Sid 1-43587

Message

SERVER-WEBAPP Multiple products HTTP connection header overflow attempt

Summary

Multiple web servers contain buffer overflow vulnerabilities due to improper Connection header parsing.

Impact

CVE-2017-7668:

CVSS base score 9.8

CVSS impact score 5.9

CVSS exploitability score 3.9

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Detailed information

This rule checks for attempts to trigger buffer overflow vulnerabilities in multiple web servers via a maliciously crafted Connection header value. CVE-2017-7668: The HTTP strict parsing changes added in Apache httpd 2.2.32 and 2.4.24 introduced a bug in token list parsing, which allows ap_find_token() to search past the end of its input string. By maliciously crafting a sequence of request headers, an attacker may be able to cause a segmentation fault, or to force ap_find_token() to return an incorrect value.
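As an added illustration, not code from httpd and not part of this rule documentation, the C tokenizer below shows the end-of-input discipline whose absence the paragraph above describes: every scan over a Connection header value is bounded by an explicit end pointer rather than by trusting that a terminator will be found. The function names, the separator set and the sample header values are this example's own assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Bytes that end an HTTP token: whitespace, the list separator ',' and the
 * RFC 7230 tspecials. A NUL byte counts as a separator too, never as token data. */
static int is_token_stop(unsigned char c)
{
    return c == '\0' || c == ' ' || c == '\t' || c == ',' ||
           strchr("()<>@;:\\\"/[]?={}", c) != NULL;
}

/* Case-insensitive comparison of the n-byte span t with the C string tok. */
static int token_equals_ci(const char *t, size_t n, const char *tok)
{
    size_t i;
    if (strlen(tok) != n)
        return 0;
    for (i = 0; i < n; i++)
        if (tolower((unsigned char)t[i]) != tolower((unsigned char)tok[i]))
            return 0;
    return 1;
}

/* Return 1 if tok occurs as a whole token in the list line[0..len), which need
 * not be NUL-terminated. Every advance of s is guarded by s < end, so a value
 * made only of separators, or one without a terminator, is never read past. */
int find_token(const char *line, size_t len, const char *tok)
{
    const char *s = line, *end = line + len, *t;

    while (s < end) {
        while (s < end && is_token_stop((unsigned char)*s))  /* skip separators */
            s++;
        if (s == end)                                         /* nothing but separators */
            return 0;
        for (t = s; s < end && !is_token_stop((unsigned char)*s); s++)
            ;                                                 /* span one token */
        if (token_equals_ci(t, (size_t)(s - t), tok))
            return 1;
    }
    return 0;
}

int main(void)
{   /* constructed Connection header values, not captured traffic */
    const char *h[] = { "keep-alive, close", "closer", ",,, \t", "Upgrade, Keep-Alive" };
    for (size_t i = 0; i < 4; i++)
        printf("%-20s close=%d keep-alive=%d\n", h[i],
               find_token(h[i], strlen(h[i]), "close"), find_token(h[i], strlen(h[i]), "keep-alive"));
    return 0;
}
```

The third sample value consists only of separators, the case in which a scanner that looks for the next token start without also checking for the end of its input keeps reading beyond the buffer.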

Affected systems

  • apache http_server 2.2.0
  • apache http_server 2.2.2
  • apache http_server 2.2.3
  • apache http_server 2.2.11
  • apache http_server 2.2.12
  • apache http_server 2.2.13
  • apache http_server 2.2.14
  • apache http_server 2.2.15
  • apache http_server 2.2.16
  • apache http_server 2.2.17
  • apache http_server 2.2.18
  • apache http_server 2.2.19
  • apache http_server 2.2.20
  • apache http_server 2.2.21
  • apache http_server 2.2.22
  • apache http_server 2.2.23
  • apache http_server 2.2.24
  • apache http_server 2.2.25
  • apache http_server 2.2.26
  • apache http_server 2.2.27
  • apache http_server 2.2.29
  • apache http_server 2.2.30
  • apache http_server 2.2.31
  • apache http_server 2.2.32
  • apache http_server 2.4.1
  • apache http_server 2.4.2
  • apache http_server 2.4.10
  • apache http_server 2.4.12
  • apache http_server 2.4.16
  • apache http_server 2.4.17
  • apache http_server 2.4.18
  • apache http_server 2.4.20
  • apache http_server 2.4.23
  • apache http_server 2.4.25

Ease of attack

CVE-2017-7668:

Access Vector

Access Complexity

Authentication

False positives

None known

False negatives

None known

Corrective action

Contributors

  • Talos research team.
  • This document was generated from data supplied by the National Vulnerability Database, a product of the National Institute of Standards and Technology.
  • For more information see NVD.

Additional References

  • ghostinthelab.wordpress.com/2012/07/19/simplewebserver-2-2-rc2-remote-buffer-overflow-exploit/