ReDoS flaws discovered in OWASP Core Rule Set

A clutch of unpatched vulnerabilities in ModSecurity’s OWASP Core Rule Set has left potentially thousands of web servers open to denial-of-service (DoS) attacks.

ModSecurity is a popular open source web application firewall (WAF) that’s designed to help stop attacks or unwanted behavior against applications by monitoring all HTTP traffic in real time.

The tool works through the implementation of WAF rules. Security professionals can create their own custom rules or deploy existing libraries, such as the free-to-install OWASP Core Rule Set.

It was this open source library that caught the attention of Somdev Sangwan, a 20-year-old researcher from India, who recently disclosed five vulnerabilities in the rule set, each of which has the potential to take web servers offline.

According to Sangwan, the vulnerabilities are all related to the Core Rule Set’s implementation of regular expressions (regex) – strings of texts that allow developers to define search patterns.

Regex exploits leading to denial-of-service are known as ReDoS attacks.

“I have been spending a good amount of time writing ReDoS exploits and studying WAFs lately,” Sangwan explained in a blog post published earlier this week.

“To practice my skills in the real world, I chose [the] ModSecurity Core Rule Set because it has tons of regular expressions, and on top of that these regular expressions are being used by WAFs in the wild to detect attacks.”

The researcher’s intuition paid off, as he found that specially crafted strings could overwhelm the Core Rule Set’s regex engine, causing web servers to grind to a halt.

First line of defense

The OWASP Core Rule Set for ModSecurity is pegged as a “first line of defense” against generic web attacks, including SQL injection, cross-site scripting, and local file inclusion.

Commercial rule libraries are also available, which are said to offer protection against specific vulnerabilities and provide fewer false positives.

Although the exact number of Apache, Nginx, and IIS web servers running the Core Rule Set is not known, this is likely to run well into the thousands, given the free and open source nature of the project.

CVEs have been assigned to each of the five vulnerabilities, but at the time of writing the flaws remain unpatched in the Core Rule Set.

“They haven’t patched [the vulnerabilities] yet,” Sangwan told The Daily Swig. “I have suggested fixes, but there is still a discussion going on in hopes of finding a robust solution to prevent such attacks in the future.”

The researcher added: “It should be noted that I haven’t released the full exploit strings yet because the vulnerabilities still exist and can be abused.

“The exploits mentioned in my blog are just for the vulnerable parts of the regular expressions and won’t have any effect on an implementation of ModSecurity.”

Sangwan added: “ModSecurity users will be completely safe against these exploits once the suggested changes are made to the rule set and the users update their rule set afterwards.”

An inherent problem

Discussing the vulnerabilities, Christian Folini from the Core Rule Set project said that protection from web application attacks by means of regular expression pattern matching is “resource intense”, and that mitigations to the ReDoS exploits are ongoing.

“DoS is an inherent problem of the technology,” Folini told The Daily Swig. “But people writing the rules can reduce the problem by writing advanced rules that steer clear of the ReDoS problem.

“However, things get quite hairy when you consider that some of our rules are several thousand characters wide and 10 to 15 years old. So when the new leadership took over the project, we first had to understand what these regexes actually did.”

Folini added: “Solving the ReDoS problem is therefore an ongoing project. We welcome the fact that Somdev Sangwan has not only published the weaknesses, but also that he is actively working with us to solve the problem.”

Putting the flaws into perspective

Some Core Rule Set users may initially balk at the idea of unpatched denial-of-service vulnerabilities sitting on their web server.

However, the potential damage that could be caused through servers being taken offline pales in comparison to the far more severe threats of cross-site scripting or SQL injection – exploits the open source project continues to help defend against.

Ultimately, as the Core Rule Set development team continues to work on mitigations for the ReDoS vulnerabilities, users may well be urged, in this instance, not to throw the baby out with the bathwater and sit tight until a patch becomes available.

RELATED WAF reloaded: ModSecurity 3.1 showcased at Black Hat Asia