Rule Category

SERVER-OTHER -- Snort has detected traffic exploiting vulnerabilities in a server in the network.

Alert Message

SERVER-OTHER RabbitMQ X-Reason HTTP header denial-of-service attempt

Rule Explanation

This event is generated when an attempt to exploit RabbitMQ via CVE-2019-11287 is detected. Impact: Detection of a Denial of Service Attack Details: The "X-Reason" HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing. Ease of Attack: Simple, this can be done with any command line tool that allows an attacker to send http requests.

What To Look For

Known Usage

No public information

False Positives

No known false positives

Contributors

Cisco Talos Intelligence Group

MITRE ATT&CK Framework

Tactic:

Technique:

For reference, see the MITRE ATT&CK vulnerability types here: https://attack.mitre.org

CVE

Additional Links

Rule Vulnerability

CVE Additional Information

CVE-2019-11287
Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. The "X-Reason" HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing.
Details
SeverityMEDIUM Base Score5.0
Impact Score2.9 Exploit Score10.0
Confidentiality ImpactNONE Integrity ImpactNONE
Availability ImpactPARTIAL Access VectorNETWORK
AuthenticationNONE Ease of AccessLOW