Article ID: 112153, created on Aug 31, 2011, last review on May 9, 2014

Applies to:
  • H-Sphere 3.4
  • H-Sphere 3.5

Description

A denial of service vulnerability has been found in the way multiple
overlapping ranges in Range requests are handled by the Apache HTTPD server (both versions):
 
     http://seclists.org/fulldisclosure/2011/Aug/175
 
An attack tool is circulating in the wild. Active use of this tool has
been observed.
 
The attack can be done remotely and with a modest number of requests can
cause very significant memory and CPU usage on the server.
 
The default Apache HTTPD installation is vulnerable.
 
There is currently no patch/new version of Apache HTTPD which fixes this
vulnerability. This advisory will be updated when a long term fix
is available.

Resolution

While the core issue should certainly be addressed within the Apache code itself, in the meantime Parallels H-Sphere administrators can use special ModSecurity rules to mitigate this attack:
 
1.      Enable the apache_security or the apache_security2 module for the web servers in the Parallels H-Sphere Control Panel (menu path: E.Manager → P.Servers → Physical Server Parameters).
2.      Download the attached shell script into a temporary directory on the web server.
3.      Run this script on the web server:
sh fix_killapache_issue.sh
4.      Reload the httpd service:
·         on Linux:
/etc/init.d/httpd reload
·         on FreeBSD:
/usr/local/etc/rc.d/apache.sh restart
5.      Repeat steps 2 to 4 on each web server.
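The ModSecurity rules installed by the script above are not reproduced in this article. As an added illustration of the check such a rule performs (this is example code, not the attached script or a ModSecurity rule), the following Python inspects a request's Range header, treats an overlapping or excessively long range list as the attack pattern, and treats a malformed header as something to strip so the whole resource is served instead. The limit MAX_RANGES and the sample headers are constructed for this example; the page gives no numeric thresholds.

```python
import re
from typing import List, Optional, Tuple

# Constructed threshold for this example; legitimate clients rarely need more.
MAX_RANGES = 5

# Only the "bytes" unit matters here; the same check applies to the legacy
# Request-Range header if the server honours it.
RANGE_RE = re.compile(r"^\s*bytes\s*=\s*(.*)$", re.IGNORECASE)

Span = Tuple[Optional[int], Optional[int]]   # None = open-ended side


def parse_ranges(header: str) -> Optional[List[Span]]:
    """Parse 'bytes=a-b,c-,-d' into (start, end) pairs; None if malformed."""
    m = RANGE_RE.match(header)
    if not m:
        return None
    spans: List[Span] = []
    for part in m.group(1).split(","):
        part = part.strip()
        if not part:
            continue
        lo, sep, hi = part.partition("-")
        if not sep or (not lo and not hi):
            return None
        try:
            span = (int(lo) if lo else None, int(hi) if hi else None)
        except ValueError:
            return None
        if span[0] is not None and span[1] is not None and span[0] > span[1]:
            return None          # last-byte-pos before first-byte-pos: invalid
        spans.append(span)
    return spans or None         # 'bytes=' with no ranges is malformed too


def has_overlap(spans: List[Span]) -> bool:
    """True if any two ranges with a known start overlap ('0-' is open-ended)."""
    known = sorted((lo, hi if hi is not None else float("inf"))
                   for lo, hi in spans if lo is not None)
    return any(b_lo <= a_hi for (_, a_hi), (b_lo, _) in zip(known, known[1:]))


def classify(header: Optional[str]) -> str:
    """Decide 'allow', 'strip' (drop header) or 'block' for one request."""
    if header is None:
        return "allow"
    spans = parse_ranges(header)
    if spans is None:
        return "strip"           # malformed: serve the whole resource instead
    if len(spans) > MAX_RANGES or has_overlap(spans):
        return "block"           # many or overlapping ranges: the DoS pattern
    return "allow"
```

Adjacent ranges such as 0-99,100-199 are allowed; only overlapping or oversized lists are rejected.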

Related links

http://www.securityfocus.com/bid/49303/info
http://seclists.org/fulldisclosure/2011/Aug/175
http://blog.spiderlabs.com/2011/08/mitigation-of-apache-range-header-dos-attack.html
http://mod-security.svn.sourceforge.net/viewvc/mod-security/crs/trunk/base_rules/modsecurity_crs_20_protocol_violations.conf?view=log

