X41 D-SEC GmbH Security Advisory: X41-2018-009
Severity Rating: Medium
Confirmed Affected Versions: 2015-05-14 and newer, commit 6fd6c261274254bcbbacd77ef4b12534c7f9923d
Confirmed Patched Versions: v0.6.0 released 2018-12-14, commit 010ccdc7303546cd22b9da687c29f4a996990014
Vendor: UA-Parser Project
Vendor URL: https://github.com/ua-parser
Vector: HTTP request
Credit: X41 D-SEC GmbH, Luc Gommans
CVSSv3 Score: 5.3
CVSSv3 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
The programming library UA-Parser uses regular expressions to identify user agent strings. The complexity of some of the regular expressions is such that an attacker can craft special patterns that keep the server busy for a long time. By sending many requests in short order, an attacker can exhaust the amount of processing power available. This causes the website to become unavailable for legitimate visitors.
In common setups, the user agent string is parsed whenever a page is visited. This means that anyone can abuse the bug, typically without authentication. There are no common circumstances which would prevent an attack from working reliably, i.e. an attacker can consistently and repeatedly exploit the issue until the site has become unreachable.
For more information on regular expression-based denial of service, see the OWASP page on ReDoS: https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS
The UA-Parser project consists of a core repository, uap-core, and implementations in various languages. The regular expressions are defined in the core project and each implementation is automatically vulnerable.
There are multiple vulnerable regular expressions. They are collected in the
regex.yaml, for example on lines 911 and 4961. The regular expression
on line 911 is as follows:
Any implementation using this library will hang for a few seconds (on comodity hardware) when sending the following HTTP request:
GET / HTTP/1.0 User-Agent: x86_64 1111111111111111111111111111
Normal user agent strings can be over a hundred bytes long: this string of 35 bytes is not an abnormal request. Adding one more byte makes the processing significantly longer.
This particular regular expression was introduced in September 2018. The regular expression on line 4961 was introduced in May 2015 and can be exploited as follows:
GET / HTTP/1.0 User-Agent: HbbTV/1.1.1CE-HTML/1.1;THOM;SW-Version/1;SW-Version/1;SW-Version/1;SW-Version/1;SW-Version/1;SW-Version/1;SW-Version/1;SW-Version/1;SW-Version/1;SW-Version/1;LF
Each additional repetition of
SW-Version/1; will multiply the processing time
by roughly a factor 6.2. Where eleven repetitions take about seven seconds,
fourteen repetitions already occupy a server for half an hour.
As demonstrated, the input does not have to be particularly long to exploit the issue. This may be the case, and a few hundred kilobytes may slow down most regular expressions, but limiting the maximum length is not a solution by itself.
The root cause is the regular expression, which should be limited in complexity. This involves manual work and there is no solution that can be applied to all regular expressions in the project.
To aid in identifying problematic regular expressions, one may use projects such as https://github.com/jagracey/RegEx-DoS.
2018-11-26 Issue found.
2018-11-29 Permission from customer to disclose to upstream.
2018-11-29 Requested secure channel from vendor for communication.
2018-12-04 Disclosed to vendor.
2018-12-14 Patch released by vendor, CVE number requested.
2018-12-15 CVE-2018-20164 assigned.
2019-01-10 Advisory released.
X41 is an expert provider for application security services. Having extensive industry experience and expertise in the area of information security, a strong core security team of world class security experts enables X41 to perform premium security services.
Fields of expertise in the area of application security are security-oriented code reviews, binary reverse engineering, and vulnerability discovery. Custom research, IT security consulting, and support services are core competencies of X41.