VeriSign, Inc.® US Home | Worldwide Sites | Site Map
Products & Services Solutions Support About VeriSign Login for existing VeriSign customers
You Are Here: US Home > VeriSign iDefense Security Intelligence Service > Current Intelligence > Vulnerability Advisories > 2003 > 04.08.03

Denial of Service in Apache HTTP Server 2.x

I. BACKGROUND

The Apache Software Foundation's HTTP Server Project is an effort to develop and maintain an open-source web server for modern operating systems including Unix and Microsoft Corp.'s Windows. More information is available at http://httpd.apache.org/ .

II. DESCRIPTION

Remote exploitation of a memory leak in the Apache HTTP Server causes the daemon to over utilize system resources on an affected system. The problem is HTTP Server's handling of large chunks of consecutive linefeed characters. The web server allocates an eighty-byte buffer for each linefeed character without specifying an upper limit for allocation. Consequently, an attacker can remotely exhaust system resources by
generating many requests containing these characters.

III. ANALYSIS

While this type of attack is most effective in an intranet setting, remote exploitation over the Internet, while bandwidth intensive, is feasible. Remote exploitation could consume system resources on a targeted system and, in turn, render the Apache HTTP daemon unavailable. iDEFENSE has performed research using proof of concept exploit code to demonstrate the impact of this vulnerability. A successful exploitation scenario requires
between two and seven megabytes of traffic exchange.

IV. DETECTION

Both the Windows and Unix implementations of Apache HTTP Server 2.0.44 are
vulnerable; all 2.x versions up to and including 2.0.44 are most likely vulnerable as well.

V. VENDOR FIX/RESPONSE

Apache HTTP Server 2.0.45, which fixes this vulnerability, can be downloaded at http://httpd.apache.org/download.cgi . This release introduces a limit of 100 blank lines accepted before an HTTP connection is discarded.

VI. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has assigned the identification number CAN-2003-0132 to this issue.

VII. DISCLOSURE TIMELINE

01/23/2003 Issue disclosed to iDEFENSE
03/06/2003 security@apache.org contacted
03/06/2003 Response from Lars Eilebrecht
03/11/2003 Status request from iDEFENSE
03/13/2003 Response received from Mark J Cox
03/23/2003 Response received from Brian Pane
03/25/2003 iDEFENSE clients notified
04/08/2003 Coordinated Public Disclosure


Need more information?
Speak with a service representative at 650-426-5310 Request information online


Contact Us
Please contact sales at
650-426-5310 or
submit your inquiry online.
VeriSign iDefense Security Intelligence Service
Security Intelligence Service Levels
Alerts, Reports, and Briefings
Methodology
Research and Response Teams
Current Intelligence
Topical Research Reports
Vulnerability Advisories
Malicious Code Advisories
Information Center
Security Intelligence Webcasts
Proactive Security Intelligence
Intelligence for Patch Management
Early Threat Warning
Contact Us Careers Legal Notices Privacy Repository ©1995-2007 VeriSign, Inc. All rights reserved.
Products & Services  :  Solutions  :  Support  :  About VeriSign  :  Existing Customers
US Home  :  Worldwide Sites  :  Site Map  :  Search
VeriSign (Nasdaq: VRSN) operates intelligent infrastructure services that enable and protect billions of interactions across the world's voice and data networks. VeriSign offerings include SSL Certificates, two-factor authentication, identity protection, managed network security, public key infrastructure (PKI), security consulting, information management, as well as solutions for intelligent communications, commerce, and content. VeriSign is also building next-generation service offerings for emerging opportunities such as RFID-enabled supply chains, VoIP technology, and digital-content distribution over mobile and broadband networks.