Vulnerabilities > CVE-2012-5533 - Resource Management Errors vulnerability in Lighttpd 1.4.31/1.4.32
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
NONE Availability impact
PARTIAL Summary
The http_request_split_value function in request.c in lighttpd before 1.4.32 allows remote attackers to cause a denial of service (infinite loop) via a request with a header containing an empty token, as demonstrated using the "Connection: TE,,Keep-Alive" header. Per: http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2012_01.txt " Affected versions ------------------- Only 1.4.31; on the other hand versions before 1.4.31 include the "invalid read" bug."
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 2 |
Common Weakness Enumeration (CWE)
Exploit-Db
| description | lighttpd 1.4.31 - Denial of Service PoC. CVE-2012-5533. Dos exploit for linux platform |
| file | exploits/linux/dos/22902.sh |
| id | EDB-ID:22902 |
| last seen | 2016-02-02 |
| modified | 2012-11-22 |
| platform | linux |
| port | |
| published | 2012-11-22 |
| reporter | t4c |
| source | https://www.exploit-db.com/download/22902/ |
| title | lighttpd 1.4.31 - Denial of Service PoC |
| type | dos |
Nessus
NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2013-179.NASL description The http_request_split_value function in request.c in lighttpd before 1.4.32 allows remote attackers to cause a denial of service (infinite loop) via a request with a header containing an empty token, as demonstrated using the last seen 2020-06-01 modified 2020-06-02 plugin id 69738 published 2013-09-04 reporter This script is Copyright (C) 2013-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/69738 title Amazon Linux AMI : lighttpd (ALAS-2013-179) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Amazon Linux AMI Security Advisory ALAS-2013-179. # include("compat.inc"); if (description) { script_id(69738); script_version("1.5"); script_cvs_date("Date: 2018/04/18 15:09:35"); script_cve_id("CVE-2012-5533"); script_xref(name:"ALAS", value:"2013-179"); script_name(english:"Amazon Linux AMI : lighttpd (ALAS-2013-179)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Amazon Linux AMI host is missing a security update." ); script_set_attribute( attribute:"description", value: "The http_request_split_value function in request.c in lighttpd before 1.4.32 allows remote attackers to cause a denial of service (infinite loop) via a request with a header containing an empty token, as demonstrated using the 'Connection: TE,,Keep-Alive' header." ); script_set_attribute( attribute:"see_also", value:"https://alas.aws.amazon.com/ALAS-2013-179.html" ); script_set_attribute( attribute:"solution", value:"Run 'yum update lighttpd' to update your system." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:lighttpd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:lighttpd-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:lighttpd-fastcgi"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:lighttpd-mod_geoip"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:lighttpd-mod_mysql_vhost"); script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux"); script_set_attribute(attribute:"patch_publication_date", value:"2013/04/11"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/09/04"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc."); script_family(english:"Amazon Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/AmazonLinux/release"); if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux"); os_ver = pregmatch(pattern: "^AL(A|\d)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux"); os_ver = os_ver[1]; if (os_ver != "A") { if (os_ver == 'A') os_ver = 'AMI'; audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver); } if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (rpm_check(release:"ALA", reference:"lighttpd-1.4.31-1.5.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"lighttpd-debuginfo-1.4.31-1.5.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"lighttpd-fastcgi-1.4.31-1.5.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"lighttpd-mod_geoip-1.4.31-1.5.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"lighttpd-mod_mysql_vhost-1.4.31-1.5.amzn1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "lighttpd / lighttpd-debuginfo / lighttpd-fastcgi / etc"); }NASL family SuSE Local Security Checks NASL id OPENSUSE-2012-801.NASL description - Fixing bnc#790258 CVE-2012-5533: Denial of Service via specially crafted HTTP header. Added patches: 0001-Fix-DoS-in-header-value-split-reported-by-Jesse-Sip p.patch 0001-remove-whitespace-at-end-of-header-keys.patch last seen 2020-06-05 modified 2014-06-13 plugin id 74819 published 2014-06-13 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/74819 title openSUSE Security Update : lighttpd (openSUSE-SU-2012:1532-1) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201406-10.NASL description The remote host is affected by the vulnerability described in GLSA-201406-10 (lighttpd: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in lighttpd. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could create a Denial of Service condition. Futhermore, a remote attacker may be able to execute arbitrary SQL statements. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 76062 published 2014-06-16 reporter This script is Copyright (C) 2014-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/76062 title GLSA-201406-10 : lighttpd: Multiple vulnerabilities NASL family Web Servers NASL id LIGHTTPD_1_4_32.NASL description According to its banner, the version of lighttpd running on the remote host is 1.4.31. It is, therefore, affected by a denial of service vulnerability. An error in the http_request_split_value() function in last seen 2020-06-01 modified 2020-06-02 plugin id 63094 published 2012-11-29 reporter This script is Copyright (C) 2012-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/63094 title lighttpd 1.4.31 http_request_split_value Function Header Handling DoS NASL family Fedora Local Security Checks NASL id FEDORA_2013-15344.NASL description One important denial of service (in 1.4.31) fix: CVE-2012-5533. A flaw was found in lighttpd version 1.4.31 that could be exploited by a remote user to cause a denial of service condition in lighttpd. A client could send a malformed Connection header to lighttpd (such as last seen 2020-03-17 modified 2013-09-04 plugin id 69774 published 2013-09-04 reporter This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/69774 title Fedora 18 : lighttpd-1.4.32-1.fc18 (2013-15344) NASL family Fedora Local Security Checks NASL id FEDORA_2013-15345.NASL description One important denial of service (in 1.4.31) fix: CVE-2012-5533. A flaw was found in lighttpd version 1.4.31 that could be exploited by a remote user to cause a denial of service condition in lighttpd. A client could send a malformed Connection header to lighttpd (such as last seen 2020-03-17 modified 2013-09-04 plugin id 69775 published 2013-09-04 reporter This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/69775 title Fedora 19 : lighttpd-1.4.32-1.fc19 (2013-15345) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_1CD3CA4233E611E2A2555404A67EEF98.NASL description Lighttpd security advisory reports : Certain Connection header values will trigger an endless loop, for example : last seen 2020-06-01 modified 2020-06-02 plugin id 63016 published 2012-11-23 reporter This script is Copyright (C) 2012-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/63016 title FreeBSD : lighttpd -- remote DoS in header parsing (1cd3ca42-33e6-11e2-a255-5404a67eef98) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2013-100.NASL description The http_request_split_value function in request.c in lighttpd before 1.4.32 allows remote attackers to cause a denial of service (infinite loop) via a request with a header containing an empty token, as demonstrated using the Connection: TE,,Keep-Alive header (CVE-2012-5533). last seen 2020-06-01 modified 2020-06-02 plugin id 66112 published 2013-04-20 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/66112 title Mandriva Linux Security Advisory : lighttpd (MDVSA-2013:100)
Packetstorm
| data source | https://packetstormsecurity.com/files/download/118282/simplelighttpd-dos.txt |
| id | PACKETSTORM:118282 |
| last seen | 2016-12-05 |
| published | 2012-11-22 |
| reporter | Milan Berger |
| source | https://packetstormsecurity.com/files/118282/Simple-Lighttpd-1.4.31-Denial-Of-Service.html |
| title | Simple Lighttpd 1.4.31 Denial Of Service |
Seebug
bulletinFamily exploit description No description provided by source. id SSV:76695 last seen 2017-11-19 modified 2014-07-01 published 2014-07-01 reporter Root source https://www.seebug.org/vuldb/ssvid-76695 title lighttpd 1.4.31 Denial of Service PoC bulletinFamily exploit description CVE(CAN) ID: CVE-2012-5533 lighttpd是一款开源的轻量级Web服务器。 lighttpd 1.4.31在处理某些HTTP请求头时,"http_request_split_value()"函数(src/request.c)在处理特制的"Connection"报头域时会陷入无限循环。攻击者利用此漏洞可导致Lighttpd拒绝服务。 0 lighttpd 1.4.31 厂商补丁: Lighttpd -------- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: http://download.lighttpd.net/lighttpd/security/lighttpd-1.4.31_fix_connection_header_dos.patch id SSV:60476 last seen 2017-11-19 modified 2012-11-23 published 2012-11-23 reporter Root title lighttpd畸形HTTP Connection域处理拒绝服务漏洞
References
- http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2012_01.txt
- http://download.lighttpd.net/lighttpd/security/lighttpd-1.4.31_fix_connection_header_dos.patch
- http://lists.opensuse.org/opensuse-updates/2012-11/msg00044.html
- http://lists.opensuse.org/opensuse-updates/2014-01/msg00051.html
- http://marc.info/?l=bugtraq&m=141576815022399&w=2
- http://osvdb.org/87623
- http://packetstormsecurity.org/files/118282/Simple-Lighttpd-1.4.31-Denial-Of-Service.html
- http://secunia.com/advisories/51268
- http://secunia.com/advisories/51298
- http://www.exploit-db.com/exploits/22902
- http://www.mandriva.com/security/advisories?name=MDVSA-2013:100
- http://www.openwall.com/lists/oss-security/2012/11/21/1
- http://www.securityfocus.com/bid/56619
- http://www.securitytracker.com/id?1027802
- https://exchange.xforce.ibmcloud.com/vulnerabilities/80213
- https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0345