Apache Confirms Web Server DoS Vulnerability, Promises Quick Patch
A denial-of-service tool that exploits a security flaw in the Apache Web server software is available in the wild. The Apache team is working on a fix and is expected to roll it out over the next few days.
Called "Apache Killer," the DoS tool appeared Aug. 19 on the "Full Disclosure" security mailing list. The Apache Software Foundation acknowledged on Aug. 24 that the vulnerability the tool targets existed, and promised a fix for Apache 2.0 and 2.2 "in the next 96 hours."
Apache is the most widely used Web server software in the world, accounting for 65.2 percent of all such software currently in use, according to United Kingdom-based security consultancy Netcraft. The Apache team said all versions of the software in the 1.3 and 2.0 lines have the DoS bug and are vulnerable to attack. Apache 1.3 is no longer supported and administrators should have moved on to more recent versions already.
"An attack tool is circulating in the wild. Active use of this tool has been observed," according to a security advisory from the Apache project.
The Web server software has a flaw in how multiple overlapping HTTP ranges are handled, the team said in the security advisory. The attack can be launched remotely and a "modest number of requests" can consume significant amounts of memory and CPU on the server, according to the advisory.
The bug was first reported in 2007 on the bugtraq Website by Michal Zalewski, a Google security engineer. Zalewski had said at the time that launching a DoS attack taking advantage of the flaw would be simplistic.
"A lone, short request can be used to trick the server into firing gigabytes of bogus data into the void, regardless of the server file size, connection count, or keep-alive request number limits implemented by the administrator. Whoops?" he wrote in the initial report.
A researcher under the name of Kingcope posted about the bug on Full Disclosure last week. The post was accompanied by a Perl script to execute an attack that could exhaust the memory of a remote Apache server "rather quickly," Ryan Barnett, senior security researcher at Trustwave wrote on the SpiderLAbs Anterior blog Aug. 24.
When executed, the script sends malicious HTTP Range Request headers for large amounts of data. Apache breaks up large requests in smaller chunks, but the malicious request is sizeable enough that system resources get tied up processing each of the chunks, according to Barnett.
"It appears due to its lack of sophistication, that it did not get much attention by Apache developers and it has remained unpatched all of this time," said Kevin Shortt, an incident handler at SAN Institute's Internet Storm Center.
To read the original eWeek article, click here: Apache Confirms DoS Vulnerability in Web Server, Promises Quick Patch