-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0403
                     Slow HTTP DoS Attacks Mitigation
                              4 February 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           FortiOS
                   FortiManager
                   FortiAP-S/W2
                   FortiSwitch
                   FortiAnalyzer
Publisher:         FortiGuard
Operating System:  Network Appliance
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-17657 CVE-2007-6750 

Reference:         ESB-2018.3312
                   ESB-2017.0818
                   ESB-2016.1388
                   ESB-2016.1114
                   ESB-2013.0533

Original Bulletin: 
   https://fortiguard.com/psirt/FG-IR-19-013

- --------------------------BEGIN INCLUDED TEXT--------------------

Slow HTTP DoS Attacks Mitigation

IR Number : FG-IR-19-013

Date      : Feb 03, 2020

Risk      : 3/5

Impact    : Denial of service (DoS)

CVE ID    : CVE-2019-17657, CVE-2007-6750

Summary

An Uncontrolled Resource Consumption vulnerability in multiple products may
allow an attacker to cause a denial of service (DoS) of the web service portal
by sending specially crafted HTTP requests/responses in pieces, slowly.

Slow HTTP attacks are denial-of-service (DoS) attacks in which the attacker
sends HTTP requests in pieces slowly, one at a time to a Web server. If an HTTP
request is not complete, or if the transfer rate is very low, the server keeps
its resources busy waiting for the rest of the data. When the server's
concurrent connection pool reaches its maximum, this creates a DoS. Slow HTTP
attacks are easy to execute because they require only minimal resources from
the attacker.
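The mechanism described above (a server that waits indefinitely for the rest of a partial request, until its connection pool is full) is defeated by bounding how long request headers may take and how slowly bytes may trickle in. The watchdog below is an added illustrative example, not Fortinet's code or the advisory's: it replays constructed connection traces against such limits and reports which connections a server should drop. Class and function names, thresholds and the sample traces are all assumptions.

```python
"""Slow-HTTP connection watchdog.

Added example, not code from Fortinet or from the advisory: it models the
server-side limits that counter the attack the advisory describes. A server
that waits indefinitely for the rest of a partial request lets a few slow
senders occupy its whole connection pool; bounding how long headers may take
and how slowly bytes may arrive frees those slots. All connection traces
below are constructed sample data; names and thresholds are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

HEADER_END = b"\r\n\r\n"


def expected_body_length(headers: bytes) -> int:
    """Content-Length from a header block, 0 if absent or malformed."""
    for line in headers.split(b"\r\n"):
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            try:
                return int(value.strip())
            except ValueError:
                return 0
    return 0


@dataclass
class Connection:
    conn_id: str
    opened_at: float                                   # monotonic seconds
    chunks: List[Tuple[float, bytes]] = field(default_factory=list)  # (arrival time, data)

    def received(self, until: float) -> bytes:
        return b"".join(data for ts, data in self.chunks if ts <= until)

    def headers_complete(self, until: float) -> bool:
        return HEADER_END in self.received(until)

    def request_complete(self, until: float) -> bool:
        data = self.received(until)
        end = data.find(HEADER_END)
        if end < 0:
            return False
        body = data[end + len(HEADER_END):]
        return len(body) >= expected_body_length(data[:end])

    def transfer_rate(self, until: float) -> float:
        """Average bytes per second since the connection was accepted."""
        elapsed = until - self.opened_at
        return float("inf") if elapsed <= 0 else len(self.received(until)) / elapsed


class SlowRequestWatchdog:
    """Decides which waiting connections a server should drop."""

    def __init__(self, header_timeout: float, min_rate_bps: float, grace: float):
        self.header_timeout = header_timeout  # seconds allowed to finish the headers
        self.min_rate_bps = min_rate_bps      # minimum average rate once grace expires
        self.grace = grace                    # seconds before the rate rule applies

    def verdict(self, conn: Connection, now: float) -> str:
        age = now - conn.opened_at
        if conn.request_complete(now):
            return "complete"                 # handed to the application, no longer waiting
        if not conn.headers_complete(now) and age > self.header_timeout:
            return "drop:header-timeout"      # slow-header pattern: headers never finish
        if age > self.grace and conn.transfer_rate(now) < self.min_rate_bps:
            return "drop:slow-rate"           # slow-body pattern: headers done, body trickles
        return "waiting"

    def sweep(self, conns: List[Connection], now: float) -> Dict[str, str]:
        return {c.conn_id: self.verdict(c, now) for c in conns}


def sample_connections() -> List[Connection]:
    """Constructed traces: one normal GET, one normal upload, two slow senders."""
    get = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
    post_big = b"POST /login HTTP/1.1\r\nHost: example.test\r\nContent-Length: 100000\r\n\r\n"
    post_upload = b"POST /upload HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5000\r\n\r\n"
    return [
        Connection("fast", 0.0, [(0.05, get)]),
        Connection("slow_headers", 0.0, [(0.0, b"GET / HTTP/1.1\r\n"), (8.0, b"X-A: 1\r\n"),
                                         (16.0, b"X-B: 2\r\n"), (24.0, b"X-C: 3\r\n")]),
        Connection("slow_body", 0.0, [(0.1, post_big), (10.0, b"a"), (20.0, b"b")]),
        Connection("upload", 0.0, [(0.1, post_upload)] +
                   [(21.0 + i, b"x" * 1000) for i in range(4)]),
    ]


def run_sample(now: float = 25.0) -> Dict[str, str]:
    """Sweep the sample pool 25 s after accept with assumed thresholds."""
    watchdog = SlowRequestWatchdog(header_timeout=10.0, min_rate_bps=50.0, grace=5.0)
    return watchdog.sweep(sample_connections(), now)


def slots_freed_by_sweep(verdicts: Dict[str, str]) -> int:
    """Pool capacity regained by closing the connections the sweep flagged."""
    return sum(1 for v in verdicts.values() if v.startswith("drop:"))


if __name__ == "__main__":
    result = run_sample()
    for conn_id, verdict in result.items():
        print(f"{conn_id:13s} {verdict}")
    print("slots freed:", slots_freed_by_sweep(result))
```

The two rules correspond to the two shapes of slow HTTP attack: headers that never terminate, and a large declared body that arrives a byte at a time. The legitimate in-progress upload is kept because its average rate is well above the floor, which is why a rate floor is preferable to a flat per-connection deadline that would also cut off large uploads. Production web servers implement the same idea natively (for example Apache's mod_reqtimeout with its header and body timeouts and a minimum rate); the point of the example is to show the decision logic, not to replace those settings.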

Impact

Denial of service (DoS)

Affected Products

The admin webUI of the following products/versions is impacted:

FortiOS versions 6.2.2 and below
FortiSwitch versions below 3.6.11, 6.0.6 and 6.2.2
FortiAnalyzer all versions below 6.2.3
FortiManager all versions below 6.2.3
FortiAP-S/W2 versions below 6.2.2

Solutions

The following products/versions have implemented counter-measures:

Upgrade to FortiOS 6.2.3
Upgrade to FortiSwitch 3.6.11, 6.0.6 or 6.2.2
Upgrade to FortiAnalyzer 6.2.3
Upgrade to FortiManager 6.2.3
Upgrade to FortiAP-S/W2 6.2.2

Where supported, configuring trusted hosts for system administrators is a
workaround, assuming those hosts are trusted not to initiate an attack.

Acknowledgement

Fortinet is pleased to thank the independent research team Denis Kolegov, Maxim
Gorbunov, Nikita Oleksov and Anton Nikolaev for reporting this vulnerability
under responsible disclosure.

References

  o https://blog.qualys.com/securitylabs/2011/11/02/
    how-to-protect-against-slow-http-attacks

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----