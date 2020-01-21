Denial-of-Service (DoS) vulnerability found in the popular open-source web application firewall (WAF) ModSecurity’s 3.0.x release line.

ModSecurity 3.0.x release line users are urged to update to the latest version to avoid exposure. Security professionals can also create their own custom rules or by deploying existing libraries. The vulnerability arises when the WAF technology attempts to parse a malformed cookie header. ModSecurity 2.x release line is not affected by the flaw.

Upgrade to v3.0.4

According to a ModSecurity Core Rule Set blog post, LibModSecurity 3.0.x still fails 2-3% of the tests. Problems may be caused by the engine itself or the connector module which links webserver with the tules engine. Trustwave, which manages ModSecurity published a detailed analysis of the issue a week after the update release.

CRS developer Ervin Hededüs said,

“CRS has a regression test case, where the request contains only a single string without `=` as HTTP Cookie. The failed result with modsecurity3 occurred because if the Cookie header parts didn’t contained `=`, then it wasn’t handled as cookie.”

CRS developer Andrea Menin said,

“Ervin reproduced both libModSecurity cookie parser and his patched version in a standalone binary that reads a cookie string from the first argument and parse it comparing the results between the “old” and the new parser. Ervin asked me to check his patch looking for other ways to bypass it. As you know, in a cookie string each name and value are separated by a = and each cookie name/value pairs are separated by a ;. After few tests, I started to put random sequences of ; and = trying to crash it. By sending ;=; nothing has happened but removing the first ; something went wrong.”

