
Preemptive Protection against Apache HTTPD Ranges Header Field Denial of Service (CVE-2011-3192)


Check Point Reference: CPAI-2011-402
Date Published:
Severity:
Source: Apache HTTPD Security ADVISORY
Industry Reference(s): CVE-2011-3192
Protection Provided by: Security Gateway
  • R75
  • R71
  • R70
Who is Vulnerable?
Apache 1.3 all versions
Apache 2 all versions
Vulnerability Description
A denial of service vulnerability has been reported in the Apache HTTP Server (httpd). Successful exploitation may cause the server to become unresponsive, resulting in a denial of service condition.
Vulnerability Details
The vulnerability is due to an error in the Apache HTTP Server's handling of requests with malformed Range header values. A remote attacker could exploit this vulnerability by sending a series of specially crafted HTTP requests to a vulnerable server.

Protection Overview
This protection detects and blocks attempts to send malicious requests to the server.

No update is required to address this vulnerability.

To configure the defense, select your product from the list below and follow the related protection steps.

Security Gateway R75 / R71 / R70

How Can I Protect My Network?

  1. In the IPS tab, click Protections and find the Header Rejection protection using the Search tool. 
  2. Click on Edit 

     
  3. Add another Application. 
    1. Use 'Range' for the Header Name field
    2. Use this for the Header Value field:
      bytes= *[0-9]*-[0-9]* *, *[0-9]*-[0-9]* *, *[0-9]*-[0-9]* *, *[0-9]*-[0-9]* *, *[0-9]*-[0-9]* *, *[0-9]*-[0-9]* *,
    3. Name the new application.

  4. In the Protection Details window, select the required profile and then click on Edit. 
  5. Make sure the protection is activated for this profile. Override the profile default action if needed.
  6. Select Apply to all HTTP traffic, or select specific web servers to protect.
  7. Check and activate the new Application.

     
  8. Install policy on all modules.
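
To see which Range values the Header Value pattern from step 3 catches, the following added example (not Check Point's code) evaluates it with Python's re module against constructed header values. It assumes the gateway applies the pattern as an unanchored regular expression search, which this page does not state; the function names are illustrative.

```python
import re

# Header Value pattern copied verbatim from step 3 of the procedure:
# "bytes=" followed by six "<start>-<end>," units with optional spaces.
HEADER_VALUE_PATTERN = (
    "bytes= *[0-9]*-[0-9]* *, *[0-9]*-[0-9]* *, *[0-9]*-[0-9]* *,"
    " *[0-9]*-[0-9]* *, *[0-9]*-[0-9]* *, *[0-9]*-[0-9]* *,"
)
_COMPILED = re.compile(HEADER_VALUE_PATTERN)

# Constructed sample Range header values (not captured traffic).
SAMPLES = [
    "bytes=0-499",                                  # single range
    "bytes=-500",                                   # suffix range
    "bytes=0-99,200-299",                           # two ranges
    "bytes=0-1,2-3,4-5,6-7,8-9,10-11",              # six ranges, five commas
    "bytes=0-1, 2-3, 4-5, 6-7, 8-9, 10-11, 12-13",  # seven ranges
    "bytes=0-,1-,2-,3-,4-,5-,6-",                   # seven open-ended ranges
]


def count_ranges(value: str) -> int:
    """Number of comma-separated range specs after the 'bytes=' unit."""
    _, _, specs = value.partition("=")
    return len([s for s in specs.split(",") if s.strip()])


def is_rejected(value: str) -> bool:
    """True if the pattern occurs in the value (assumed unanchored search)."""
    return _COMPILED.search(value) is not None


def evaluate(values):
    """Return (value, range_count, rejected) for each header value."""
    return [(v, count_ranges(v), is_rejected(v)) for v in values]


if __name__ == "__main__":
    for value, n, rejected in evaluate(SAMPLES):
        verdict = "REJECT" if rejected else "pass"
        print(f"{verdict:6}  ranges={n:<2}  Range: {value}")
```

Under these assumptions the pattern needs six ranges that are each followed by a comma, so a request with six or fewer ranges and no trailing comma passes and a request with seven or more is rejected.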

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: Header Rejection
Attack Information: WSE0100001 header rejection pattern found in request