Apache exploit may crash your server – heres how to fix it

We have picked up that there was an exploit in Apache which can result in your server running out of memory. the discovery was noticed quiet some time ago, but never fixed, and it seems to have reared its head publicly resulting in some people actively attacking.

There is no patch for apache as yet, however you can do a few things to stop it affecting you.

1) Use SetEnvIf or mod_rewrite to detect a large number of ranges and then
either ignore the Range: header or reject the request.

Option 1: (Apache 2.0 and 2.2)

# Drop the Range header when more than 5 ranges.
# CVE-2011-3192
SetEnvIf Range (,.*?){5,} bad-range=1
RequestHeader unset Range env=bad-range

# optional logging.
CustomLog logs/range-CVE-2011-3192.log common env=bad-range

Option 2: (Also for Apache 1.3)

# Reject request when more than 5 ranges in the Range: header.
# CVE-2011-3192
RewriteEngine on
RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
RewriteRule .* - [F]

The number 5 is arbitrary. Several 10's should not be an issue and may be
required for sites which for example serve PDFs to very high end eReaders
or use things such complex http based video streaming.

2) Limit the size of the request field to a few hundred bytes. Note that while
this keeps the offending Range header short - it may break other headers;
such as sizeable cookies or security fields.

LimitRequestFieldSize 200

Note that as the attack evolves in the field you are likely to have
to further limit this and/or impose other LimitRequestFields limits.

See: http://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfieldsize

3) Use mod_headers to completely dis-allow the use of Range headers:

RequestHeader unset Range

Note that this may break certain clients - such as those used for
e-Readers and progressive/http-streaming video.
4) Deploy a Range header count module as a temporary stopgap measure: http://people.apache.org/~dirkx/mod_rangecnt.c

Precompiled binaries for some platforms are available at: http://people.apache.org/~dirkx/BINARIES.txt

Because each system is different, and the requirements for each system vary, there is no one sure way to fix each system. If you are unsure what one to use, or need help fixing that, just drop us an email and we can sort that out for you.

This entry was posted in Security and tagged , , , , , , , . Bookmark the permalink.

One Response to Apache exploit may crash your server – heres how to fix it

  1. Marcus says:

    Thanks for the heads up. I googled for it and found a one hour old conversation on stackoverflow where a fellow admin was being attacked, got unset Range recommended by someone and then wrote back to say thanks.