Aug 242011
 

Thought I would share this quick fix ref CVE-2011-3192 with the POC available here:
http://seclists.org/fulldisclosure/2011/Aug/175

First, if you are an apache admin, get this fixed ASAP. I was able to take down a small test server with 7 http get requests.

Login to the server and run this command to see if you have mod_headers installed:

locate mod_headers

If you see mod_headers.so in that list, you can continue to Configuring Apache.  Otherwise go to Compiling Mod_Headers

Compiling Mod_Headers:
This will require the source code for the version of apache you are running, obtain that using httpd -v

Then with the source code downloaded and extracted, follow these steps:
cd </path_to/httpd_VERSION/modules/metadata/
</path_to/apxs -c mod_headers.c
/path_to/apxs -i -a -n headers mod_headers.la
ls -la </path_to/http/modules/

If it now shows mod_headers.so in the modules directory, go to Configuring Apache.

Configuring Apache

Open up httpd.conf and search for mod_headers. When you find the line that says:

LoadModule headers_module     modules/mod_headers.so

Insert this code under it:

<IfModule mod_headers.c>
# Drop the Range header when more than 5 ranges.
# CVE-2011-3192
SetEnvIf Range (?:,.*?){5,5} bad-range=1
RequestHeader unset Range env=bad-range
# We always drop Request-Range; as this is a legacy
# dating back to MSIE3 and Netscape 2 and 3.
RequestHeader unset Request-Range
# optional logging.
CustomLog logs/range-CVE-2011-3192.log common env=bad-range
CustomLog logs/range-CVE-2011-3192.log common env=bad-req-range
</IfModule>

Next, restart apache by finding the path to apachectl:
which apachectl
apachectl configtest

If there are no errors, restart apache:
apachectl restart

Debian-Based Distros
See Comments Below

Updates:
20110826 – added bad-req-range log
– the older netscape fix as suggested by Apache Foundation
– modified the SetEnvIf variable as per Apache Foundation

  4 Responses to “Quick Fix for Apache CVE-2011-3192”

  1. Under Ubuntu (and presumably any Debian based distribution)…

    Check to make sure that the headers module has been installed:

    locate mod_headers

    Then, add the config above to the headers module:

    echo "# As found at http://www.edwiget.name/2011/08/quick-fix-for-apache-cve-2011-3192/

    SetEnvIf Range (,.*?){5,} bad-range=1
    RequestHeader unset Range env=bad-range
    # optional logging.
    CustomLog /var/log/apache2/range-CVE-2011-3192.log common env=bad-range
    " | sudo tee /etc/apache2/mods-available/headers.conf

    And lastly, enable the module:

    a2enmod headers

  2. […] I have been aware of the Apache web server issue for the last few days, where an overly wide range is requested from the server, leading to a crash in the server. As a patch hasn’t yet been released by Apache, people are coding their own solutions, and one such solution was found at edwidget.name. […]