UA-Parser Denial Of Service

`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256  
  
X41 D-SEC GmbH Security Advisory: X41-2018-009  
  
ReDoS Vulnerability in UA-Parser  
================================  
Severity Rating: Medium  
Confirmed Affected Versions: 2015-05-14 and newer, commit  
6fd6c261274254bcbbacd77ef4b12534c7f9923d  
Confirmed Patched Versions: v0.6.0 released 2018-12-14, commit  
010ccdc7303546cd22b9da687c29f4a996990014  
Vendor: UA-Parser Project  
Vendor URL: https://github.com/ua-parser  
Vector: HTTP request  
Credit: X41 D-SEC GmbH, Luc Gommans  
Status: Public  
CVE: CVE-2018-20164  
CVSSv3 Score: 5.3  
CVSSv3 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L  
Advisory-URL:  
https://www.x41-dsec.de/lab/advisories/x41-2018-009-uaparser/  
  
Summary and Impact  
==================  
The programming library UA-Parser uses regular expressions to identify  
user agent strings. The complexity of some of the regular expressions  
is such that an attacker can craft special patterns that keep the  
server busy for a long time. By sending many requests in short order,  
an attacker can exhaust the amount of processing power available. This  
causes the website to become unavailable for legitimate visitors.  
  
In common setups, the user agent string is parsed whenever a page is  
visited. This means that anyone can abuse the bug, typically without  
authentication. There are no common circumstances which would prevent  
an attack from working reliably, i.e. an attacker can consistently and  
repeatedly exploit the issue until the site has become unreachable.  
For more information on regular expression-based denial of service,  
see the OWASP page on ReDoS:  
  
https://www.owasp.org/index.php/RegularexpressionDenialofService-ReDoS  
  
The UA-Parser project consists of a core repository, uap-core, and  
implementations in various languages. The regular expressions are  
defined in the core project and each implementation is automatically  
vulnerable.  
  
Product Description  
===================  
When a user agent (such as a browser) connects to a website, it  
identifies itself with a 'user agent string'. This string helps the  
server determine relevant content, for example to serve the  
appropriate installer for visitors with different operating systems.  
The UA-Parser project collects regular expressions that extract the  
type of device and operating system from these strings.  
Implementations in different languages are automatically vulnerable,  
including the reference implementation in JavaScript:  
<https://github.com/ua-parser/uap-ref-impl>  
  
Proof of Concept  
================  
There are multiple vulnerable regular expressions. They are collected  
in the file regex.yaml, for example on lines 911 and 4961. The regular  
expression on line 911 is as follows:  
  
(x86_64|aarch64)\ (\d+)+\.(\d+)+\.(\d+)+.*Chrome.*(?:CitrixChromeApp)$  
  
Any implementation using this library will hang for a few seconds (on  
comodity hardware) when sending the following HTTP request:  
  
GET / HTTP/1.0  
User-Agent: x86_64 1111111111111111111111111111  
  
Normal user agent strings can be over a hundred bytes long: this  
string of 35 bytes is not an abnormal request. Adding one more byte  
makes the processing significantly longer.  
This particular regular expression was introduced in September 2018. The  
regular expression on line 4961 was introduced in May 2015 and can be  
exploited as follows:  
  
GET / HTTP/1.0  
User-Agent:  
HbbTV/1.1.1CE-HTML/1.1;THOM;SW-Version/1;SW-Version/1;SW-Version/1;SW-Version/1;SW-Version/1;SW-Version/1;SW-Version/1;SW-Version/1;SW-Version/1;SW-Version/1;LF  
  
Each additional repetition of SW-Version/1; will multiply the  
processing time by roughly a factor 6.2. Where eleven repetitions take  
about seven seconds, fourteen repetitions already occupy a server for  
half an hour.  
  
Workarounds  
===========  
As demonstrated, the input does not have to be particularly long to  
exploit the issue. This may be the case, and a few hundred kilobytes  
may slow down most regular expressions, but limiting the maximum  
length is not a solution by itself.  
The root cause is the regular expression, which should be limited in  
complexity. This involves manual work and there is no solution that  
can be applied to all regular expressions in the project.  
  
To aid in identifying problematic regular expressions, one may use  
projects such as <https://github.com/jagracey/RegEx-DoS>.  
  
Timeline  
========  
2018-11-26 Issue found.  
2018-11-29 Permission from customer to disclose to upstream.  
2018-11-29 Requested secure channel from vendor for communication.  
2018-12-04 Disclosed to vendor.  
2018-12-14 Patch released by vendor, CVE number requested.  
2018-12-15 CVE-2018-20164 assigned.  
2019-01-10 Advisory released.  
  
About X41 D-SEC GmbH  
====================  
X41 is an expert provider for application security services.  
Having extensive industry experience and expertise in the area of  
information security, a strong core security team of world class  
security experts enables X41 to perform premium security services.  
Fields of expertise in the area of application security are  
security-oriented code reviews, binary reverse engineering, and  
vulnerability discovery. Custom research, IT security consulting, and  
support services are core competencies of X41.  
-----BEGIN PGP SIGNATURE-----  
  
iQIzBAEBCAAdFiEEpwxVTgxAIcUvTugIo5Klpg50CxAFAlw3hqoACgkQo5Klpg50  
CxArWxAAkcs4jVv+2HPRBRO5BgajfRlEmCnDY31WM3hyh3XpzgxN9dONKT5PbR18  
5wa2tVsoEDUY4BaUTS4w9no61aGxBJcvl4Xlouz0zecfgUfSGajRLmshSpqanxM2  
eOUYl9aai35A65R2Oc6O4z/BLxe7ldi/Y1A1/ZA+Dh6V7kYnabr3C5up+rsagDul  
6TISvqIFAj46m6ZhIiwFFXwIQ3k7rMM8sLzsvmzUsHAdFTfJvV15sW5KoHm5FhNp  
568oOi7eimULwvFj1+88LzEfAZz/gC6nrTGbKrCZ5WnGVI59ltnLudCxkN5Dk6Zc  
63Ygm3/YTfjFsQU9YG0qcuk55E6r2FYFBQvYGL5KWytraC1T+LaUQvZl5Ni3gO6b  
/XOwiOaarxPhTnYuCc4wE/d3tiQ/h8h6iA0SiNNJOYtJBWEd4VLFC6dHb3kMXOYL  
VlBsszwPnPH4ee5l5ZsOnsmkw0JI7Yzqmvtx7FH0sUdyzFSnmRUrrmSABu/REEqz  
iWJwzrXMUEy7W9Ywt5S39fUqah+QiTgLhESaKoJ/USfuc+IpbJQ2dJMWZJApNHcR  
0iadgmYHtdgShYwtLlre4Zf4l3r8Lm3TewUsUYOKdd50AMvL5zZtl4O18WOnQUH9  
B57oJ5ZuHl+hZFPFLYikzyZfZ3iOhslDFu7QeNxtzLACT362gKA=  
=RxfQ  
-----END PGP SIGNATURE-----  
`