Security ModSecurity OWASP Core Ruleset Security Vulnerabilities Leading To DDOS Attacks

Discussion in 'System Administration' started by eva2000, May 1, 2019.

  1. eva2000

    eva2000 Administrator Staff Member

    44,731
    10,197
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +15,805
    Local Time:
    11:38 PM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    It seems unpatched vulnerabilities in ModSecurity's OWASP Core Rule Set can potentially open up web servers to denial-of-service (DoS) attacks known as ReDoS attacks.

    Details:
    The ModSecurity OWASP CRS CVEs, and, if you want to follow the discussions, the issues reported by s0md3v, who I believe is the one who reported the vulnerabilities.
    Centmin Mod doesn't use the ModSecurity WAF firewall by default, but Centmin Mod 123.09beta01 has been preparing optional ModSecurity v3 Nginx Connector support for a WAF firewall setup for ages. Centmin Mod's implementation also relies on ModSecurity's OWASP Core Rule Set and uses the current OWASP CRS v3.1.0, which is unpatched for these vulnerabilities. So once an updated OWASP CRS release version is available, I will update Centmin Mod 123.09beta01 for the new version. So always run the Centmin Mod update command, cmupdate, before recompiling/updating Nginx via centmin.sh menu option 4 to ensure you have the latest versions/code. When you have set NGINX_MODSECURITY='y' in the persistent config file /etc/centminmod/custom_config.inc prior to the centmin.sh menu option 4 Nginx recompile, the Centmin Mod ModSecurity routine will auto update your OWASP CRS configuration to the latest version with the patches.

     
  2. eva2000

    Hmm, so ModSecurity v3 didn't implement PCRE limits like they did in ModSecurity v2, see https://coreruleset.org/20190425/regular-expression-dos-weaknesses-in-crs/ and the discussion in Set match_limit and match_limit_recursion values to regex variables by airween · Pull Request #2071 · SpiderLabs/ModSecurity !

    But it looks like Centmin Mod's ModSecurity v3 Nginx connector module implementation has room for improvement by recompiling with PCRE limits ! :D

    Though it's not as simple as it seems, from Set match_limit and match_limit_recursion values to regex variables by airween · Pull Request #2071 · SpiderLabs/ModSecurity
    and Set match_limit and match_limit_recursion values to regex variables by airween · Pull Request #2071 · SpiderLabs/ModSecurity
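    The PCRE match_limit idea discussed in this post, as an added toy example that is not ModSecurity, PCRE or Centmin Mod code: a hand-written backtracking matcher for the single pattern ^(a+)+b$ (a classic catastrophic-backtracking shape standing in for a ReDoS-prone rule) that counts its own steps, plus a guarded wrapper that aborts when a step budget is exhausted. The pattern, the step counter and the "limit-exceeded" status are all assumptions of this illustration.

```python
"""Toy model of PCRE's match_limit, added as an illustration for this thread.

This is not PCRE, ModSecurity or Centmin Mod code. It hand-implements a
backtracking matcher for the single pattern ^(a+)+b$ and counts matcher
steps. With no budget, a non-matching input of k 'a's followed by a
non-'b' character costs 2**k steps; with a budget (the toy's match_limit)
the match is aborted early, so one hostile request cannot pin a worker.
"""


class MatchLimitExceeded(Exception):
    """Raised when the step budget (the toy match_limit) is exhausted."""


def match_nested_plus(text, match_limit=None):
    """Match `text` against ^(a+)+b$ by naive backtracking.

    Returns (matched, steps). If match_limit is set and the step counter
    passes it, MatchLimitExceeded is raised instead of running to completion.
    """
    n = len(text)
    steps = 0

    def outer_iteration(i):
        # One iteration of the outer (...)+ group starting at text[i]:
        # the inner a+ consumes text[i:j] for every possible j, and after
        # each choice we either finish with the final 'b' or recurse to start
        # another outer iteration at j. Every distinct split of a run of 'a's
        # is retried, which is where the exponential blow-up comes from.
        nonlocal steps
        steps += 1
        if match_limit is not None and steps > match_limit:
            raise MatchLimitExceeded(steps)
        j = i
        while j < n and text[j] == "a":
            j += 1
            if j == n - 1 and text[j] == "b":
                return True
            if outer_iteration(j):
                return True
        return False

    matched = outer_iteration(0)
    return matched, steps


def guarded_match(text, match_limit):
    """What a WAF would do with a bounded engine: return a tri-state result.

    'match' / 'nomatch' are ordinary outcomes; 'limit-exceeded' is the signal
    that the rule evaluation should be treated as errored (and logged), not
    as a match.
    """
    try:
        matched, _steps = match_nested_plus(text, match_limit)
    except MatchLimitExceeded:
        return "limit-exceeded"
    return "match" if matched else "nomatch"


if __name__ == "__main__":
    # Constructed inputs: a benign match, and a hostile near-miss that ends
    # in 'c' so every backtracking path is explored before failing.
    print(match_nested_plus("aaab"))             # (True, 3)
    hostile = "a" * 14 + "c"
    print(match_nested_plus(hostile))            # (False, 16384)
    print(guarded_match("a" * 40 + "c", 1000))   # limit-exceeded
```

    Doubling the run of 'a's in the hostile input doubles the step count each time, which is the behaviour a real PCRE match_limit (and match_limit_recursion for stack depth) is there to cap; with the budget in place the 40-character input is rejected after about a thousand steps instead of running for a very long time.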
     
  3. eva2000

    Taking my own advice outlined at https://community.centminmod.com/threads/how-to-keep-informed-of-centmin-mod-related-updates.11443/ and using a custom Slack channel to follow the OWASP Core Rule Set GitHub repo for changes and new release updates at SpiderLabs/owasp-modsecurity-crs.

    So every time a new OWASP CRS release is made or a new issue is posted, I'll get a notification in my custom Slack channel :)

    As you can see, I monitor a lot of GitHub repos. You can do the same with Centmin Mod's GitHub repo centminmod/centminmod :D

    [image: slack-owasp-crs-repo-01.png]
     
  4. eva2000

    eva2000 Administrator Staff Member

    44,731
    10,197
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +15,805
    Local Time:
    11:38 PM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    The fix for the ReDoS attack is out now: Announcement: OWASP ModSecurity Core Rule Set Version 3.1.1 – OWASP ModSecurity Core Rule Set

    Centmin Mod 123.09beta01 will be updated with OWASP ModSecurity ruleset 3.1.1 within the next few minutes.