Patch Promise For Apache Killer DoS Vulnerability

Fahmida Y Rashid eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved.,

Apache has promised to patch a vulnerability that exposes Web servers to denial of service attacks

A denial-of-service tool that exploits a security flaw in the Apache Web server software has been found in the wild. The Apache team is working on a fix and is expected to roll it out over the next few days.

Called “Apache Killer”, the DoS tool appeared on the August 19 “Full Disclosure” security mailing list. A few days later, the Apache Software Foundation acknowledged the existence of  the vulnerability targeted by the tool and promised a fix for Apache 2.0 and 2.2 “in the next 96 hours”.

Apache Killer On The Warpath

Apache is the most widely used Web server software in the world, accounting for 65.2 percent of all such software currently in use, according to UK-based security consultancy Netcraft. The Apache team said all versions of the software in the 1.3 and 2.0 lines have the DoS bug and are vulnerable to attack. Apache 1.3 is no longer supported and administrators should have moved on to more recent versions already.

“An attack tool is circulating in the wild. Active use of this tool has been observed,” according to a security advisory from the Apache project.

The Web server software has a flaw in how multiple overlapping HTTP ranges are handled, the team said in the security advisory. The attack can be launched remotely and a “modest number of requests” can consume significant amounts of memory and CPU on the server, according to the advisory.

The bug was first reported in 2007 on the bugtraq Website by Michal Zalewski, a Google security engineer. Zalewski had said at the time that launching a DoS attack taking advantage of the flaw would be simplistic.

“A lone, short request can be used to trick the server into firing gigabytes of bogus data into the void, regardless of the server file size, connection count, or keep-alive request number limits implemented by the administrator. Whoops?” he wrote in the initial report.

A researcher under the name of Kingcope posted about the bug on Full Disclosure last week. The post was accompanied by a Perl script to execute an attack that could exhaust the memory of a remote Apache server “rather quickly”, Ryan Barnett, senior security researcher at Trustwave wrote on the SpiderLabs Anterior blog.

When executed, the script sends malicious HTTP Range Request headers for large amounts of data. Apache breaks up the large requests into smaller chunks but the malicious request is sizeable enough to tie up system resources in processing each of the chunks, according to Barnett.

“It appears, due to its lack of sophistication, that it did not get much attention by Apache developers and it has remained unpatched all of this time,” said Kevin Shortt, an incident handler at SAN Institute’s Internet Storm Centre.

Trustwave added new rules to ModSecurity, a widely deployed Web application firewall, to mitigate the attack. The new ModSecurity rules are intended to be a temporary measure not a permanent fix as “the core issue should certainly be addressed within the Apache code itself,” Barnett said.

Apache recommended that administrators “investigate whether they are vulnerable” to the DoS attack and provided several mitigation steps to protect Web servers until a patch is available.

Administrators can use mod_headers to disallow range headers altogether or use mod_rewrite to limit the number of ranges that are being handled, according to the advisory. However, mod_headers may break certain clients, such as those used by e-readers and streaming Web video streaming.

They can also deploy a range header count module as a stopgap measure or limit the size of the request field to a few hundred bytes to keep the range header short. The change may affect sizeable cookies and security fields. As threats evolve, the request field may need to be limited further, the team warned. It may also be possible to disable compression on the fly by removing mod_deflate as a loaded module, according to the security advisory.

Administrators running a Mac-based server with Apache will have to wait for Apple to deliver a patch because that version of the Web Server is bundled inside Mac OS X and maintained by the operating system developers.