CVE-2014-5336 in HTTP Daemon
Summary
by MITRE
Monkey HTTP Server before 1.5.3, when the File Descriptor Table (FDT) is enabled and custom error messages are set, allows remote attackers to cause a denial of service (file descriptor consumption) via an HTTP request that triggers an error message.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 03/28/2022
The vulnerability identified as CVE-2014-5336 affects the Monkey HTTP Server version 1.5.3 and earlier, representing a significant security flaw that can lead to denial of service conditions. This issue specifically manifests when the File Descriptor Table (FDT) feature is enabled alongside custom error message configurations, creating a scenario where malicious actors can exploit the server's error handling mechanism to consume excessive file descriptors.
The technical root cause of this vulnerability lies in how the Monkey HTTP Server processes error conditions when FDT is active. When an HTTP request triggers an error condition, the server's custom error message handling routine fails to properly manage file descriptor allocation and deallocation. This flaw creates a resource exhaustion scenario where each malicious request consumes additional file descriptors without proper cleanup, eventually leading to the server exhausting its available file descriptor limit and becoming unresponsive to legitimate requests.
From an operational perspective, this vulnerability presents a serious threat to web server availability and system stability. Attackers can systematically consume file descriptors by sending carefully crafted HTTP requests that consistently trigger error conditions, effectively rendering the web server incapable of serving legitimate requests. The impact extends beyond simple service disruption as this vulnerability can affect not only the targeted web server but potentially impact the entire system by exhausting system-wide file descriptor limits, affecting other running processes and services.
The vulnerability aligns with CWE-400, which addresses "Uncontrolled Resource Consumption," and demonstrates how improper resource management in error handling routines can lead to denial of service conditions. This weakness can be exploited through techniques categorized under ATT&CK tactic TA0040, specifically "Resource Hijacking," where adversaries consume system resources to deny service to legitimate users. The attack vector requires minimal sophistication as it only necessitates sending HTTP requests that trigger error conditions, making it particularly dangerous in production environments where the server may be exposed to untrusted network traffic.
Organizations should implement immediate mitigations including upgrading to Monkey HTTP Server version 1.5.3 or later, which contains the necessary patches to address the file descriptor management issue. Additionally, administrators should disable the File Descriptor Table feature if it is not essential for their specific use case, and implement proper monitoring to detect unusual file descriptor consumption patterns. Network-level protections such as rate limiting and request filtering can also help mitigate the impact of such attacks by limiting the number of requests that can trigger error conditions within a given time period, thereby preventing rapid exhaustion of available file descriptors.