Apache Confirms DoS Vulnerability in Web Server, Promises Quick Patch

Apache has promised a patch in the "next 96 hours" to fix the vulnerability that exposes Web servers running the Apache software to denial of service attacks.

A denial-of-service tool that exploits a security flaw in the Apache Web server software is available in the wild. The Apache team is working on a fix and is expected to roll it out over the next few days.

Called "Apache Killer," the DoS tool appeared Aug. 19 on the "Full Disclosure" security mailing list. The Apache Software Foundation acknowledged on Aug. 24 that the vulnerability the tool targets existed, and promised a fix for Apache 2.0 and 2.2 "in the next 96 hours."

Apache is the most widely used Web server software in the world, accounting for 65.2 percent of all such software currently in use, according to United Kingdom-based security consultancy Netcraft. The Apache team said all versions of the software in the 1.3 and 2.0 lines have the DoS bug and are vulnerable to attack. Apache 1.3 is no longer supported and administrators should have moved on to more recent versions already.

"An attack tool is circulating in the wild. Active use of this tool has been observed," according to a security advisory from the Apache project.

The Web server software has a flaw in how multiple overlapping HTTP ranges are handled, the team said in the security advisory. The attack can be launched remotely and a "modest number of requests" can consume significant amounts of memory and CPU on the server, according to the advisory.

The bug was first reported in 2007 on the bugtraq Website by Michal Zalewski, a Google security engineer. Zalewski had said at the time that launching a DoS attack taking advantage of the flaw would be simplistic.

"A lone, short request can be used to trick the server into firing gigabytes of bogus data into the void, regardless of the server file size, connection count, or keep-alive request number limits implemented by the administrator. Whoops?" he wrote in the initial report.

A researcher under the name of Kingcope posted about the bug on Full Disclosure last week. The post was accompanied by a Perl script to execute an attack that could exhaust the memory of a remote Apache server "rather quickly," Ryan Barnett, senior security researcher at Trustwave wrote on the SpiderLAbs Anterior blog Aug. 24.

When executed, the script sends malicious HTTP Range Request headers for large amounts of data. Apache breaks up large requests in smaller chunks, but the malicious request is sizeable enough that system resources get tied up processing each of the chunks, according to Barnett.

"It appears due to its lack of sophistication, that it did not get much attention by Apache developers and it has remained unpatched all of this time," said Kevin Shortt, an incident handler at SAN Institute's Internet Storm Center.

Trustwave added new rules to ModSecurity, a widely deployed Web application firewall, to mitigate the attack. The new ModSecurity rules are not intended to be a permanent fix, but a temporary measure as "the core issue should certainly be addressed within the Apache code itself," Barnett said.

Apache recommended that administrators "investigate whether they are vulnerable" to the DoS attack and provided several mitigation steps to protect Web servers until a patch is available.

Administrators can use mod_headers to disallow range headers altogether or use mod_rewrite to limit the number of ranges that are being handled, according to the advisory. However, mod_headers may break certain clients, such as those used by e-Readers and streaming Web video streaming.

They can also deploy a range header count module as a temporary stopgap measure or limit the size of the request field to a few hundred bytes to keep the Range header short. The change may affect sizable cookies and security fields. As threats evolve, the request field may need to be further limited, the team warned. It may also be possible to disable compression on the fly, by removing mod_deflate as a loaded module, according to the security advisory.

Administrators running a Mac-based server with Apache will have to wait for Apple to deliver a patch because that version of the Web Server is bundled inside Mac OS X and maintained by the operating system.