading to that web server running out of memory and being unable to do its job.
"This sort of server-overwhelming attack is possible, fundamentally, because Apache helpfully implements a standard web technical function called the Range header, which seems to be primarily used for intensive downloading uses such as some ebook downloads and some video streaming," Moen, who is based in California, said.
While the Apache Software Foundation (ASF) had said it would issue a patch within 48 hours, Moen said that, in the meantime, those running Apache on their servers could limit or disable use of the Range header in several ways, detailed by the ASF at this URL.
"Operators should, however, check that any (legitimate) intensive downloading activities aren't impaired," Moen added.
He said the ASF was studying various ways to prevent abuse of the Range header to overwhelm Apache httpd servers while still respecting its legitimate use.
"For example, the attack script released to the Full Disclosure security mailing list sends the targeted Apache server a large number of requests for a single byte range, compressed, and there is no conceivable legitimate use for such requests," Moen pointed out.
"So, the ASF is presumably working on, more precisely, which sorts of requests should be honoured and which should not."
There had been prior warning of the vulnerability. More than four years earlier, Michal Zalewski, a senior security researcher from Poland, had pointed out that both Apache and Microsoft's Internet Information Services (IIS) had what he described as "a bizarro implementation of HTTP/1.1 'Range' header functionality".
"Their implementations allow the same fragment of a file to be requested an arbitrary number of times, and each redundant part to be received separately in a separate multipart/byteranges envelope," Zalewski wrote in a post to the Bugtraq security mailing list.
"Combined with the functionality of window scaling (as per RFC 1323), it is my impression that a lone, short request can be used to trick the server into firing gigabytes of bogus data into the void, regardless of the server file size, connection count, or keep-alive request number limits implemented by the administrator. Whoops?"
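To make concrete both what Moen describes (deciding which Range requests a server should honour) and what Zalewski describes (a short request that makes the server emit gigabytes), here is an added example written for this page; it is not code from the article, from the ASF, from Moen or Zalewski, or from the attack tool on Full Disclosure. It parses an HTTP Range header the way a server would, applies a simple policy (cap on the number of ranges, no overlapping or duplicated ranges), and computes how many bytes a multipart/byteranges response would put on the wire. The policy values (MAX_RANGES, ALLOW_OVERLAP), the per-part envelope cost (PART_OVERHEAD), the request_overhead figure and the sample headers are all assumptions constructed for the illustration, not Apache settings.

```python
import re

# Policy knobs. Assumed values for this example, not Apache's own defaults:
# the cap on ranges per request, and whether overlapping or duplicated
# ranges are honoured at all.
MAX_RANGES = 5
ALLOW_OVERLAP = False

# Assumed per-part cost of a multipart/byteranges envelope (boundary line,
# Content-Type and Content-Range headers, blank line); a rough figure.
PART_OVERHEAD = 120

_RANGE_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")


def parse_range_header(value, file_size):
    """Resolve 'bytes=a-b,c-,-n' into absolute (first, last) offsets.

    Malformed syntax raises ValueError (a server ignores such a header and
    sends the whole file). Specs that cannot be satisfied against file_size
    are dropped; an empty result means every spec was unsatisfiable (416).
    """
    if not value.lower().startswith("bytes="):
        raise ValueError("unsupported range unit")
    ranges = []
    for spec in value[len("bytes="):].split(","):
        m = _RANGE_SPEC.match(spec)
        if not m:
            raise ValueError("malformed range spec %r" % spec)
        first, last = m.group(1), m.group(2)
        if first == "" and last == "":
            raise ValueError("empty range spec")
        if first == "":
            # suffix range '-n': the last n bytes of the file
            n = int(last)
            if n == 0 or file_size == 0:
                continue
            ranges.append((max(0, file_size - n), file_size - 1))
            continue
        start = int(first)
        end = file_size - 1 if last == "" else min(int(last), file_size - 1)
        if start >= file_size or start > end:
            continue  # unsatisfiable on its own; the remaining specs still count
        ranges.append((start, end))
    return ranges


def has_overlap(ranges):
    """True if any two ranges share a byte (exact duplicates included)."""
    ordered = sorted(ranges)
    return any(ordered[i][1] >= ordered[i + 1][0]
               for i in range(len(ordered) - 1))


def response_bytes(ranges):
    """Bytes the server would emit on the wire for the given ranges."""
    if not ranges:
        return 0
    body = sum(last - first + 1 for first, last in ranges)
    if len(ranges) == 1:
        return body  # single part: plain 206, no multipart envelope
    return body + len(ranges) * PART_OVERHEAD


def amplification(header_value, file_size, request_overhead=200):
    """Response bytes per request byte. request_overhead is an assumed size
    for the request line and the other request headers."""
    try:
        ranges = parse_range_header(header_value, file_size)
    except ValueError:
        return 0.0
    return response_bytes(ranges) / (len(header_value) + request_overhead)


def range_decision(header_value, file_size):
    """'honour' (206), 'ignore' (200 with the whole file) or 'reject' (416)."""
    try:
        ranges = parse_range_header(header_value, file_size)
    except ValueError:
        return "ignore"
    if not ranges:
        return "reject"
    if len(ranges) > MAX_RANGES:
        return "ignore"
    if not ALLOW_OVERLAP and has_overlap(ranges):
        return "ignore"
    return "honour"


# Constructed sample headers, evaluated against a hypothetical 10 MB file.
FILE_SIZE = 10_000_000
SAMPLES = {
    "legitimate resume": "bytes=4000000-",
    "two clean parts": "bytes=0-499,500-999",
    "single-byte repeats": "bytes=0-0,0-0,0-0",
    "whole file x1300": "bytes=" + ",".join(["0-"] * 1300),
    "unsatisfiable": "bytes=20000000-",
    "garbage": "bytes=abc",
}

if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        print("%-22s %-7s amplification x%.0f" % (
            name, range_decision(hdr, FILE_SIZE), amplification(hdr, FILE_SIZE)))
```

The "whole file x1300" sample is the shape Zalewski's remark points at: a header of under 4 KB that resolves to 1300 copies of the file, around 13 GB of response for one request, which the policy above refuses on the range count alone. The "single-byte repeats" sample is the pattern Moen mentions; it passes the count check and is caught only by the overlap check, which is why a count cap by itself is a weaker mitigation than refusing overlapping ranges. Whether a server should fall back to a full 200 response or return 416 on a refused header is a design choice; this example sends the whole file, which keeps legitimate clients working while removing the multiplier.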
Apache is by far the most widely used web server software and runs on all major operating systems. According to the internet services company Netcraft, which conducts a monthly web survey, a little less than two-thirds of the websites it received a response from in August (301,771,518 out of 463,000,317 sites in all) were running Apache.