Mac Leopard Server and Range Header DoS Vulnerability Apache HTTPD CVE-2011-3192

During a recent security scan of our machines, we found that one Leopard server had this range header DoS vulnerability for  Apache web server (CVE-2011-3192). We updated the Leopard server with all the updates from Apple, but this problem still was not fixed. We had to do it manually to fix the problem.

According to the bulletin, the mitigation is to “Use SetEnvIf or mod_rewrite to detect a large number of ranges and then either ignore the Range: header or reject the request.” Here is what I did on the Leopard server:

  1. Open Terminal application.
  2. Use a text editor (vi or pico) to edit the web server configuration file httpd.conf .
    sudo vi /etc/apache2/httpd.conf
  3. Append the following to the end of httpd.conf .
    # Drop the Range header when more than 5 ranges.
    # CVE-2011-3192
    SetEnvIf Range (?:,.*?){5,5} bad-range=1
    RequestHeader unset Range env=bad-range
    
    # We always drop Request-Range; as this is a legacy
    # dating back to MSIE3 and Netscape 2 and 3.
    #
    RequestHeader unset Request-Range
  4. Save the file.
  5. Restart the web server.


This post may contain affiliated links. When you click on the link and purchase a product, we receive a small commision to keep us running. Thanks.


Be the first to comment

Leave a Reply