ModSecurity, Trustwave’s open-source Web Application Firewall (WAF) engine, is exposed to a denial-of-service (DoS) risk through a vulnerability in four of its transformation actions.
Cybersecurity researchers at Trustwave identified this flaw and alerted the ModSecurity team to their finding. The vulnerability is tracked as CVE-2023-38285.
The ModSecurity team has fixed the flaw in v3.0.10; ModSecurity v2 is not affected.
ModSecurity offers numerous transformation actions that alter how a value is represented, both to make processing more convenient and to reduce the risk of rule evasion.
Detection Alert
The ModSecurity team was notified of the DoS issue in v3, and the impacted transformations are:
- removeWhitespace
- removeNull
- replaceNull
- removeCommentsChar
Though functionally correct, the impacted transformations have poor worst-case performance, which maliciously crafted HTTP requests can trigger.
Configuring common limits such as SecRequestBodyNoFilesLimit, using the default value of 131072 recommended in modsecurity.conf-recommended, helps prevent significant delays.
Even with that limit in place, a dozen or more executions of the transformations may still add several seconds of delay per HTTP transaction.
In addition, a large volume of simultaneous malicious requests could overwhelm the web server and, as a result, delay responses to legitimate requests.
Recommendation
If an immediate upgrade is impractical, alternative mitigations exist for affected installations. Because of the nature of the issue, a few large values consume far more resources than many small ones.
Add a separate ModSecurity rule that restricts the size of the values being processed, so that legitimate content is still handled without restriction.
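One way to write such a size-restricting rule, as an added example that is not from the original article or from the ModSecurity project: the rules below reject any single request value longer than a cap before any later rule applies the four affected transformations to it. The 8192-byte cap, the rule ids 1000901 and 1000902 and the HTTP 413 response are assumptions to tune to the application.

```apache
# Added example (not from the article or the ModSecurity project).
# Place these directives BEFORE any rule that uses removeWhitespace,
# removeNull, replaceNull or removeCommentsChar, so oversized values are
# rejected before they are ever transformed.
# Assumptions: 8192-byte per-value cap, rule ids 1000901/1000902, status 413.

# Overall body cap from modsecurity.conf-recommended (value quoted in the article).
SecRequestBodyNoFilesLimit 131072

# Request arguments (query string and body) and their names, request-body phase.
# t:none clears inherited transformations; t:length replaces each value with
# its byte length, which @gt then compares numerically against the cap.
SecRule ARGS|ARGS_NAMES "@gt 8192" \
    "id:1000901,phase:2,deny,status:413,log,\
    t:none,t:length,\
    msg:'Oversized request argument %{MATCHED_VAR_NAME}, CVE-2023-38285 mitigation'"

# Headers and cookies are available in phase 1, so reject oversized ones early.
SecRule REQUEST_HEADERS|REQUEST_COOKIES|REQUEST_COOKIES_NAMES "@gt 8192" \
    "id:1000902,phase:1,deny,status:413,log,\
    t:none,t:length,\
    msg:'Oversized header or cookie value %{MATCHED_VAR_NAME}, CVE-2023-38285 mitigation'"
```

Legitimate values below the cap pass through untouched; only the per-value size is checked, which matches the observation above that large individual values, not many small ones, drive the cost.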
Source: https://cybersecuritynews.com/modsecurity-waf-flaw-let-hackers-trigger-dos-attack/