-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0403
                      Slow HTTP DoS Attacks Mitigation
                               4 February 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           FortiOS
                   FortiManager
                   FortiAP-S/W2
                   FortiSwitch
                   FortiAnalyzer
Publisher:         FortiGuard
Operating System:  Network Appliance
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-17657 CVE-2007-6750
Reference:         ESB-2018.3312
                   ESB-2017.0818
                   ESB-2016.1388
                   ESB-2016.1114
                   ESB-2013.0533

Original Bulletin:
   https://fortiguard.com/psirt/FG-IR-19-013

- --------------------------BEGIN INCLUDED TEXT--------------------

Slow HTTP DoS Attacks Mitigation

IR Number : FG-IR-19-013
Date      : Feb 03, 2020
Risk      : 3/5
Impact    : Denial of service (DoS)
CVE ID    : CVE-2019-17657, CVE-2007-6750

Summary

An Uncontrolled Resource Consumption vulnerability in multiple products may
allow an attacker to cause a denial of service (DoS) of the web service portal
by sending specially crafted HTTP requests/responses in pieces, slowly.

Slow HTTP attacks are denial-of-service (DoS) attacks in which the attacker
sends HTTP requests in pieces slowly, one at a time, to a web server. If an HTTP
request is not complete, or if the transfer rate is very low, the server keeps
its resources busy waiting for the rest of the data. When the server's
concurrent connection pool reaches its maximum, this creates a DoS. Slow HTTP
attacks are easy to execute because they require only minimal resources from
the attacker.
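The mechanism described in the Summary above, together with the trusted-hosts
workaround listed under Solutions below, as an added Python example. This is
illustrative code written for this bulletin, not Fortinet's implementation and
not the reporters' proof of concept. It models a request-head reader that applies
the controls from the referenced Qualys guidance (a deadline for the complete
request head, a minimum receive rate, a head size cap, a per-source connection
cap) in front of an allowlist check equivalent to the trusted-hosts workaround.
The traffic samples are constructed, and the hostnames, network ranges and
thresholds are assumptions chosen for the demonstration.

```python
"""Added example: countermeasures against slow HTTP (Slowloris-style) requests.
Illustrative only; not Fortinet code. Traffic, addresses and limits are made up."""
import ipaddress
import itertools
from typing import Dict, Iterable, Iterator, Tuple

Chunk = Tuple[float, bytes]  # (seconds since the connection was accepted, bytes received)


class SlowClientError(Exception):
    """Raised when a client fails to deliver a complete request head in time."""


def is_trusted_host(client_ip: str, trusted_networks: Iterable[str]) -> bool:
    """Trusted-hosts allowlist, the workaround the advisory describes: only listed
    source networks may reach the admin listener at all."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in trusted_networks)


class PerSourceLimiter:
    """Caps concurrent connections per source IP and overall, so one slow client
    cannot hold every slot in the connection pool."""

    def __init__(self, per_ip: int, total: int) -> None:
        self.per_ip, self.total = per_ip, total
        self.active: Dict[str, int] = {}

    def acquire(self, ip: str) -> bool:
        if sum(self.active.values()) >= self.total or self.active.get(ip, 0) >= self.per_ip:
            return False
        self.active[ip] = self.active.get(ip, 0) + 1
        return True

    def release(self, ip: str) -> None:
        if self.active.get(ip, 0) > 0:
            self.active[ip] -= 1


def read_request_head(chunks: Iterable[Chunk], header_deadline: float = 10.0,
                      min_rate_bps: float = 500.0, max_head_bytes: int = 8192) -> bytes:
    """Consume socket reads until the blank line that ends the request head.
    Rejects a client that exceeds the head deadline, trickles data below the
    minimum rate, or oversizes the head. Exhaustion of `chunks` models the
    socket read timeout firing with nothing further received."""
    buf = b""
    for elapsed, data in chunks:
        if elapsed > header_deadline:
            raise SlowClientError(f"request head not complete after {elapsed:.1f}s")
        buf += data
        if len(buf) > max_head_bytes:
            raise SlowClientError("request head exceeds size limit")
        # Rate is only meaningful once some time has passed; a fast client that
        # delivers everything in one read is never penalised.
        if elapsed > 1.0 and len(buf) / elapsed < min_rate_bps:
            raise SlowClientError(f"receive rate {len(buf) / elapsed:.0f} B/s below minimum")
        end = buf.find(b"\r\n\r\n")
        if end != -1:
            return buf[:end + 4]
    raise SlowClientError("read timeout before request head completed")


def admit(client_ip: str, trusted_networks: Iterable[str], limiter: PerSourceLimiter,
          chunks: Iterable[Chunk], **limits) -> str:
    """Run the controls in order; returns 'accepted' or 'rejected: <reason>'."""
    if not is_trusted_host(client_ip, trusted_networks):
        return "rejected: source not in trusted hosts"
    if not limiter.acquire(client_ip):
        return "rejected: connection limit for source reached"
    try:
        read_request_head(chunks, **limits)
        return "accepted"
    except SlowClientError as exc:
        return f"rejected: {exc}"
    finally:
        limiter.release(client_ip)


# Constructed traffic samples (not captures from any device).
NORMAL_REQUEST = [(0.02, b"GET /login HTTP/1.1\r\nHost: fw.example.test\r\n\r\n")]
# One byte every half second: the request line alone would take eight seconds.
TRICKLE_REQUEST = [(0.5 * i, bytes([c])) for i, c in enumerate(b"GET / HTTP/1.1\r\n", start=1)]


def slowloris_stream(interval: float = 9.0) -> Iterator[Chunk]:
    """A valid request line, then one bogus header every `interval` seconds,
    never sending the blank line that would complete the head."""
    yield (0.0, b"GET / HTTP/1.1\r\nHost: fw.example.test\r\n")
    for i in itertools.count(1):
        yield (i * interval, f"X-pad{i}: x\r\n".encode())


if __name__ == "__main__":
    limiter = PerSourceLimiter(per_ip=2, total=50)
    trusted = ["10.1.1.0/24"]
    print(admit("10.1.1.20", trusted, limiter, NORMAL_REQUEST))
    print(admit("10.1.1.20", trusted, limiter, slowloris_stream()))
    print(admit("10.1.1.20", trusted, limiter, TRICKLE_REQUEST))
    print(admit("203.0.113.9", trusted, limiter, NORMAL_REQUEST))
```

The order of the checks matters: the allowlist and the per-source cap cost nothing
and run before any bytes are read, so an untrusted or over-quota source never
occupies a reader at all. The rate and deadline checks are what actually evict a
Slowloris client, which by design keeps each connection just alive enough to stay
below a naive idle timeout. On FortiOS the allowlist corresponds to the trusthost
entries configured per administrator; consult the CLI reference for the firmware
in use for the exact syntax.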
Impact

Denial of service (DoS)

Affected Products

The admin web UI of the following products/versions is affected:

FortiOS versions 6.2.2 and below
FortiSwitch versions below 3.6.11, 6.0.6 and 6.2.2
FortiAnalyzer all versions below 6.2.3
FortiManager all versions below 6.2.3
FortiAP-S/W2 versions below 6.2.2

Solutions

The following products/versions have implemented counter-measures:

Upgrade to FortiOS 6.2.3
Upgrade to FortiSwitch 3.6.11, 6.0.6 or 6.2.2
Upgrade to FortiAnalyzer 6.2.3
Upgrade to FortiManager 6.2.3
Upgrade to FortiAP-S/W2 6.2.2

When supported, configuring trusted hosts for system administrators is a
workaround, assuming those hosts are trusted not to initiate an attack.

Acknowledgement

Fortinet is pleased to thank the independent research team of Denis Kolegov,
Maxim Gorbunov, Nikita Oleksov and Anton Nikolaev for reporting this
vulnerability under responsible disclosure.

References

o https://blog.qualys.com/securitylabs/2011/11/02/how-to-protect-against-slow-http-attacks

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is maintained
within your organisation, so if you do not wish to continue receiving these
bulletins you should contact your local IT manager. If you do not know who
that is, please send an email to auscert@auscert.org.au and we will forward
your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures.
AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXjj1nmaOgq3Tt24GAQhSqhAAwtjJeWx8Mjf3TMd4NtWqeKtvzuAK/O86
cTTDNZs7uyGJF8Eg3+ZMHFTv+ZdD4lwrnVn6Lc/nkGe5zogHnikZ5SayWKiKDi3h
nW1+39AsQMf9LXX6gBL0Qtg3mnf68ddh6/KtlQIJXlDAzSZjsxLNL0Fhv9bLR52p
5wmeaPdHKuL8RKGlVt6I6NQRlG82+6ag0MxOJHQTVm5kFIIKD4nUsydepK3S44d1
DoCH12EJVcDwb13gXLUovCiTCEtj6GXvS3wuihVA5PzwD792Wht+mBjul64WMJBD
15HwPoKQcgidTmTNbBf6k3biEHyfm9oFcZqRXQSP9/BAm9ZgY5y6ZeKipX8sdoYr
n9H0OYlpKNPLzFN4LkSxQtXpVquhCz2CzqZ09Bhf4HGY+hWysgjWyrxi2i4CRAd0
wycNwEvUptbrfggBYejJ/qrmzghP6m0sv322BiZfBbXpa7kyVRVjfDXoEK6e+nvO
21Oi8LAUgUskG2lb4Rmr4mFVFtF8+V0HmYzk/jOx5yRrM2hsRsPbbkc95Qy+znYT
hyJc8wfMGt8aaRyO5c9tQVhF2LU+1PlBt3Jvmy5VVzlNp0ll1ResIvOSnKMg7+Dd
xbzrlwXtsN9ScoC/1WB5/nDsuB5XtvVb6l2C2Mddoi6tstjoPXcDfXR5OVEuF5Gr
KRVRY+M3BJ8=
=Z6yR
-----END PGP SIGNATURE-----