Security Advisory --------------------------------------- Vulnerable Software: Artofdefence Hyperguard Web Application Firewall Vulnerable Version: 3 branches: prior to 3.1.1-11637; prior to 3.0.3-11636; prior to 2.5.5-11635 (Apache Plug-in) Homepage: http://www.artofdefence.com/ Found by: Michael Kirchner, Wolfgang Neudorfer, Lukas Nothdurfter (Team h4ck!nb3rg) Impact: Remote Denial of Service Product Description --------------------------------------- Hyperguard is a latest-generation enterprise Web application firewall with attack detection and attack protection functions that are freely configurable. Hyperguard enables centralised security monitoring, reporting and alerting and provides custom protection for your Web applications against external attacks. [Source: http://www.artofdefence.com/en/hyperguard/hyperguard.html] Vulnerability Description --------------------------------------- The Artofdefence Hyperguard Web Application Firewall operates as a reverse proxy module between the clients and the web server to be protected. All HTTP requests are checked before being forwarded to the web server. By sending specially crafted HTTP POST requests an attacker is able to trigger high memory usage on the WAF. By repeatedly sending the request the available memory is exhausted resulting in a kernel panic and therefore a denial of service. The vulnerability can be triggered by sending HTTP POST requests with a high "Content-Length" header value set but without transmitting any content. Artofdefence Hyperguard is available as a plug-in for several web servers. The vulnerability was confirmed in connection with the Apache web server module. Other modules have not been tested. Proof of Conept --------------------------------------- With 1 GB of free memory available on the WAF the kernel panic occured after sending ~350 crafted requests. Vulnerable Versions --------------------------------------- The tested version was of the 3.1.1 branch prior to 3.1.1-11637. According to the vendor the other two branches were also vulnerable (see version description in the header). Patch --------------------------------------- The vendor provides an updated version of the product for all three branches (see version description in the header). Contact Timeline --------------------------------------- 2009-05-22: Vendor informed 2009-05-22: Inital vendor reply 2009-05-25: Vulnerability confirmed 2009-05-29: Patched version available 2009-07-01: Public release Further information --------------------------------------- Information about the web application firewall project this advisory originates from can be found at: http://www.h4ck1nb3rg.at/wafs/