SA75 : Recursive HTTP pipeline pre-fetch can cause memory regulation (CVE-2013-5959)

1281

03 March 2020

09 September 2013

CLOSED

HIGH

CVSS v2: 8.5

SUMMARY

When forward or reverse proxying of HTTP traffic is enabled on a ProxySG appliance, some web sites can cause the system to enter memory regulation due to a high number of HTTP RW pipeline pre-fetch requests, resulting in slow, dropped or blocked connections and/or a system crash/reboot. This can effectively be deemed a denial-of-service (DoS) attack.

AFFECTED PRODUCTS

All SGOS versions prior to 6.5.2 except version 6.2.14.1 are vulnerable in both forward and reverse proxy modes. This has no impact on Management Console, Command Line Interface (CLI), or administrative functions.

Patches

Where the fix is available, SGOS sets a maximum prefetching memory allocation size. This forces a timeout and retry when there are too many requests for HTTP proxy services. The fix is available to customers with a valid BlueTouch Online login.

SGOS 6.5 – A fix is available in 6.5.2.
SGOS 6.4 – A fix is available in 6.4.5.1.
SGOS 6.3 – A fix is available in 6.3.6.2.
SGOS 6.2 – A fix is available in 6.2.14.1.
SGOS 6.1 – A fix will not be provided. Please upgrade to a later version with the vulnerability fix.
SGOS 5.5 – A fix is available in 5.5.11.5.
SGOS 5.4 – A fix is available in 5.4.12.9, which is a patch release. The fix is available on the patch release page.
SGOS 5.3 and earlier – Please upgrade to a later version.

ISSUES

CVE-2013-5959 - CVSS v2 base score: 8.5 (AV:N/AC:M/Au:N/C:N/I:P/A:C)

This issue highlights memory exhaustion and/or pipeline overload due to the high number of HTTP RW pipeline pre-fetch requests from some web sites. This can effectively be deemed a denial-of-service (DoS) attack and can be triggered remotely by distributing spam email or similar mechanisms where the target user clicks through to a site that can trigger the memory regulation issue. Due to the nature of the issue, this is assessed as high severity.

Sites with a high number of recursively embedded HREFs in the HTML can quickly cause one of the following scenarios:

  1. Memory regulation and/or crash/reboot when unlimited retrieval workers are allowed on the ProxySG and a large number of retrieval workers are created.
  2. Crash/reboot when retrieval workers are constrained on the proxy and a large number of retrieval workers are created.
  3. Random HTTP response delays in less severe cases.
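
The following simplified model is an added illustration, not SGOS or vendor code. It shows why recursive pre-fetch makes in-flight retrieval workers grow with the size of the site, and how the memory cap described under Patches bounds that growth by deferring requests for a later retry. FANOUT, DEPTH, WORKER_COST, the per-tick completion rate and the budget value are all assumptions chosen for the example.

```python
from collections import deque

# Constructed site: every page embeds FANOUT links, DEPTH levels deep.
FANOUT, DEPTH = 4, 6
WORKER_COST = 64 * 1024  # assumed bytes held by one in-flight retrieval worker


def embedded_links(page):
    """Links embedded in a page of the constructed site (a page is a path tuple)."""
    if len(page) >= DEPTH:
        return []
    return [page + (i,) for i in range(FANOUT)]


def simulate(budget=None, completions_per_tick=8):
    """Model pipelined pre-fetch of the constructed site.

    budget=None  -> no cap: every discovered link gets a worker immediately.
    budget=bytes -> cap: a link that does not fit stays queued and is retried
                    on the next tick.
    Returns (peak_worker_memory_bytes, pages_fetched).
    """
    if budget is not None and budget < WORKER_COST:
        raise ValueError("budget must admit at least one worker")
    pending = deque([()])   # links waiting for a worker (starts with the root page)
    active = deque()        # in-flight workers
    peak = fetched = 0
    while pending or active:
        # Start workers for pending links as far as the budget allows.
        while pending and (budget is None
                           or (len(active) + 1) * WORKER_COST <= budget):
            active.append(pending.popleft())
        peak = max(peak, len(active) * WORKER_COST)
        # Only a limited number of responses arrive per tick; each one
        # exposes more embedded links to pre-fetch.
        for _ in range(min(completions_per_tick, len(active))):
            page = active.popleft()
            fetched += 1
            pending.extend(embedded_links(page))
    return peak, fetched


if __name__ == "__main__":
    for label, budget in (("uncapped", None), ("capped", 32 * WORKER_COST)):
        peak, fetched = simulate(budget)
        print(f"{label:9s} peak={peak // 1024} KiB pages={fetched}")
```

In this model both runs retrieve the same pages; only the peak memory held by workers differs.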

MITIGATION

The workaround is to disable pipelining on this traffic. To disable pipelining, select Configuration > Proxy Settings > HTTP Proxy > Acceleration in the Management Console. Under Acceleration Settings, clear the checkboxes beside the following options:

  • Pipeline embedded objects client request
  • Pipeline redirects for client request
  • Pipeline embedded objects in prefetch request
  • Pipeline redirects for prefetch request

Click Apply to save your changes.

The associated CLI commands to disable pipelining are as follows:

http no pipeline client requests 
http no pipeline client redirects
http no pipeline prefetch requests
http no pipeline prefetch redirects

Refer to the SGOS Administration Guide for your version of SGOS for details.

REFERENCES

CVE-2013-5959: https://nvd.nist.gov/vuln/detail/CVE-2013-5959

REVISION

2015-01-27 A fix will not be provided in 6.1.x.  Marking as Final.
2014-05- Updated fix information for 6.3.x and 5.5.x and made minor revisions.
2013-11-29 Updated patch information for 6.4.x.
2013-11-11 Corrected links.
2013-10-14 Updated workaround.
2013-10-04 Updated details and workaround.
2013-10-01 Edited with new workaround.
2013-10-01 Edited with new CVE number.
2013-09-24 Initial public release.