Security Advisories

September 9, 2013 – Recursive HTTP pipeline pre-fetch can cause memory regulation (CVE-2013-5959)

Security Advisories ID:    SA75
Version:    12.0
Status:    Published
Published date:    09/23/2013
Updated:    11/29/2013
 

Advisory Status

Interim

Advisory Severity

CVE-2013-5959 - High, CVSS v2 base score: 8.5 (AV:N/AC:M/Au:N/C:N/I:P/A:C)

CVE Number

CVE-2013-5959 - High, CVSS v2 base score: 8.5 (AV:N/AC:M/Au:N/C:N/I:P/A:C)

Summary

When forward or reverse proxying of HTTP traffic is enabled on a ProxySG appliance, some web sites can cause the system to enter memory regulation due to a high number of HTTP RW pipeline pre-fetch requests, resulting in slow, dropped or blocked connections and/or a system crash/reboot. This can effectively be deemed a denial-of-service (DoS) attack.

Affected Products

All SGOS versions prior to 6.5.2 except version 6.2.14.1 are vulnerable in both forward and reverse proxy modes. This has no impact on Management Console, Command Line Interface (CLI), or administrative functions.

Details

This issue involves memory exhaustion and/or pipeline overload due to a high number of HTTP RW pipeline pre-fetch requests from some web sites. This can effectively be deemed a denial-of-service (DoS) attack and can be triggered remotely by distributing spam email or similar mechanisms where the target user clicks through to a site that triggers the memory regulation issue. Due to the nature of the issue, this is assessed as high severity.

Sites with a high number of recursively embedded HREFs in the HTML can quickly cause one of the following scenarios:

  1. Memory regulation and/or crash/reboot when unlimited retrieval workers are allowed on the ProxySG and a large number of retrieval workers are created.
  2. Crash/reboot when retrieval workers are constrained on the proxy and a large number of retrieval workers are created.
  3. Random HTTP response delays in less severe cases.

Workarounds

The workaround is to disable pipelining on this traffic. To disable pipelining, select Configuration > Proxy Settings > HTTP Proxy > Acceleration in the Management Console. Under Acceleration Settings, clear the checkboxes beside the following options:

  • Pipeline embedded objects client request
  • Pipeline redirects for client request
  • Pipeline embedded objects in prefetch request
  • Pipeline redirects for prefetch request

Click Apply to save your changes.

The associated CLI commands to disable pipelining are as follows:

http no pipeline client requests
http no pipeline client redirects
http no pipeline prefetch requests
http no pipeline prefetch redirects

Refer to the SGOS Administration Guide for your version of SGOS for details:

https://bto.bluecoat.com/documentation/pubs/ProxySG

Patches

ProxySG

SGOS 6.5 – A fix is available in 6.5.2 which sets a maximum prefetching memory allocation size. This forces a timeout and retry when there are too many requests for HTTP proxy services. The fix is available to customers with a valid BlueTouch Online login from the SGOS 6.5.x release page.

SGOS 6.4 – A fix is available in 6.4.5.1 and later which sets a maximum prefetching memory allocation size. This forces a timeout and retry when there are too many requests for HTTP proxy services. The fix is available to customers with a valid BlueTouch Online login from the SGOS 6.4.x release page.

SGOS 6.3 – A fix is not yet available as of 6.3.6.1.

SGOS 6.2 – A fix is available in 6.2.14.1 which sets a maximum prefetching memory allocation size. This forces a timeout and retry when there are too many requests for HTTP proxy services. The fix is available to customers with a valid BlueTouch Online login from the SGOS 6.2.x release page.

SGOS 6.1 – A fix is not yet available as of 6.1.6.3.

SGOS 5.5 – A fix is not yet available as of 5.5.11.3.

SGOS 5.4 – A fix is available in 5.4.12.9 which sets a maximum prefetching memory allocation size. This forces a timeout and retry when there are too many requests for HTTP proxy services. The fix is available to customers with a valid BlueTouch Online login from the relevant patch release page.

SGOS 5.3 and earlier – Please upgrade to a later version.
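The following triage helper is an added example, not Blue Coat code: it encodes the fixed builds named in the Patches section above and the four CLI workaround commands so that an inventory of SGOS versions and config dumps can be checked against SA75. It assumes that versions are dotted integers, that within a release branch every build at or above the listed fixed build carries the fix, and that a branch with no listed fix stays vulnerable; the "no-fix" branches are those the advisory names as having no fix as of the builds quoted there.

```python
"""Triage helper for Blue Coat SA75 (CVE-2013-5959). Example code, not from the advisory."""
import re

# Fixed builds per release branch, as listed in the Patches section of SA75.
FIXED_BUILDS = {
    (6, 5): (6, 5, 2),
    (6, 4): (6, 4, 5, 1),
    (6, 2): (6, 2, 14, 1),
    (5, 4): (5, 4, 12, 9),
}
# Branches the advisory says have no fix yet (6.3.x, 6.1.x, 5.5.x).
NO_FIX_BRANCHES = {(6, 3), (6, 1), (5, 5)}
# Everything from 6.5.2 upward is outside the "prior to 6.5.2" affected range.
LATEST_FIXED = (6, 5, 2)

FIXED = "fixed"
UPGRADE_IN_BRANCH = "vulnerable: upgrade to the fixed build in this branch"
APPLY_WORKAROUND = "vulnerable: no fix in this branch, disable pipelining"
UPGRADE_LATER = "vulnerable: upgrade to a later version"

# The four workaround commands quoted in the advisory.
WORKAROUND_COMMANDS = (
    "http no pipeline client requests",
    "http no pipeline client redirects",
    "http no pipeline prefetch requests",
    "http no pipeline prefetch redirects",
)


def parse_version(text):
    """'6.4.5.1' -> (6, 4, 5, 1); rejects anything that is not dotted integers."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)+", text):
        raise ValueError(f"not an SGOS version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def sa75_status(version):
    """Classify one SGOS version against the fixed builds in SA75."""
    v = parse_version(version)
    if v >= LATEST_FIXED:
        return FIXED
    branch = v[:2]
    if branch in FIXED_BUILDS:  # tuple comparison handles 3- vs 4-part builds
        return FIXED if v >= FIXED_BUILDS[branch] else UPGRADE_IN_BRANCH
    if branch in NO_FIX_BRANCHES:
        return APPLY_WORKAROUND
    return UPGRADE_LATER


def missing_workaround_commands(config_text):
    """Return the SA75 workaround commands absent from a config dump (assumed one command per line)."""
    present = {line.strip() for line in config_text.splitlines()}
    return [cmd for cmd in WORKAROUND_COMMANDS if cmd not in present]
```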

Advisory History

11/29/13: Updated patch information for 6.4.x.

11/11/2013: Corrected links.

10/14/13: Updated workaround.

10/4/13: Updated details and workaround.

10/1/13: Edited with new workaround.

10/1/13: Edited with new CVE number.

9/24/13: Initial public release.
