Apache Range header vulnerability - CVE-2011-3192

2013-09-12T04:10:00
ID F5:K13114
Type f5
Reporter f5
Modified 2019-06-06T18:27:00

Description

F5 Product Development has assigned ID 366505 (BIG-IP and Enterprise Manager) and ID 366621 (ARX) to this vulnerability. To determine if your release is known to be vulnerable, and for information about releases or hotfixes that resolve the vulnerability, refer to the following table:

Product | Versions known to be Vulnerable | Versions known to be Not Vulnerable | Vulnerable component or feature
---|---|---|---
BIG-IP LTM | 9.0.0 - 9.4.8
10.0.0 - 10.2.2
11.0.0
| 10.2.2-HF3
10.2.3 and later
11.0.0-HF1
11.1.0 and later
| Configuration utility

Virtual servers are not vulnerable, but may proxy exploits to vulnerable servers
BIG-IP GTM | 9.2.2 - 9.4.8
10.0.0 - 10.2.2
11.0.0 | 10.2.2-HF3
10.2.3 and later
11.0.0-HF1
11.1.0 and later
| Configuration utility
BIG-IP ASM | 9.2.0 - 9.4.8
10.0.0 - 10.2.2
11.0.0 | 10.2.2-HF3
10.2.3 and later
11.0.0-HF1
11.1.0 and later
| Configuration utility

Virtual servers are not vulnerable, but may proxy exploits to vulnerable servers
BIG-IP Link Controller | 9.2.2 - 9.4.8
10.0.0 - 10.2.2
11.0.0
| 10.2.2-HF3
10.2.3 and later
11.0.0-HF1
11.1.0 and later
| Configuration utility

Virtual servers are not vulnerable, but may proxy exploits to vulnerable servers
BIG-IP WebAccelerator | 9.4.0 - 9.4.8
10.0.0 - 10.2.2
11.0.0 | 10.2.2-HF3
10.2.3 and later
11.0.0-HF1
11.1.0 and later
| Configuration utility

Virtual servers are not vulnerable, but may proxy exploits to vulnerable servers
BIG-IP PSM | 9.4.0 - 9.4.8
10.0.0 - 10.2.2
11.0.0 | 10.2.2-HF3
10.2.3 and later
11.0.0-HF1
11.1.0 and later
| Configuration utility

Virtual servers are not vulnerable, but may proxy exploits to vulnerable servers
BIG-IP WOM | 10.0.0 - 10.2.2
11.0.0 | 10.2.2-HF3
10.2.3 and later
11.0.0-HF1
11.1.0 and later
| Configuration utility

Virtual servers are not vulnerable, but may proxy exploits to vulnerable servers
BIG-IP APM | 10.1.0 - 10.2.2
11.0.0 | 10.2.2-HF3
10.2.3 and later
11.0.0-HF1
11.1.0 and later
| Configuration utility

Virtual servers are not vulnerable, but may proxy exploits to vulnerable servers
BIG-IP Edge Gateway
| 10.1.0 - 10.2.2
11.0.0 | 10.2.2-HF3
10.2.3 and later
11.0.0-HF1
11.1.0 and later
| Configuration utility

Virtual servers are not vulnerable, but may proxy exploits to vulnerable servers
BIG-IP Analytics
| 11.0.0 | 11.0.0-HF1
11.1.0 and later
| Configuration utility

BIG-IP AFM | None | 11.3.0 and later | None
BIG-IP PEM
| None | 11.3.0 and later | None
BIG-IP AAM | None | 11.4.0 and later | None
FirePass | None | 6.x
7.x | None
Enterprise Manager | 1.7.0 - 1.8.0
2.0.0 - 2.2.0
| 2.3.0 and later
3.x
| Configuration utility

ARX | 5.0.0 - 5.3.1
6.0.0 - 6.1.1 | 6.2.0 and later
| API (disabled by default)

BIG-IP 11.x

To eliminate this vulnerability, upgrade to a version that is listed in the Versions known to be Not Vulnerable column of the table.

To mitigate this vulnerability, you can unset suspect Range and Request-Range headers in inbound requests. To do so, perform the following procedure:

Impact of procedure: The Range header will be removed from a request only when more than five ranges are specified and the Request-Range header will be removed from all requests.

  1. Log in to the Traffic Management Shell (tmsh) by entering the following command:

tmsh

Note: If you are currently logged in to the tmsh shell, you can skip this step. 2. Modify the configuration of the httpd service by typing the following command:

edit sys httpd 3. The previous command opens a text editor that you can use to modify the configuration of the httpd service. The text editor displays the following line:

modify httpd { } 4. Replace the above line with the following lines:

modify httpd {
include "

CVE-2011-3192

Drop the Range header when more than 5 ranges

SetEnvIf Range (,.*?){5,} bad-range=1
RequestHeader unset Range env=bad-range
RequestHeader unset Request-Range"
} 5. Save the file using the name suggested by the text editor (for example, /var/tmp/tmsh/2tKkrO/data). 6. Upon exiting the text editor, the tmsh displays the following prompt:

Save changes? (y/n/e) 7. Save the changes by typing the following:

y 8. Save the configuration by typing the following command:

save sys config 9. Restart the httpd service by typing the following command:

restart sys service httpd

BIG-IP 10.1.0 through 10.2.2

To eliminate this vulnerability, upgrade to a version that is listed in the Versions known to be Not Vulnerable column of the table.

To mitigate this vulnerability, you can unset suspect Range and Request-Range headers in inbound requests. To do so, perform the following procedure:

Impact of procedure: The Range header will be removed from a request only when more than five ranges are specified and the Request-Range header will be removed from all requests.

  1. Log in to the BIG-IP system command line.
  2. Change directories to the /var/tmp directory by typing the following command:

cd /var/tmp 3. Using a text editor, create a new file named CVE-2011-3192 and paste the following lines into it:

httpd include "

CVE-2011-3192

Drop the Range header when more than 5 ranges

SetEnvIf Range (,.*?){5,} bad-range=1
RequestHeader unset Range env=bad-range
RequestHeader unset Request-Range"

  1. Save the new file.
  2. Merge the CVE-2011-3192 file into the BIG-IP system configuration by typing the following command:

bpsh < CVE-2011-3192 6. Save the configuration by typing the following command:

bigpipe save all

  1. Restart the httpd service by typing the following command:

bigstart restart httpd

BIG-IP 9.4.2 through 10.0.1

To eliminate this vulnerability, upgrade to a version that is listed in the Versions known to be Not Vulnerable column of the table.

To mitigate this vulnerability, you can unset all Range and Request-Range headers in inbound requests. To do so, perform the following procedure:

Impact of procedure: The Range and Request-Range headers will be removed from all requests.

  1. Log in to the BIG-IP system command line.
  2. Change directories to the /var/tmp directory by typing the following command:

cd /var/tmp 3. Using a text editor, create a new file named CVE-2011-3192 and paste the following lines into it:

httpd include "

CVE-2011-3192

RequestHeader unset Range
RequestHeader unset Request-Range"

  1. Save the new file.
  2. Merge the CVE-2011-3192 file into the BIG-IP system configuration by typing the following command:

bpsh < CVE-2011-3192 6. Save the configuration by typing the following command:

bigpipe save all 7. Restart the httpd service by typing the following command:

bigstart restart httpd

BIG-IP 9.0.0 through 9.4.1

To eliminate this vulnerability, upgrade to a version that is listed in the Versions known to be Not Vulnerable column of the table.

To mitigate this vulnerability, you can unset all Range and Request-Range headers in inbound requests. To do so, perform the following procedure:

Impact of procedure: The Range and Request-Range headers will be removed from all requests.

  1. Log in to the BIG-IP system command line.
  2. Change directories to the /config/httpd/conf directory by typing the following command:

cd /config/httpd/conf 3. Back up the original httpd.conf file by typing the following command:

cp httpd.conf httpd.conf.bak 4. Open the httpd.conf file in a text editor. 5. Add the following lines to the end of the file:

CVE-2011-3192

RequestHeader unset Range
RequestHeader unset Request-Range

  1. Save the httpd.conf file.
  2. Restart the httpd service by typing the following command:

bigstart restart httpd

Configure BIG-IP virtual servers to protect vulnerable back-end Apache servers

While the BIG-IP virtual servers are not vulnerable, the BIG-IP system will proxy exploits to vulnerable Apache servers behind the BIG-IP system. You can protect these servers by removing the Range header from all requests. To do so, apply an iRule containing the following logic to each BIG-IP virtual server:

Impact of recommended action: The Range header will be removed from all requests.

when HTTP_REQUEST {
# remove Range requests for CVE-2011-3192
HTTP::header remove Range
HTTP::header remove Request-Range
}

It is possible to use a custom BIG-IP ASM attack signature or more sophisticated iRule logic to protect back-end Apache servers. For more information, refer to the DevCentral article referenced in the Supplemental Information section.

FirePass

  • None

Enterprise Manager 2.x

To eliminate this vulnerability, upgrade to a version that is listed in the Versions known to be Not Vulnerable column of the table.

To mitigate this vulnerability, you can unset suspect Range and Request-Range headers in inbound requests. To do so, perform the following procedure:

Impact of procedure: The Range header will be removed from a request only when more than five ranges are specified and the Request-Range header will be removed from all requests.

  1. Log in to the Enterprise Manager system command line.
  2. Change directories to the /var/tmp directory by typing the following command:

cd /var/tmp 3. Using a text editor, create a new file named CVE-2011-3192 and paste the following lines into it:

httpd include "

CVE-2011-3192

Drop the Range header when more than 5 ranges

SetEnvIf Range (,.*?){5,} bad-range=1
RequestHeader unset Range env=bad-range
RequestHeader unset Request-Range" 4. Save the new file. 5. Merge the CVE-2011-3192 file into the BIG-IP system configuration by typing the following command:

bpsh < CVE-2011-3192 6. Save the configuration by typing the following command:

bigpipe save all 7. Restart the httpd service by typing the following command:

bigstart restart httpd

Enterprise Manager 1.x

To eliminate this vulnerability, upgrade to a version that is listed in the Versions known to be Not Vulnerable column of the table.

To mitigate this vulnerability, you can unset suspect Range and Request-Range headers in inbound requests. To do so, perform the following procedure:

Impact of procedure: The Range and Request-Range headers will be removed from all requests.

  1. Log in to the Enterprise Manager system command line.
  2. Change directories to the /config/httpd/conf directory by typing the following command:

cd /config/httpd/conf 3. Back up the original httpd.conf file by typing the following command:

cp httpd.conf httpd.conf.bak 4. Open the httpd.conf file in a text editor. 5. Add the following lines to the end of the file:

CVE-2011-3192

RequestHeader unset Range
RequestHeader unset Request-Range 6. Save the httpd.conf file. 7. Restart the httpd service by typing the following command:

bigstart restart httpd

ARX

To eliminate this vulnerability, upgrade to a version that is listed in the Versions known to be Not Vulnerable column of the table.

To mitigate this vulnerability, do not enable the API functionality.

Note: This link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge.