ÈÐ Wïgê† Ðð† ñåmê

ïñ£ð§ê¢, ïñ£ðrmå†ïðñ §ê¢µr, Ðïgï†ål £ðrêñ§ï¢§, hå¢kïñg, §¥§†êm åÐmïñ阮rå†ïðñ, lïñµx ßlðg

Quick Fix for Apache CVE-2011-3192

, , , , ,

Thought I would share this quick fix ref CVE-2011-3192 with the POC available here:
http://seclists.org/fulldisclosure/2011/Aug/175

First, if you are an apache admin, get this fixed ASAP. I was able to take down a small test server with 7 http get requests.

Login to the server and run this command to see if you have mod_headers installed:

locate mod_headers

If you see mod_headers.so in that list, you can continue to Configuring Apache.  Otherwise go to Compiling Mod_Headers

Compiling Mod_Headers:
This will require the source code for the version of apache you are running, obtain that using httpd -v

Then with the source code downloaded and extracted, follow these steps:
cd </path_to/httpd_VERSION/modules/metadata/
</path_to/apxs -c mod_headers.c
/path_to/apxs -i -a -n headers mod_headers.la
ls -la </path_to/http/modules/

If it now shows mod_headers.so in the modules directory, go to Configuring Apache.

Configuring Apache

Open up httpd.conf and search for mod_headers. When you find the line that says:

[codesyntax lang=”bash”]

LoadModule headers_module     modules/mod_headers.so

[/codesyntax]

Insert this code under it:

[codesyntax lang=”bash”]
<IfModule mod_headers.c>
# Drop the Range header when more than 5 ranges.
# CVE-2011-3192
SetEnvIf Range (?:,.*?){5,5} bad-range=1
RequestHeader unset Range env=bad-range

# We always drop Request-Range; as this is a legacy
# dating back to MSIE3 and Netscape 2 and 3.
RequestHeader unset Request-Range

# optional logging.
CustomLog logs/range-CVE-2011-3192.log common env=bad-range
CustomLog logs/range-CVE-2011-3192.log common env=bad-req-range
</IfModule>
[/codesyntax]

Next, restart apache by finding the path to apachectl:
which apachectl
apachectl configtest

If there are no errors, restart apache:
apachectl restart

Debian-Based Distros
See Comments Below

Updates:
20110826 – added bad-req-range log
– the older netscape fix as suggested by Apache Foundation
– modified the SetEnvIf variable as per Apache Foundation

4 responses to “Quick Fix for Apache CVE-2011-3192”

  1. JonTheNiceGuy Avatar
    JonTheNiceGuy

    Under Ubuntu (and presumably any Debian based distribution)…

    Check to make sure that the headers module has been installed:

    locate mod_headers

    Then, add the config above to the headers module:

    echo "# As found at http://www.edwiget.name/2011/08/quick-fix-for-apache-cve-2011-3192/

    SetEnvIf Range (,.*?){5,} bad-range=1
    RequestHeader unset Range env=bad-range
    # optional logging.
    CustomLog /var/log/apache2/range-CVE-2011-3192.log common env=bad-range
    " | sudo tee /etc/apache2/mods-available/headers.conf

    And lastly, enable the module:

    a2enmod headers

    1. JonTheNiceGuy Avatar
      JonTheNiceGuy

      Damn, that code should have been:

      # As found at http://www.edwiget.name/2011/08/quick-fix-for-apache-cve-2011-3192/
      <IfModule mod_headers.c>
      SetEnvIf Range (,.*?){5,} bad-range=1
      RequestHeader unset Range env=bad-range
      # optional logging.
      CustomLog /var/log/apache2/range-CVE-2011-3192.log common env=bad-range
      </IfModule>

      1. edwigetadmin Avatar
        edwigetadmin

        Thanks for your contribution

        I might add that the instructions I presented were for custom compiled apache on RHEL/CENTOS 5.6 and other source based distributions (gentoo, sabayon, arch, etc)

        Ed

  2. Quick Fix for Apache CVE-2011-3192 – Ubuntu/Debian – A nice guy's view on life

    […] I have been aware of the Apache web server issue for the last few days, where an overly wide range is requested from the server, leading to a crash in the server. As a patch hasn’t yet been released by Apache, people are coding their own solutions, and one such solution was found at edwidget.name. […]

Leave a Reply