
Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

'Kill tool' released for unpatched Apache server vulnerability

By | August 24, 2011, 11:09am PDT

Summary: The open-source Apache Software Foundation warns that active use of a ‘killapache’ attack tool targeting an unpatched vulnerability has been observed.

The open-source Apache Foundation has warned that an attack tool has been released for a serious vulnerability in the Apache HTTPD Web Server.

The ‘killapache’ attack tool is currently circulating in the wild. “Active use of this tool has been observed,” Apache warned.

“The attack can be done remotely and with a modest number of requests can cause very significant memory and CPU usage on the server,” according to an advisory that documents a denial-of-service flaw in the default Apache HTTPD installation.

The group described the issue as a range header DoS vulnerability and offered several pre-patch mitigations to limit the damage from a malicious denial-of-service attack.

“Apache HTTPD users who are concerned about a DoS attack against their server should consider implementing any of the mitigations,” Apache said.

A patch or new Apache release for Apache 2.0 and 2.2 is expected later this week.


Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

23
Comments


RE: 'Kill tool' released for unpatched Apache server vulnerability
Jimster480 26th Aug
@Knix96 nothing is too secure to be hacked. A patch will be available soon or is already available. Usually Apache patches pretty fast.
Wait a minute according to some people on this site open source software is so secure it can't be hacked!!!!
0 Votes
+ -
Links please
Richard Flude Updated - 24th Aug
@Knix96, to claims open source can't be hacked. A ridiculous position.

This story isn't about Apache HTTPD being hacked anyway. Please read about DoS. Are the MCSEs getting even less knowledgeable? Is it indeed possible?

This is a serious issue for those of us relying on Apache. Notes are critical reading.
0 Votes
+ -
@Richard Flude
"'Kill tool' released for unpatched Apache server vulnerability"
"This story isn't about Apache HTTPD being hacked anyway."
"Apache HTTPD users who are concerned about a DoS attack against their server should consider implementing any of the mitigations,..."

To quote Sesame Street, "One of these things is not like the others, guess which one it is.."
0 Votes
+ -
Fbs
Richard Flude 25th Aug
Education should not stop with Sesame street.
According to some people the moon is made of cheese, therefore the moon isn't good. Apache on the other hand is one of the key pieces of software that got the Internet started. It's free and runs on everything, not just PCs. I consider denial-of-service a lesser problem, but taking control of the server sets off my alarm bells.
@lschw1

a lesser problem? tell to a Hoster happy
I don't know about "some people", but my take on it is that the open-source community can fix a problem much quicker than proprietary software companies.
0 Votes
+ -
@j.q.public

Even if I totally agree that one of the things that pro open source community members have said is that the open source community typically releases fixes faster than proprietary software vendors it most certainly doesn't negate the fact that at the very least "some" in the pro open source community have said a lot more than that.

It's definitely one of those situations where "some" have made statements very clearly, that while falling somewhat short of claiming Superman like invulnerability to attacks, they have certainly made claims that are clearly designed to make one believe that these kinds of attacks are "practically" or "virtually" impossible. They make it sound like the potential for such vulnerabilities to cause any concern are so far removed from reality there is "virtually" nothing to fear from the possibility of such an attack.

As always, I can really only say one thing about such claims. If anyone ever thinks that if the whole world went open source/Linux tomorrow, that the hacker community would quickly be drummed out of business simply because such operating systems are so difficult to do any damage to...they are out of their minds. You can count on as a fact that what the hacker community would do is in fact anything and everything it could possibly take to step up their efforts by any means possible and necessary to make hacking a Linux box as close to as profitable as any other operating system.

Count on it. It's not a fairy tale, it's the same determination that invented the computer and put a man on the moon. One thing you can say about humans, there is always a large enough number of them in every walk of life that will never give up and eventually come up with the solution to the problem at hand. And when that begets a new problem, there will always be plenty who will begin anew right away on that one.
0 Votes
+ -
@j.q.public Not arguing about quick time to patch in the open-source world, but the blog author posted a link to "pre-patch mitigations" that can be applied in the meantime. Since this vulnerability involves a server application and the attack is ITW, sysadmins may choose to apply one of the suggested mitigation techniques until the patch is ready to be applied.
0 Votes
+ -
@j.q.public

Mitigation != fix. Agreed? Raise your hands now...

After all, unplugging your net cable is another 'mitigation' of sorts.
Open source is still vulnerable to bug exploits (hacking and attacks); but unlike proprietary software, the community as a whole doesn't have to rely on some company to fix the problem, because they can debug it themselves immediately (with the know-how, of course).
@pdzdnet WTF does debugging have to do with patching vulnerabilities? I don't need the source to debug Windows apps, I just need public symbols.
0 Votes
+ -
.
@RvLeshrac
You miss the point.
Sure you can debug Windows apps from using the public symbols. However only a small number of Microsoft programmers can fix the problem whereas any competent member of the large number of people of the open-source community can submit a fix for review and subsequent distribution.
0 Votes
+ -
And that's real nice.
Cayble 24th Aug
@pdzdnet

But the one singular thing the open source community has absolutely got to keep in their mind if they want to keep it real when discussing the pros and cons of let's say Windows vs. Linux for example, nobody outside of the open source community cares that much. At all.

And that's simply because whatever inherent superior security measures, Linux for example, has embedded into its code that makes hacking more difficult, the majority of the world who does use Windows has not experienced anything close to the problems the "Anything but Microsoft" crowd so often likes to claim exist.

Does Windows have some inherent risks? Yes, we all know it does. I for one will always agree that the sheer number of relentless attacks designed for Windows is alone enough for concern. But Windows users have for a very long time now been fully prepared to accept those risks because they exist the way they do often because Windows has been designed for an incredible breadth of backward and forward capabilities for both software and hardware as well as many ease of use features that dictate that the OS is very very very complex and sizable and certainly that always has the potential to create more leaks in a larger more complex and versatile ship, so to speak.

The end result has been for the vast majority of the population the problems actually coming out of these potential risks have been mercifully few and the payoff of having such an easy to use diverse operating system has been great.

So, this quick patching by the community is nice. But keep in mind, it's not going to ever be an argument that has any sway in what kind of OS someone should choose unless security is so paramount that most other features can be ignored in favor of even marginal security improvements.

Like maybe if you're a super spy for the C.I.A. or something. And you can trust me, if a spy from the C.I.A. ever asks me what OS should he use for absolute maximum security I will recommend he takes a good look at something in the open source/Linux vein.
@Cayble
Nicely put.
Our web site suffered from this vulnerability, and solving it took us so much time. The downtime was a big problem for our clients; solving it took us 3 days, and as a workaround we uploaded an old version. Where can we get help for free software to solve these problems?
0 Votes
+ -
Why not
Richard Flude 24th Aug
"several immediate options to mitigate this issue" are provided in the advisory linked to in the article and a patch is on its way. What more help are you requiring?
0 Votes
+ -
@Richard Flude

Hmm.. so there is an issue... with a patch on its way (otherwise, why patch?)... for what exactly?

Your previous post, "This is a serious issue for those of us relying on Apache."

And of what source is Apache, open perchance?

Moreover, why build a "Kill Tool" at all? Wait for it.. it'll come to you, ... hopefully.
interesting indeed.
0 Votes
+ -
Internet-Wide congestion collapse?
Rabid Howler Monkey 24th Aug
"a cheesy Apache / IIS DoS vuln (+a question)"
http://seclists.org/bugtraq/2007/Jan/83

Reported on January 4, 2007 for *both* Apache and IIS. Anyone have any idea what the bug status is on IIS?

An earlier report of this vulnerability from 2005:

"Vulnerability Note VU#102014"
"Optimistic TCP acknowledgements can cause denial of service"
http://www.kb.cert.org/vuls/id/102014

Condition was first described in 1999. "In an attack involving multiple victims, the aggregate volume of generated traffic may cause congestion or a bandwidth exhaustion denial of service to intermediate transit network providers as well." Or, stated another way here:

http://seclists.org/bugtraq/2007/Jan/118

"Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse"
According to Microsoft, IIS versions 6.0 and higher are not susceptible to this type of DoS attack. More here (see the last paragraph):

http://www.theregister.co.uk/2011/08/24/devastating_apache_vuln/

P.S. Could not find out whether or not IIS 5.1 is still supported by Microsoft (5.0 is not). If it is still supported, it may be vulnerable.
