[SingCERT] Apache Web Server Denial of Service Vulnerability


[ Summary ]
Apache webserver is prone to a zero-day vulnerability which can be exploited using a relatively low number of requests directed at the server to cause a Denial of Service condition. A tool to exploit the vulnerability called "Apache Killer" has been released onto the Internet. Active use of this tool has been observed. The attack can be done remotely and, with a modest number of requests, can cause very significant memory and CPU usage on the server. The default Apache webserver installation is vulnerable.


[ Affected Systems ]
This vulnerability affects Apache Web Server:
1) Apache 1.3 (all versions)
2) Apache 2 (all versions)


[ Impact Analysis ]
Successfully exploiting this issue allows remote attackers to crash the affected webserver, denying service to legitimate users.


[ Solution/Workaround ]
Patches are currently unavailable. Agencies are advised to implement the following workarounds and mitigations where applicable.

· Use SetEnvIf or mod_rewrite to detect a large number of ranges and then either ignore the 'Range' header OR reject the request:
 1) Drop the Range header when more than 5 ranges (For Apache ver. 2.0 and 2.2):
        # Drop the Range header when more than 5 ranges.
        # Requires mod_setenvif and mod_headers. Five or more commas in the
        # Range value (i.e. six or more ranges) sets the bad-range variable.
        SetEnvIf Range (,.*?){5,} bad-range=1
        RequestHeader unset Range env=bad-range

        # optional logging of the flagged requests.
        CustomLog logs/range-CVE-2011-3192.log common env=bad-range

                                                              OR

 2) Reject request when more than 5 ranges in the Range: header (For Apache ver. 1.3):
        # Reject request when more than 5 ranges in the Range: header.
        # Requires mod_rewrite. The condition is negated: the request is
        # refused (403 Forbidden) unless the header is empty or has at most
        # five "bytes=" ranges.
        RewriteEngine on
        RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
        RewriteRule .* - [F]

· Limit the size of the request field to a few hundred bytes. Note that while this keeps the offending Range header short, it may break other headers, such as sizeable cookies or security fields.
· Use mod_headers to completely disallow the use of Range headers.
· Deploy a Range header count module as a temporary stopgap measure.
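The two workarounds above hinge on a pair of regular expressions, and it is worth checking what each one actually matches before deploying it. The following script is an added example written for this advisory; it is not SingCERT's or the Apache project's code. It reimplements the SetEnvIf pattern and the negated RewriteCond pattern in Python, counts the ranges in a Range header independently, and runs all three over a set of constructed sample header values (a normal single range, a five-range header at the limit, a six-range header just over it, and a long many-range header of the kind the workarounds are meant to stop). Function names and the sample headers are this example's own.

```python
import re

# Pattern from the SetEnvIf workaround: it is searched (unanchored) against the
# Range header value, and matches when the value contains five or more commas,
# i.e. six or more ranges. The 2.0/2.2 workaround then strips the header.
SETENVIF_BAD_RANGE = re.compile(r"(,.*?){5,}")

# Pattern from the mod_rewrite workaround. The RewriteCond carries a leading
# "!", so a request is rejected when this pattern does NOT match: the header
# must be empty, or be "bytes=" followed by one to five comma-separated specs.
REWRITE_ALLOWED = re.compile(r"(^bytes=[^,]+(,[^,]+){0,4}$|^$)")

# One byte-range-spec as RFC 2616 defines it: "first-last", "first-" or "-suffix".
RANGE_SPEC = re.compile(r"^\s*(\d+-\d*|-\d+)\s*$")


def setenvif_flags(range_header: str) -> bool:
    """True if the SetEnvIf rule would set bad-range=1 for this header value."""
    return SETENVIF_BAD_RANGE.search(range_header) is not None


def rewrite_rejects(range_header: str) -> bool:
    """True if the RewriteCond/RewriteRule pair would answer 403 Forbidden."""
    return REWRITE_ALLOWED.search(range_header) is None


def count_ranges(range_header: str) -> int:
    """Independent count of well-formed byte ranges; 0 for absent or non-bytes units."""
    if not range_header.startswith("bytes="):
        return 0
    specs = range_header[len("bytes="):].split(",")
    return sum(1 for spec in specs if RANGE_SPEC.match(spec))


# Constructed sample Range header values for the demonstration (not captured traffic).
SAMPLE_HEADERS = {
    "absent": "",
    "single": "bytes=0-",
    "five": "bytes=0-1,2-3,4-5,6-7,8-9",
    "six": "bytes=0-1,2-3,4-5,6-7,8-9,10-11",
    "many": "bytes=" + ",".join(f"{i}-{i + 1}" for i in range(100)),
    "other-unit": "items=0-3",
}


def evaluate(range_header: str) -> dict:
    """Run every check over one header value and report the results together."""
    return {
        "ranges": count_ranges(range_header),
        "setenvif_drops_header": setenvif_flags(range_header),
        "rewrite_rejects_request": rewrite_rejects(range_header),
    }


def evaluate_samples() -> dict:
    """Evaluate all constructed samples, keyed by sample name."""
    return {name: evaluate(value) for name, value in SAMPLE_HEADERS.items()}


if __name__ == "__main__":
    for name, result in evaluate_samples().items():
        print(f"{name:>10}: {result}")
```

Two things the run makes visible. Both workarounds agree on the six-range boundary: a header with five ranges passes untouched, a sixth range trips the SetEnvIf rule and the RewriteCond alike. They differ on malformed or non-"bytes" Range headers: the SetEnvIf rule only counts commas and leaves "items=0-3" alone, whereas the mod_rewrite rule rejects anything that is neither empty nor a "bytes=" list, which is worth knowing if clients on your network send unusual range units.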


[ Reference ]
http://www.net-security.org/secworld.php?id=11513
http://www.theregister.co.uk/2011/08/24/devastating_apache_vuln/
http://www.computerworld.com/s/article/9219471/Apache_warns_Web_server_admins_of_DoS_attack_tool
http://www.h-online.com/security/news/item/Tool-causes-Apache-web-server-to-freeze-Update-1330105.html