Mitigating a ping of death

To set the context, the past 30 days have been a storm of fun critical vulnerabilities. Flash, IIS, OpenSSL, and the worsened return of iOS WifiGate. Any other takers, Android perhaps?

More specifically, this post is to comment on some mitigations proposed against the HTTP.SYS MS15-034 vulnerability in Windows Server. If you get a 416 response to a static file GET request with Range: bytes=0-18446744073709551615 (in Fiddler, for example), then your server is vulnerable. Changing the 0 into any higher digit is enough to kill the server, so, pretty high threat.

A sound approach to remediating threats while exploits are running rampant includes patching the affected servers, but given the scheduling involved, it means first of all mitigating the risk at the perimeter, before a simple GET request takes the web servers down in a denial of service (good old BSOD).

Unfortunately with force fields, or other perimeter mitigations, YMMV.

Perimeter mitigations (Reverse Proxy rules) proposed have had a few flaws:

  • May not protect against remote code execution. Patching is ultimately required.
  • Misleading information: exploratory work presented as optimized rules, but not meant as remediation, can actually cause more harm than good.
  • False positives (impact on large downloads): the exploit needs 20 consecutive numeric characters, so blocking 10 digits and above is not good for prod (large manuals, apps...).
  • False negatives (exploits still possible): being too specific in the regex can make it case sensitive and fail to block a malicious request. Even though the header name is not case sensitive for F5, as rightly pointed out, the proposed regex against the header value is.
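To make the false-positive and false-negative points concrete, here is an added example (not code from the original post, and not an F5 or IIS rule) that contrasts the naive "10 or more digits" rule with a rule that parses the Range header, matches the byte unit case-insensitively, and only flags values whose numeric endpoint reaches the 20-digit uint64 maximum used in the MS15-034 request. The sample header values are constructed for illustration, and the choice of 2^64-1 as the blocking threshold is this example's assumption, not a figure from the post.

```python
import re

# 18446744073709551615: the end offset in the Range request the post uses as its vulnerability check.
UINT64_MAX = 2**64 - 1

# The naive perimeter rule the post warns against: any run of 10+ digits in the header value.
NAIVE_DIGIT_RULE = re.compile(r"\d{10,}")

# Constructed sample Range header values (illustration only, not captured traffic).
SAMPLES = {
    "legit_small": "bytes=0-1023",
    "legit_large_download": "bytes=0-5368709120",         # 10-digit endpoint, a valid range on a ~5 GB file
    "check_as_published": "bytes=0-18446744073709551615",  # the post's 416 vulnerability check
    "nonzero_start": "bytes=2-18446744073709551615",      # the crashing form the post describes
    "mixed_case_unit": "Bytes=3-18446744073709551615",    # slips past a lowercase-only "bytes=" regex
    "malformed": "bytes=abc",
}


def naive_block(value: str) -> bool:
    """The 10-digit rule: blocks the exploit, but also blocks large legitimate downloads."""
    return bool(NAIVE_DIGIT_RULE.search(value))


def parse_byte_ranges(value: str):
    """Parse a Range header value into a list of (start, end) tuples (None for an open side).

    The 'bytes' unit is matched case-insensitively (assumption: the unit token is not
    case sensitive, so a case-sensitive regex would miss 'Bytes=').  Returns None when
    the value is not a syntactically valid byte-range set.
    """
    m = re.fullmatch(r"\s*bytes\s*=\s*(.+)", value, flags=re.IGNORECASE)
    if not m:
        return None
    ranges = []
    for spec in m.group(1).split(","):
        rm = re.fullmatch(r"(\d*)-(\d*)", spec.strip())
        if not rm or (rm.group(1) == "" and rm.group(2) == ""):
            return None
        start = int(rm.group(1)) if rm.group(1) else None
        end = int(rm.group(2)) if rm.group(2) else None
        ranges.append((start, end))
    return ranges


def range_is_hostile(value: str, limit: int = UINT64_MAX) -> bool:
    """Flag a Range value whose numeric endpoint reaches the uint64 maximum.

    Malformed values are left alone (assumption: the origin server's own 400/416
    handling covers them), so the rule stays narrow and does not touch ordinary
    multi-gigabyte downloads.
    """
    ranges = parse_byte_ranges(value)
    if ranges is None:
        return False
    return any(n is not None and n >= limit for r in ranges for n in r)


def compare_rules(samples=SAMPLES):
    """Return {name: (naive_verdict, parsed_verdict)} so the two rules can be compared side by side."""
    return {name: (naive_block(v), range_is_hostile(v)) for name, v in samples.items()}


if __name__ == "__main__":
    for name, (naive, parsed) in compare_rules().items():
        print(f"{name:22s} naive_block={naive!s:5s} range_is_hostile={parsed}")
```

Run it and the large-download sample is the one the naive rule gets wrong (blocked) while the parsing rule lets it through, and the mixed-case sample is the one a lowercase-only value regex would let past while the parsing rule still flags it. The threshold and the handling of malformed values are knobs; the point is that a rule anchored on the actual range semantics is both narrower and harder to sidestep than a digit count.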

As for server patching, once the perimeter has been secured, Microsoft advises urgently evaluating security patches when a threat is applicable. The same article indicates that testing in pre-production or on non-critical systems is advisable, but more so for service packs and hotfixes than for security patches.

Verdict:

  • Solutions are not created equal.
  • Check for any vulnerable Windows server now (on a non-critical system first).
  • Mitigate (well) as soon as possible at the perimeter, with an infosec-certified solution.
  • Patch Windows as soon as possible, and maintain update best practices.