Initial Publication Date: 9 Sep 2013
Advisory Status: Closed
Advisory Severity: High
CVSS Base Score: CVSS v2: 8.5
Legacy ID: SA75
When a ProxySG appliance is configured as a forward or reverse proxy for HTTP traffic, some web sites can push the system into memory regulation because of the high number of HTTP RW pipeline prefetch requests they generate. The result is slow, dropped, or blocked connections and, in the worst case, a system crash or reboot. This can effectively be treated as a denial-of-service (DoS) condition.
All SGOS versions prior to 6.5.2, except version 220.127.116.11, are vulnerable in both forward and reverse proxy modes. The Management Console, the Command Line Interface (CLI), and other administrative functions are not affected.
Where a fix is available, SGOS enforces a maximum memory allocation for prefetching. When HTTP proxy prefetch requests would exceed that limit, the proxy times out the excess requests and retries them later instead of allocating without bound. The fixed releases are available to customers with a valid BlueTouch Online login.
SGOS 6.5 – A fix is available in 6.5.2.
SGOS 6.4 – A fix is available in 18.104.22.168.
SGOS 6.3 – A fix is available in 22.214.171.124.
SGOS 6.2 – A fix is available in 126.96.36.199.
SGOS 6.1 – A fix will not be provided. Please upgrade to a later version that contains the fix.
SGOS 5.5 – A fix is available in 188.8.131.52.
SGOS 5.4 – A fix is available in 184.108.40.206, which is a patch release. The fix is available on the patch release page.
SGOS 5.3 and earlier – Please upgrade to a later version.
CVE-2013-5959 - CVSS v2 base score: 8.5 (AV:N/AC:M/Au:N/C:N/I:P/A:C)
This issue is memory exhaustion and/or pipeline overload caused by the high number of HTTP RW pipeline prefetch requests that some web sites generate. It can effectively be used as a denial-of-service (DoS) attack and can be triggered remotely, for example by distributing spam email or similar lures in which the target user clicks through to a site that triggers the memory regulation issue. Because no authentication is required and the effect is loss of proxy availability for all users, the issue is assessed as high severity.
Sites with a high number of recursively embedded HREFs in their HTML can quickly cause one of the following scenarios:
Memory regulation and/or crash/reboot when unlimited retrieval workers are allowed on the ProxySG and a large number of retrieval workers are created.
Crash/reboot when retrieval workers are constrained on the proxy and a large number of retrieval workers are created.
Random HTTP response delays in less severe cases.
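The fan-out described above, and the effect of the bounded prefetch allocation that the fixed releases introduce, can be modelled without an appliance. The following is an added example written for this page; it is not SGOS code and does not reproduce the ProxySG implementation. It builds a constructed in-memory site in which every page embeds several iframes that each embed several more, parses each fetched body for embedded objects the way a pipelining prefetcher would, and counts how many objects are retrieved and how many bytes are held for one client request. `max_prefetch_bytes` is a hypothetical parameter standing in for the maximum prefetching allocation; the numbers it produces describe only this model.

```python
"""Model of HTTP prefetch pipelining fan-out on recursively embedded objects.

Constructed example, not SGOS code. It shows why a page tree with
`fanout` embedded objects per level and `depth` levels makes a pipelining
prefetcher retrieve fanout^depth objects for a single client request, and
how a memory budget (stand-in for the fix's maximum prefetch allocation)
bounds the damage by deferring, rather than issuing, the excess requests.
"""
from collections import deque
from html.parser import HTMLParser


class EmbeddedObjectParser(HTMLParser):
    """Collects the URLs of objects a browser would load automatically."""

    # Tag -> attribute that references an embedded object.
    EMBED_ATTRS = {"img": "src", "script": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = self.EMBED_ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.urls.append(value)


def extract_embedded(html):
    """Return the embedded-object URLs found in one HTML body, in document order."""
    parser = EmbeddedObjectParser()
    parser.feed(html)
    return parser.urls


def build_site(fanout, depth):
    """Constructed origin: a dict of path -> HTML body.

    Every page above the leaf level embeds `fanout` iframes one level deeper,
    so the tree holds 1 + fanout + ... + fanout**depth pages.
    """
    site = {}

    def make_page(path, level):
        if level == depth:
            site[path] = "<html><body>leaf</body></html>"
            return
        frames = "".join(f'<iframe src="{path}/{i}"></iframe>' for i in range(fanout))
        site[path] = f"<html><body>{frames}</body></html>"
        for i in range(fanout):
            make_page(f"{path}/{i}", level + 1)

    make_page("/index", 0)
    return site


def prefetch(site, root="/index", pipeline_embedded=True, max_prefetch_bytes=None):
    """Simulate prefetching for one client request to `root`.

    Returns (fetched, peak_bytes, deferred):
      fetched    objects retrieved on behalf of the client
      peak_bytes largest amount of prefetched data held at once
      deferred   requests skipped because the budget was exhausted
                 (the model's stand-in for the fix's timeout-and-retry)
    Prefetched bodies stay allocated until the client asks for them, so the
    held total only grows within one request; that is the memory the
    unbounded case exhausts.
    """
    queue = deque([root])
    fetched = held = peak = deferred = 0
    while queue:
        url = queue.popleft()
        body = site.get(url)
        if body is None:
            continue  # unknown object: nothing to allocate
        size = len(body.encode("utf-8"))
        if max_prefetch_bytes is not None and held + size > max_prefetch_bytes:
            deferred += 1  # budget exhausted: do not expand this object
            continue
        held += size
        peak = max(peak, held)
        fetched += 1
        if pipeline_embedded:
            # Pipelining: every embedded object becomes a new prefetch request.
            queue.extend(extract_embedded(body))
    return fetched, peak, deferred


if __name__ == "__main__":
    site = build_site(fanout=3, depth=3)  # 40 pages for one click
    print("pipelining, unlimited :", prefetch(site))
    print("pipelining, 500-byte cap:", prefetch(site, max_prefetch_bytes=500))
    print("pipelining disabled     :", prefetch(site, pipeline_embedded=False))
```

With pipelining on and no limit, one click retrieves all 40 constructed pages and holds every byte of them; with the budget, the prefetcher stops after the first few objects and defers the rest; with embedded-object pipelining turned off (the workaround described below), only the requested page is fetched. Raising `fanout` or `depth` shows the exponential growth that drives the appliance into memory regulation.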
The workaround is to disable pipelining for HTTP proxy traffic. To disable pipelining, select Configuration > Proxy Settings > HTTP Proxy > Acceleration in the Management Console. Under Acceleration Settings, clear the checkboxes beside the following options:
Pipeline embedded objects client request
Pipeline redirects for client request
Pipeline embedded objects in prefetch request
Pipeline redirects for prefetch request
Click Apply to save your changes.
The associated CLI commands to disable pipelining are as follows:
http no pipeline client requests
http no pipeline client redirects
http no pipeline prefetch requests
http no pipeline prefetch redirects
Refer to the SGOS Administration Guide for your version of SGOS for details.
2015-01-27 A fix will not be provided in 6.1.x. Marking as Final.
2014-05- Updated fix information for 6.3.x and 5.5.x and made minor revisions.
2013-11-29 Updated patch information for 6.4.x.
2013-11-11 Corrected links.
2013-10-14 Updated workaround.
2013-10-04 Updated details and workaround.
2013-10-01 Edited with new workaround.
2013-10-01 Edited with new CVE number.
2013-09-24 Initial public release.