Developers fix ReDoS flaw in popular web app firewall library

Version 3.1.1 of the OWASP ModSecurity Core Rule Set (CRS) is now available. The release addresses potential denial-of-service shortcomings and other minor bugs.

As previously reported by The Daily Swig, April saw the disclosure of five vulnerabilities in the ModSecurity rule set, each of which was said to have the potential to take web servers offline.

The flaws, discovered by 20-year-old researcher Somdev Sangwan, were related to the rule set’s implementation of regular expressions (regex) – the pattern notation developers use to define text searches and matches.

Attacks that exploit regex processing to cause denial of service are known as ReDoS (regular expression denial-of-service) attacks.

Immediately after being alerted to the security shortcomings, the CRS development team embarked on fixes – something the project’s Christian Folini said was no small feat due to “inherent problems” in the technology.

Five become one

ModSecurity is a popular open source web application firewall (WAF) that’s designed to help stop attacks or unwanted behavior against applications by monitoring all HTTP traffic in real time.

The tool works through the implementation of WAF rules. Security professionals can create their own custom rules or deploy existing libraries, such as the free-to-install OWASP CRS.

Upon closer inspection of the ReDoS vulnerabilities that were disclosed by Sangwan, the CRS project’s maintainers found that only one of the flaws (CVE-2019-11387) had any real-world impact.

As anticipated, however, developing a patch was far from straightforward, as the developers had to fix the regex without changing the detection capabilities of the affected rules.

“We invested a lot of time in this,” Folini told The Daily Swig. “First we needed to look closely at which rules were really problematic and to what extent.

“Then we created many additional unit tests for the rules in question, and then we started to update the rules so they would no longer be affected by ReDoS but still catch the same payloads.”
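The regression-test approach Folini describes can be checked mechanically: keep a payload corpus on which the old and rewritten rule must agree, then confirm the rewrite no longer backtracks on worst-case input. The following is an added example, not CRS or ModSecurity code: the two patterns, the corpus and the helper names are constructed, and it uses Python's backtracking `re` engine rather than the PCRE library ModSecurity uses (both backtrack the same way on this nested-quantifier shape).

```python
import re
import time

# Constructed illustration, not a CRS rule: a nested-quantifier pattern and a rewrite
# that accepts exactly the same language (word runs separated by single spaces,
# optional trailing space) without the ambiguity that causes catastrophic backtracking.
VULNERABLE = re.compile(r"^(\w+\s?)+$")     # \w+ can be split across groups: exponential
HARDENED = re.compile(r"^\w+(\s\w+)*\s?$")  # each repetition must begin with \s: no split

# Constructed regression corpus: (payload, expected_match). Both patterns must agree.
CORPUS = [
    ("abc", True), ("abc def", True), ("abc def ", True), ("a b c", True),
    ("", False), (" abc", False), ("abc  def", False), ("abc!", False), ("abc-def", False),
    ("a" * 10 + "!", False),  # short adversarial input, still cheap for the old pattern
]


def mismatches(corpus=CORPUS):
    """Return entries where the rewrite changes the verdict or the expectation is wrong."""
    bad = []
    for payload, expected in corpus:
        old = VULNERABLE.match(payload) is not None
        new = HARDENED.match(payload) is not None
        if not (old == new == expected):
            bad.append((payload, old, new, expected))
    return bad


def adversarial(n):
    """Worst-case input: n word characters followed by a character that forces failure."""
    return "a" * n + "!"


def timed_match(pattern, text):
    """Return (matched, seconds) for a single match attempt."""
    start = time.perf_counter()
    matched = pattern.match(text) is not None
    return matched, time.perf_counter() - start


if __name__ == "__main__":
    assert mismatches() == []
    # Old pattern: every extra character roughly doubles the work, so keep n small.
    for n in (10, 14, 18):
        print("vulnerable", n, timed_match(VULNERABLE, adversarial(n)))
    # Rewrite: a 100,000-character input is rejected in milliseconds.
    print("hardened", 100_000, timed_match(HARDENED, adversarial(100_000)))
```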

Folini added: “The CVE is only affecting users of the libModSecurity 3 release line and only under special circumstances. However, we advise all users to upgrade to this latest stable CRS release.”

Version 3.1.1 of the OWASP ModSecurity Core Rule Set (CRS) can be installed via GitHub.

In addition to addressing the ReDoS flaw, the release includes minor bug fixes.
