lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 14 Sep 2020 09:53:44 +0200
From: Christian Folini <christian.folini@...nea.com>
To: fulldisclosure@...lists.org
Subject: [FD] ModSecurity v3 affected by DoS (CVE-2020-15598)

ModSecurity v3.0.x is affected by a Denial of Service vulnerability due to the
global matching of regular expressions. The combination of a non-anchored
regular expression and the ModSecurity “capture” action can be exploited via a
specially crafted payload.

While ModSecurity v2.x used to quit the execution of a regular expression
after the first match. ModSecurity v3.0.x silently changed the behavior to
global matching. This results in a DoS for existing non-anchored regexes in
rules containing the “capture” action. It also fills the TX variable space
beyond the documented limit of 10 instances. The defense is handicapped due to
the absence of the SecRequestBodyNoFilesLimit directive. The vendor Trustwave
Spiderlabs dropped this functionality for ModSecurity v3.

The vendor did not publish a new release, but there is a patch that brings
back the former behavior.

CVSSv3: 7.5 HIGH 

https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1

Exploitability Metrics:
* Attack Vector: Network
* Attack Complexity: Low
* Priviledges Required: None
* User Interaction: None
* Scope: Unchanged
Impact Metrics:
* Confidentiality Impact: None
* Integrity Impact: None
* Availability Impact: High

Weakness Enumeration: CWE-400: Uncontrolled Resource Consumption

Known Affected Software Configurations:

    ModSecurity v3.0.0
    ModSecurity v3.0.1
    ModSecurity v3.0.2
    ModSecurity v3.0.3
    ModSecurity v3.0.4 (patch for this version available

More Information: https://coreruleset.org/20200914/cve-2020-15598/
 

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists