ModSecurity up to 3.0.4 resource consumption ⚔ [Disputed]

Summaryinfo

A vulnerability classified as problematic has been found in ModSecurity 3.0.0/3.0.1/3.0.2/3.0.3/3.0.4. Affected by this issue is some unknown functionality. The manipulation leads to resource consumption. This vulnerability is uniquely identified as CVE-2020-15598. The attack is possible to be carried out remotely. Moreover, an exploit is present. The real existence of this vulnerability is still doubted at the moment. It is suggested to install a patch to address this issue.

Detailsinfo

A vulnerability was found in ModSecurity 3.0.0/3.0.1/3.0.2/3.0.3/3.0.4. It has been rated as problematic. This issue affects some unknown processing. The manipulation with an unknown input leads to a resource consumption vulnerability. Using CWE to declare the problem leads to CWE-400. The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources. Impacted is availability. The summary by CVE is:

Trustwave ModSecurity 3.x through 3.0.4 allows denial of service via a special request. NOTE: The discoverer reports "Trustwave has signaled they are disputing our claims." The CVE suggests that there is a security issue with how ModSecurity handles regular expressions that can result in a Denial of Service condition. The vendor does not consider this as a security issue because1) there is no default configuration issue here. An attacker would need to know that a rule using a potentially problematic regular expression was in place, 2) the attacker would need to know the basic nature of the regular expression itself to exploit any resource issues. It's well known that regular expression usage can be taxing on system resources regardless of the use case. It is up to the administrator to decide on when it is appropriate to trade resources for potential security benefit

The weakness was disclosed 09/14/2020 by Ervin Hegedüs as confirmed mailinglist post (Full-Disclosure). The advisory is shared at seclists.org. The public release has been coordinated in cooperation with the project team. The identification of this vulnerability is CVE-2020-15598. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. Technical details are unknown but a private exploit is available. MITRE ATT&CK project uses the attack technique T1499 for this issue. The following code is the reason for this vulnerability:

do { rc = pcre_exec(m_pc, …) … } while (rc > 0)

A private exploit has been developed by Ervin Hegedüs. It is declared as proof-of-concept. The vulnerability was handled as a non-public zero-day exploit for at least 91 days. During that time the estimated underground price was around $0-$5k. The real existence of this vulnerability is still doubted at the moment.

Applying the patch cve-2020-15598.patch is able to eliminate this problem. The bugfix is ready for download at gist.githubusercontent.com. A possible mitigation has been published immediately after the disclosure of the vulnerability.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Productinfo

Name

• ModSecurity

Version

• 3.0.0
• 3.0.1
• 3.0.2
• 3.0.3
• 3.0.4

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Discussion