securityvulns SECURITYVULNS:DOC:22109
Jul 03, 2009 - 12:00 a.m.

Artofdefence Hyperguard Web Application Firewall: Remote Denial of Service


Security Advisory

Vulnerable Software: Artofdefence Hyperguard Web Application Firewall
Vulnerable Version: 3 branches: prior to 3.1.1-11637; prior to
3.0.3-11636; prior to 2.5.5-11635 (Apache Plug-in)
Homepage: http://www.artofdefence.com/
Found by: Michael Kirchner, Wolfgang Neudorfer,
Lukas Nothdurfter (Team h4ck!nb3rg)
Impact: Remote Denial of Service

Product Description

Hyperguard is a latest-generation enterprise Web application firewall
with attack detection and attack protection functions that are freely
configurable. Hyperguard enables centralised security monitoring,
reporting and alerting and provides custom protection for your Web
applications against external attacks.
[Source: http://www.artofdefence.com/en/hyperguard/hyperguard.html]

Vulnerability Description

The Artofdefence Hyperguard Web Application Firewall operates as a
reverse proxy module between the clients and the web server to be
protected. All HTTP requests are checked before being forwarded to the
web server. By sending specially crafted HTTP POST requests an attacker
is able to trigger high memory usage on the WAF. By repeatedly sending
the request the available memory is exhausted resulting in a kernel
panic and therefore a denial of service.
The vulnerability can be triggered by sending HTTP POST requests with a
high "Content-Length" header value set but without transmitting any
content. Artofdefence Hyperguard is available as a plug-in for several
web servers. The vulnerability was confirmed in connection with the
Apache web server module. Other modules have not been tested.
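
Added illustration, not part of the advisory and not Hyperguard code: the advisory does not state the root cause, so this Python sketch assumes a proxy that would otherwise commit memory according to the declared "Content-Length". It shows a body reader that rejects oversized declarations up front and buffers only bytes actually received. MAX_BODY, CHUNK and all function names are hypothetical.

```python
import io

MAX_BODY = 1024 * 1024  # assumed policy limit for buffered request bodies
CHUNK = 8192            # read size; memory grows by at most this per step


class BodyRejected(Exception):
    """Raised with the HTTP status the proxy should answer with."""

    def __init__(self, status, reason):
        super().__init__(reason)
        self.status = status


def read_body(stream, content_length, max_body=MAX_BODY):
    """Read a request body from `stream` without trusting Content-Length.

    `stream` is any object with read(n); for a socket the caller is assumed
    to have set a read timeout so a silent client cannot hold the slot.
    """
    # Strict parse: 1-19 ASCII digits, no sign, no whitespace.
    if not content_length or len(content_length) > 19 or not (
            content_length.isascii() and content_length.isdigit()):
        raise BodyRejected(400, "invalid Content-Length")
    declared = int(content_length)
    # Refuse before allocating anything for the body.
    if declared > max_body:
        raise BodyRejected(413, "declared body exceeds limit")
    buf = bytearray()  # grows with bytes received, never with `declared`
    while len(buf) < declared:
        chunk = stream.read(min(CHUNK, declared - len(buf)))
        if not chunk:  # peer stopped sending before the declared length
            raise BodyRejected(400, "body shorter than Content-Length")
        buf += chunk
    return bytes(buf)


def classify(raw_body, content_length):
    """Return the status a proxy would send for one constructed request."""
    try:
        read_body(io.BytesIO(raw_body), content_length)
        return 200
    except BodyRejected as exc:
        return exc.status
```

A declared length above the limit is answered with 413 before any body buffer exists, and a request that declares a length within the limit but sends nothing is answered with 400 with nothing buffered.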

Proof of Concept

With 1 GB of free memory available on the WAF the kernel panic occurred
after sending ~350 crafted requests.

Vulnerable Versions

The tested version was of the 3.1.1 branch prior to 3.1.1-11637.
According to the vendor the other two branches were also vulnerable (see
version description in the header).

Patch

The vendor provides an updated version of the product for all three
branches (see version description in the header).

Contact Timeline

2009-05-22: Vendor informed
2009-05-22: Initial vendor reply
2009-05-25: Vulnerability confirmed
2009-05-29: Patched version available
2009-07-01: Public release

Further information

Information about the web application firewall project this advisory
originates from can be found at:
http://www.h4ck1nb3rg.at/wafs/