ModSecurity WAF Flaw Let Hackers Trigger DoS Attack

Trustwave’s open-source Web Application Firewall (WAF) engine, ModSecurity, is exposed to denial-of-service (DoS) attacks through a vulnerability in four of its transformation actions.

Cybersecurity researchers at Trustwave identified the flaw and reported it to the ModSecurity team. It is tracked as CVE-2023-38285.

The ModSecurity team fixed the flaw in v3.0.10. ModSecurity v2 is not affected.

ModSecurity offers numerous transformation actions that normalise a value’s representation before it is inspected, both to make rules simpler to write and to reduce the risk of rule evasion.

Detection Alert

The ModSecurity team was notified of a DoS issue in v3. The affected transformations are:

  • removeWhitespace
  • removeNull
  • replaceNull
  • removeCommentsChar

Although functionally correct, the affected transformations had poor worst-case performance: a maliciously crafted HTTP request can make each of them take far longer than the size of its input would suggest.

Common limits such as SecRequestBodyNoFilesLimit, set to the recommended default of 131072 bytes in modsecurity.conf-recommended, bound how much data a transformation can be asked to process and therefore cap the worst-case delay.

Even with that limit in place, a dozen or so executions of the affected transformations could still add several seconds of delay to a single HTTP transaction.

A large volume of concurrent malicious requests could therefore overwhelm the web server and delay responses to legitimate requests.
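To show why the size of a single value matters so much, here is an added illustration, not ModSecurity’s own code: a removeWhitespace that deletes one byte at a time from the string it is working on (an assumption about the shape of the pre-3.0.10 pattern, not a reproduction of it) beside a single-pass rewrite, timed on a constructed value the size of the recommended SecRequestBodyNoFilesLimit.

```cpp
// Added illustration of quadratic-vs-linear transformation cost.
// NOT ModSecurity's code: it models an "erase one byte at a time" loop
// (assumed to resemble the pre-3.0.10 pattern) against a single-pass copy.
#include <cctype>
#include <chrono>
#include <cstdio>
#include <string>

// Worst case O(n^2): every erase() shifts the rest of the string left,
// so a value that is almost entirely whitespace pays O(n) per removed byte.
std::string removeWhitespaceQuadratic(const std::string &in) {
    std::string value(in);
    size_t i = 0;
    while (i < value.size()) {
        if (std::isspace(static_cast<unsigned char>(value[i]))) {
            value.erase(i, 1);
        } else {
            ++i;
        }
    }
    return value;
}

// O(n): copy the bytes we keep into a fresh buffer in one pass.
std::string removeWhitespaceLinear(const std::string &in) {
    std::string out;
    out.reserve(in.size());
    for (unsigned char c : in) {
        if (!std::isspace(c)) out.push_back(static_cast<char>(c));
    }
    return out;
}

// Constructed attacker-style value: n bytes, all spaces except the last one,
// so both versions must scan and shift almost the whole buffer.
std::string craftedValue(size_t n) {
    std::string s(n, ' ');
    s.back() = 'x';
    return s;
}

template <typename F>
double millis(F fn, const std::string &v) {
    auto t0 = std::chrono::steady_clock::now();
    fn(v);
    auto t1 = std::chrono::steady_clock::now();
    return std::chrono::duration<double, std::milli>(t1 - t0).count();
}

int main() {
    // 131072 is the recommended SecRequestBodyNoFilesLimit: one value this
    // size is the largest the limit still lets a transformation see.
    const std::string v = craftedValue(131072);
    std::printf("quadratic: %.1f ms\n", millis(removeWhitespaceQuadratic, v));
    std::printf("linear:    %.1f ms\n", millis(removeWhitespaceLinear, v));
    return 0;
}
```

Both functions return the same string; the difference is only in how long they take, and the gap widens with the square of the value size, which is why a few transformations over one large value cost more than many over small ones.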

Recommendation

If an immediate upgrade is impractical, mitigations are available for affected installations. Because the cost of the issue grows disproportionately with the size of the value being transformed, one large value consumes far more resources than many small ones.

A separate ModSecurity rule that limits the size of the values the affected transformations will process therefore blunts the attack, while legitimately sized content continues to be handled as before.
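One way to put that recommendation into a configuration, as an added example that is not from the ModSecurity project or from Trustwave: the body limits below are the values from modsecurity.conf-recommended, and the SecRule rejects any request whose argument, cookie or header value exceeds a size threshold before later rules get to run removeWhitespace, removeNull, replaceNull or removeCommentsChar over it. The rule ID 1000100 and the 4096-byte threshold are assumptions; choose an ID in your own range and a limit that fits the inputs your application genuinely needs.

```apache
# Request body limits as shipped in modsecurity.conf-recommended.
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
SecRequestBodyLimitAction Reject

# Added mitigation rule (example only, not project code). Place it before
# any rule that uses the affected transformations, e.g. before the CRS
# includes, so it runs first in phase 2. t:length turns each value into
# its byte length, and @gt compares that length against the threshold.
# Rule ID and threshold are assumptions: adjust both for your deployment.
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_HEADERS "@gt 4096" \
    "id:1000100,\
    phase:2,\
    t:none,t:length,\
    deny,\
    status:413,\
    log,\
    msg:'Oversized request value rejected (CVE-2023-38285 mitigation)',\
    logdata:'%{MATCHED_VAR_NAME} has length %{MATCHED_VAR}'"
```

If denying is too aggressive for some endpoints, the same rule can instead set a transaction variable and later rules can use it to skip the expensive transformations for that request; either way the point is that no value larger than the threshold reaches the affected code paths until the upgrade to v3.0.10 is done.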


Tushar is a cybersecurity content editor with a passion for creating captivating and informative content. With years of experience in cybersecurity, he covers cybersecurity news, technology and other news.