[Case 52484] Apache vulnerable

Discussion in 'EasyApache' started by CoreISP.net, Aug 24, 2011.

  1. CoreISP.net

    CoreISP.net Active Member

    From: dirkx @ apache.org (Dirk-Willem van Gulik)
    > Subject: Advisory: Range header DoS vulnerability Apache HTTPD 1.3/2.x (CVE-2011-3192)
    > Date: August 24, 2011 9:16:39 AM PDT
    > To: announce@httpd.apache.org
    >
    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    >
    > Apache HTTPD Security ADVISORY
    > ==============================
    >
    > Title: Range header DoS vulnerability Apache HTTPD 1.3/2.x
    >
    > CVE: CVE-2011-3192:
    > Date: 20110824 1600Z
    > Product: Apache HTTPD Web Server
    > Versions: Apache 1.3 all versions, Apache 2 all versions
    >
    > Description:
    > ============
    >
    > A denial of service vulnerability has been found in the way the multiple
    > overlapping ranges are handled by the Apache HTTPD server:
    >
    > Full Disclosure: Apache Killer
    >
    > An attack tool is circulating in the wild. Active use of this tool has
    > been observed.
    >
    > The attack can be done remotely and with a modest number of requests can
    > cause very significant memory and CPU usage on the server.
    >
    > The default Apache HTTPD installation is vulnerable.
    >
    > There is currently no patch/new version of Apache HTTPD which fixes this
    > vulnerability. This advisory will be updated when a long term fix
    > is available.
    >
    > A full fix is expected in the next 48 hours.
    >
    > Mitigation:
    > ============
    >
    > However there are several immediate options to mitigate this issue until
    > a full fix is available:
    >
    > 1) Use SetEnvIf or mod_rewrite to detect a large number of ranges and then
    > either ignore the Range: header or reject the request.
    >
    > Option 1: (Apache 2.0 and 2.2)
    >
    > # Drop the Range header when more than 5 ranges.
    > # CVE-2011-3192
    > SetEnvIf Range (,.*?){5,} bad-range=1
    > RequestHeader unset Range env=bad-range
    >
    > # optional logging.
    > CustomLog logs/range-CVE-2011-3192.log common env=bad-range
    >
    > Option 2: (Also for Apache 1.3)
    >
    > # Reject request when more than 5 ranges in the Range: header.
    > # CVE-2011-3192
    > #
    > RewriteEngine on
    > RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
    > RewriteRule .* - [F]
    >
    > The number 5 is arbitrary. Several 10's should not be an issue and may be
    > required for sites which for example serve PDFs to very high end eReaders
    > or use things such as complex http based video streaming.
    >
    > 2) Limit the size of the request field to a few hundred bytes. Note that while
    > this keeps the offending Range header short - it may break other headers;
    > such as sizeable cookies or security fields.
    >
    > LimitRequestFieldSize 200
    >
    > Note that as the attack evolves in the field you are likely to have
    > to further limit this and/or impose other LimitRequestFields limits.
    >
    > See: http://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfieldsize
    >
    > 3) Use mod_headers to completely dis-allow the use of Range headers:
    >
    > RequestHeader unset Range
    >
    > Note that this may break certain clients - such as those used for
    > e-Readers and progressive/http-streaming video.
    >
    > 4) Deploy a Range header count module as a temporary stopgap measure:
    >
    > http://people.apache.org/~dirkx/mod_rangecnt.c
    >
    > Precompiled binaries for some platforms are available at:
    >
    > http://people.apache.org/~dirkx/BINARIES.txt
    >
    > 5) Apply any of the current patches under discussion - such as:
    >
    > http://mail-archives.apache.org/mod...2RRWiZr7urefhTKPWBC1b+K1Dqc7g@mail.gmail.com>
    >
    > Actions:
    > ========
    >
    > Apache HTTPD users who are concerned about a DoS attack against their server
    > should consider implementing any of the above mitigations immediately.
    >
    > When using a third party attack tool to verify vulnerability - know that most
    > of the versions in the wild currently check for the presence of mod_deflate;
    > and will (mis)report that your server is not vulnerable if this module is not
    > present. This vulnerability is not dependent on presence or absence of
    > that module.
    >
    > Planning:
    > =========
    >
    > This advisory will be updated when new information, a patch or a new release
    > is available. A patch or new apache release for Apache 2.0 and 2.2 is expected
    > in the next 48 hours. Note that, while popular, Apache 1.3 is deprecated.


    Will cPanel make sure the latest Apache build can be installed when released?
    And what, if anything, will cPanel do for 1.3 users? :) I don't, but just wondering :P
     
  2. krisdv

    krisdv Well-Known Member

    What are the 'temporary' patches cPanel recommends for version 2.x (and hopefully 1.3)?
     
  3. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    cPanel is already aware of this issue and is on top of it, as always. I don't have any more info than that, but I did contact cPanel Support last night and pointed them to this thread, and was told that they are already aware of this.

    As anyone should do when they come across this sort of thing. http://go.cpanel.net/bugs :)
     
  4. ZiR

    ZiR Registered

    Dear cPanel/WHM colleagues,

    We add the following lines in /etc/httpd/conf/includes/pre_main_global.conf
    Code:
    SetEnvIf Range (,.*?){5,} bad-range=1
    RequestHeader unset Range env=bad-range
    
    And of course after that do Main >> Restart Services >> HTTP Server (Apache).

    This is just a temporary solution until the cPanel team releases an update.

    The KillApache script will report "host seems vuln" and it will start (generating requests), but without any impact on the cPanel/WHM server.

    Best Regards,
    ZiR
     
  5. SoftDux

    SoftDux Well-Known Member

    Can cPanel please give us an update on this situation, indicating when a fix will be released for cPanel?
     
  6. CoreISP.net

    CoreISP.net Active Member

    It's not really a bug in cPanel but in the third-party software Apache.
    Bit strange that it should be added to the bug tracker of cPanel when it is beyond their control...

    The RequestHeader + SetEnvIf modifications seem to work perfectly fine as explained in the email, however:
    new vulnerabilities have been detected, the issue has expanded:


     
  7. SoftDux

    SoftDux Well-Known Member

    Even so, cPanel needs to incorporate the updated Apache into the different releases as soon as it's available.

    OR, cPanel could in the meantime apply a patch, which could automatically have been applied to thousands of cPanel servers already and avoid a LOT of problems for many hosts who are totally unaware of this.

    This post has only been viewed 419 times so far, so very few people are actually aware of the problem.
     
  8. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    cPanel handles EasyApache so reporting an issue via that link is helpful to cPanel.

    EasyApache does not run on its own during updates so any update pushed out via cPanel Updates for EasyApache (changelog) would not automatically occur.
     
  9. SoftDux

    SoftDux Well-Known Member


    Yes, I'm aware of that. But, couldn't cPanel push a temporary patch without having to rebuild Apache completely? ZIR's quick fix could easily be scripted and doesn't need a full Apache rebuild to work.

    .... this is just a suggestion
     
  10. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    cPanel Support will have a response for this thread soon.
     
  11. CoreISP.net

    CoreISP.net Active Member

    That quick patch is suggested by Apache *but* it can break Apache.
    Hence the other 5 options. Mod Rewrite being one of them, though with sufficient requests it can still cause a significant rise in the CPU load. I ran multiple tests today, systems did not actually go swapping but CPU load will still rise if Option 1 in the Apache suggestion (also posted by ZIR) will not work. (Apache won't restart if it will not work)

    Though, default cPanel Apache configurations should actually work with it.
    Best to keep it in check though :)

    On a side note: Nginx is not harmed by this at all... Putting nginx in front of your Apache will make sure the attack has zero effect.
     
  12. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    From cPanel Support:

    --

    We are aware of the Denial of Service issue (CVE-2011-3192) recently reported here:
    Full Disclosure: Apache Killer

    At this time Apache is currently working to release a patch to Versions 2.0 and 2.2 of their Httpd server within the next 24 hours.

    Once we have the updated software we will test it in house and then release for 2.2 and 2.0. We will also attempt to backport the changes to our 1.3 branch of Apache if possible. Should a 1.3 patch not be possible you will either need to upgrade or keep the following includes in place at all times to mitigate this issue.

    Please keep in mind these timetables are not firm but be assured we will work as quickly as possible to get everyone updated.

    You will need to add the following in the Include Editor:
    (WHM -> Service Configuration -> Apache Configuration -> Include Editor)

    Under 'Pre Main Include' please choose your version of Apache from the drop down list and in the box include the following:

    If Apache Version = 2.2.x enter the following:

    SetEnvIf Range (,.*?){5,} bad-range=1
    RequestHeader unset Range env=bad-range


    If Apache Version = 2.0.x or 1.3.x enter the following:

    RewriteEngine on
    RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
    RewriteRule .* - [F]

    Then click the Update button.


    You will see that the configuration has been updated and will then need to click the 'Restart Apache' button.
    You should then see the 'Apache successfully restarted.'
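
The two Include Editor rule sets above, evaluated against sample Range header values (an added example, not part of the original post or cPanel's tooling): it shows that the 2.2.x rule only drops the header while the rewrite rule refuses the request, and how both patterns change when the limit of 5 ranges is raised. The function names and sample headers are constructed for illustration, and Python's re module is assumed to match these patterns the same way Apache's regex engine does.

```python
import re


def rules_for(max_ranges=5):
    """Return (setenvif_regex, rewritecond_regex) allowing up to max_ranges ranges.

    max_ranges=5 reproduces the two patterns quoted in the thread.
    """
    setenvif = r"(,.*?){%d,}" % max_ranges                            # N commas = N+1 ranges
    rewrite = r"(^bytes=[^,]+(,[^,]+){0,%d}$|^$)" % (max_ranges - 1)  # 1..N ranges, or no header
    return setenvif, rewrite


def evaluate(range_value, max_ranges=5):
    """Return (action_2_2_rule, action_rewrite_rule) for one Range header value.

    range_value is None when the client sent no Range header.
    """
    setenvif, rewrite = rules_for(max_ranges)
    value = range_value or ""  # assumption: an absent header is matched as an empty string
    # SetEnvIf sets bad-range on a match; RequestHeader unset then removes the
    # header, so the request is still served, just without range handling.
    first = "unset-range" if re.search(setenvif, value) else "pass"
    # RewriteCond is negated with "!", so a NON-match triggers RewriteRule .* - [F].
    second = "pass" if re.search(rewrite, value) else "forbidden"
    return first, second


# Constructed sample header values (not taken from the thread).
SAMPLES = [
    None,                                                    # no Range header
    "bytes=0-499",                                           # ordinary resume/seek
    "bytes=0-99,200-299,400-499,600-699,800-899",            # exactly 5 ranges
    "bytes=0-99,200-299,400-499,600-699,800-899,1000-1099",  # 6 ranges
    "bytes=",                                                # malformed, no range spec
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print("%-60r %s" % (sample, evaluate(sample)))
    print("patterns for a limit of 20 ranges:", rules_for(20))
```

The malformed `bytes=` sample shows one behavioural difference between the two rule sets: the rewrite rule also refuses any Range value that does not start with a well-formed `bytes=` list, while the SetEnvIf rule only counts commas.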
     
  13. sneader

    sneader Well-Known Member

    Is there any way to test to be sure we've properly implemented the fix? One script that is in the wild, "killapache.pl" (Google it, easy to find), shows "Not killing Apache but appears vulnerable". Perhaps this is the normal and expected result from this patch?

    - Scott
     
  14. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    The script is in the first post at the link just above as well. I do believe that's the expected result for now.

    Just to add for anyone reading this, don't open that file if you're not sure if your computer is protected or not.
     
  15. CoreISP.net

    CoreISP.net Active Member

    Ya, the reply from cPanel is pretty much what Apache already told us and what is in the first thing I posted on here :p
    Nothing new there. And Apache's "24 hours" appears to be rather stretchy. Not that I mind as long as the proposed patches work this far. It's funny though.

    The script is harmless, I have it running on several testing servers.
    The desired effect I got was like this:

    [~]# perl killapache_pl.bin coreisp.nl 50
    host seems vuln
    ATTACKING coreisp.nl [using 50 forks]
    :pPpPpppPpPPppPpppPp
    ATTACKING coreisp.nl [using 50 forks]
    :pPpPpppPpPPppPpppPp
    ATTACKING coreisp.nl [using 50 forks]
    :pPpPpppPpPPppPpppPp
    ATTACKING coreisp.nl [using 50 forks]
    :pPpPpppPpPPppPpppPp
    ATTACKING coreisp.nl [using 50 forks]
    :pPpPpppPpPPppPpppPp


    The script cannot run, it keeps getting terminated.
    I applied both rules though.
    Before I did it was attacking perfectly fine.

    Best solution this far appears to be putting nginx in front of it though, that kills the script instantly ;)
     
  16. rgpayne

    rgpayne Well-Known Member

    Any further reply from cPanel/Apache people?
     
  17. CoreISP.net

    CoreISP.net Active Member

    As is usually the case with open source projects that rely on multiple people, the 24 to 48 hours to "get it fixed" appears to be taking quite a bit longer...

    So: No word from Apache yet.

    *However*, the people that wrote the scripts have let us know something new...
    Apache is more vulnerable than we thought. They found another issue with Request-Range...
    More to patch so it seems.
     
  18. CoreISP.net

    CoreISP.net Active Member

    I have to correct myself after more tests.
    Nginx is vulnerable to this attack. For most script kiddies it will seem invulnerable, however if you disable the security tests in the script that look for the Apache modules and start attacking nginx: Watch your CPU load skyrocket...
     
  19. ugaitzg

    ugaitzg Registered

    Any further info? Nothing?
     