Apache HTTP Server Byte Range DoS


I have a service called NSProtect/safe, which is with Network Solutions, that scans our server for vulnerabilities. I am posting here because Network Solutions has not been able to address this problem for over 13 days now, since June 12, 2015.

I have found out that Network Solutions uses Comodo to do the vulnerability scanning, thus I am coming here as a final attempt to solve this problem.

The scan is failing and giving the result at the bottom:

The problem is, the HTTP Server Byte Range DoS vulnerability was patched with Apache 2.2.0. We are running Apache 2.4.0, which was just upgraded from Apache 2.2.9. We were receiving this error on Apache 2.2.9 as well.

Searching the internet yielded the cause and workarounds if you were running Apache 2.1.x, but if you had Apache 2.2.0+ you were okay.

I believe we are getting a false positive from the test, and I was told by the tech who services our server that this was the case.

Network Solutions is on day 13 of giving me the runaround.

I am looking for some insight from a member or moderator who understands this and has some information that can clear this up.

If this is in the wrong area of the forum, I apologize and I am not sure what Comodo calls their NSProtect/safe equivalent.

We are running CentOS 6.6 with Apache 2.4.0.

We were running CentOS 5.x with Apache 2.29 with no failed scans; we updated to the above and the errors started.

Thank You.


** ADDED: I realize now this is your Web Inspector product.

Security alert found on port/service “http (80/tcp)”
Plugin “Apache HTTP Server Byte Range DoS”
Category “Web Servers”
Priority Ranking “Urgent”
Synopsis : The web server running on the remote host is affected by a denial of service vulnerability.
Description : The version of Apache HTTP Server running on the remote host is affected by a denial of service vulnerability. Making a series of HTTP requests with overlapping ranges in the Range or Request-Range request headers can result in memory and CPU exhaustion. A remote, unauthenticated attacker could exploit this to make the system unresponsive. Exploit code is publicly available and attacks have reportedly been observed in the wild.
See also :
http://archives.neohapsis.com/archives/fulldisclosure/2011-08/0203.html
http://www.gossamer-threads.com/lists/apache/dev/401638
http://www.nessus.org/u?8c61b13d
http://www.nessus.org/u?404627ec
Solution : Limit the number of ranges allowed in the Range and Request-Range request headers, or disallow the use of Range and Request-Range request headers altogether. For more information, refer to Apache’s advisory for CVE-2011-3192.
Risk factor : High / CVSS Base Score : 7.8 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C)
Plugin output : Nessus determined the server accepts a high number of ranges by making the following request :

GET / HTTP/1.1
Host: bokumtoolco.com
Request-Range: bytes=0-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Range: bytes=0-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10
Accept-Language: en
Connection: Keep-Alive
Date: Thu, 25 Jun 2015 05:10:26 GMT
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Pragma: no-cache

CVE : CVE-2011-3192
BID : 49303
Other references : OSVDB:74721, CERT:405811
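As an added illustration of the mitigation the scan report recommends (limiting the number of ranges and refusing overlapping ones), this Python check parses a Range header value and decides whether honouring it is safe; it is example code, not code from the post, from Apache or from Comodo. The cap of 200 and the "serve the whole body instead" fallback are this example's own assumptions, chosen to match Apache's MaxRanges default rather than to reproduce Apache's byterange filter.

```python
import re
from dataclasses import dataclass

# One byte-range-spec: "first-last", "first-" or "-suffix_length"
_RANGE_SPEC = re.compile(r'^(?:(\d+)-(\d*)|-(\d+))$')

# The Range value the scan report above shows Nessus sending (11 ranges)
SCANNER_RANGE = 'bytes=0-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10'


@dataclass
class RangeDecision:
    count: int          # satisfiable ranges requested
    overlapping: bool   # two ranges cover a common byte
    action: str         # 'serve-ranges' (206) or 'ignore-ranges' (200, whole body)


def parse_byte_ranges(header, length):
    """Return sorted (start, end) pairs for a 'bytes=...' value; raise on bad syntax."""
    unit, _, specs = header.partition('=')
    if unit.strip().lower() != 'bytes':
        raise ValueError('unsupported range unit: %r' % unit)
    ranges = []
    for spec in specs.split(','):
        m = _RANGE_SPEC.match(spec.strip())
        if not m:
            raise ValueError('malformed byte-range-spec: %r' % spec)
        first, last, suffix = m.groups()
        if suffix is not None:                       # "-N" means the last N bytes
            start, end = max(length - int(suffix), 0), length - 1
        else:
            start = int(first)
            end = length - 1 if last == '' else min(int(last), length - 1)
        if start <= end:                             # drop unsatisfiable ranges
            ranges.append((start, end))
    return sorted(ranges)


def evaluate_range_header(header, length, max_ranges=200):
    """Policy: cap the range count and refuse overlapping ranges.

    max_ranges=200 is an assumption matching Apache's MaxRanges default;
    the policy itself is this example's, not Apache's byterange filter."""
    ranges = parse_byte_ranges(header, length)
    overlapping = any(b[0] <= a[1] for a, b in zip(ranges, ranges[1:]))
    # Overlapping or excessive ranges cost far more to serve than the whole
    # resource, which is what CVE-2011-3192 abused: fall back to the full body.
    if overlapping or len(ranges) > max_ranges:
        return RangeDecision(len(ranges), overlapping, 'ignore-ranges')
    return RangeDecision(len(ranges), overlapping, 'serve-ranges')
```

Under the default cap the 11 adjacent, non-overlapping ranges in the scanner's request are accepted, so a 206 reply to that request alone does not by itself distinguish a server that caps and merges ranges from one that does not.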