Issue fixed in latest version of popular web app firewall

UPDATED Users of the ModSecurity 3.0.x release line need to update to the latest version to avoid exposure to a recently resolved Denial-of-Service (DoS) vulnerability.

ModSecurity is a popular open source web application firewall (WAF) that works by applying a configured set of rules to incoming requests.

Security professionals can create their own custom rules or deploy existing libraries, such as those from the free-to-install OWASP ModSecurity Core Rule Set (CRS) project.

The ModSecurity 3.0.x release line suffers from a DoS vulnerability: a segmentation fault on protected webservers, triggered when the WAF attempts to parse a malformed cookie header.

ModSecurity 2.x is not affected.

The flaw might be characterized as a teething problem that stems from ongoing work fine-tuning LibModSecurity 3.0.x.

Look closer

ModSecurity 2.9 on Apache serves as a reference platform that passes an expanding list of over 2300 tests.

LibModSecurity 3.0.x still fails 2-3% of the tests either due to problems with the engine itself or the connector module that links the webserver with the rules engine, as a post on the ModSecurity Core Rule Set blog explains.

The DoS problem stemmed from the initial cookie parsing implementation in ModSecurity 3 rather than any issues in a recent patch, as incorrectly implied by the initial version of this article.

CRS developer Ervin Hegedüs, the researcher who developed the fix, told The Daily Swig: “The first patch fixed all the bugs (there were three different bugs, including the DoS). When [I] tried my tool, we realized that there is a new [DoS bug] near the discovered two (cookie bypass) bugs. But the patch fixed this one too.”

“So, there was the patch first, and when we checked it's done, we found a new issue in old code - which was already fixed in new [software update].”

CRS developer Andrea Menin uncovered the DoS bug when he “started to throw random cookie headers at the code” (i.e. fuzzing) back in October.

This revealed not merely a behavioural difference between ModSec3 and ModSec2, but a “DoS vulnerability affecting Nginx and other webservers”.
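To illustrate the fuzzing approach described above, here is an added example (not code from ModSecurity, Trustwave or the CRS team): a tolerant Cookie header parser in Python, plus a small random-input harness that checks the parser never throws on malformed headers. Both the parser and the generated inputs are constructed for this illustration.

```python
import random
import string


def parse_cookie_header(header: str) -> dict:
    """Tolerant parser for an HTTP Cookie header value.

    It never raises on malformed input: pairs without '=' keep an empty
    value, pairs with an empty name are skipped, empty chunks from ';;' are
    ignored, and surrounding whitespace is stripped. Returns name -> value
    (the first occurrence of a name wins).
    """
    cookies = {}
    if not isinstance(header, str):
        return cookies
    for pair in header.split(";"):
        pair = pair.strip()
        if not pair:
            continue  # '; ;' and trailing ';' yield empty chunks
        name, _sep, value = pair.partition("=")
        name = name.strip()
        if not name:
            continue  # '=foo' has no name: ignore rather than fail
        value = value.strip()
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]  # RFC 6265 permits a quoted cookie-value
        cookies.setdefault(name, value)
    return cookies


def fuzz_cookie_parser(iterations: int = 2000, seed: int = 1) -> int:
    """Throw random Cookie headers at the parser (constructed inputs).

    Returns the number of headers parsed; any exception from the parser
    propagates, which is exactly what the harness is meant to expose.
    """
    rng = random.Random(seed)
    alphabet = string.ascii_letters + string.digits + '=;" \t,\\/'
    parsed = 0
    for _ in range(iterations):
        length = rng.randint(0, 40)
        header = "".join(rng.choice(alphabet) for _ in range(length))
        result = parse_cookie_header(header)  # must never raise
        # Invariants: no empty names, every value is a string.
        assert all(result.keys())
        assert all(isinstance(v, str) for v in result.values())
        parsed += 1
    return parsed
```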

Menin informed ModSec’s core developers that the underlying issue had been resolved.

ModSecurity is an open source WAF engine maintained by Trustwave. The security technology is often used in conjunction with the Nginx webserver.

Although the CRS team pushed for early integration of the patch, which was developed in mid-November, ModSec’s core developers wanted to budget for more time and a release date for LibModSecurity 3.0.4 of January 13, 2020, was agreed.

A week after the release, Trustwave published a detailed analysis of the problem on the SpiderLabs blog.

This story was updated on 23 January to correct an oversight in the sequence of events and incorporate comment from CRS developer Ervin Hegedüs.