uap-core before 0.7.3 is vulnerable to a denial of service attack when processing crafted User-Agent strings. Some regexes are vulnerable…
GitHub_M·CWE-20·Published 2020-02-20
uap-core before 0.7.3 is vulnerable to a denial of service attack when processing crafted User-Agent strings. Some regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent header in an HTTP(S) request to maliciously crafted long strings. This has been patched in uap-core 0.7.3.
uap-core before 0.7.3 is vulnerable to a denial of service attack when processing crafted User-Agent strings. Some regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent header in an HTTP(S) request to maliciously crafted long strings. This has been patched in uap-core 0.7.3.
### Impact Some regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent header in an HTTP(S) request to maliciously crafted long strings. ### Patches Please update uap-core to >= v0.7.3 Downstream packages such as uap-python, uap-ruby etc which depend upon uap-core follow different version schemes. ### Details Each vulnerable regular expression reported here contains 3 overlapping capture groups. Backtracking has approximately cubic time complexity with respect to the length of the user-agent string. #### Regex 1: ``` \bSmartWatch *\( *([^;]+) *; *([^;]+) *; ``` is vulnerable in portion ` *([^;]+) *` and can be attacked with ```python "SmartWatch(" + (" " * 3500) + "z" ``` e.g. ``` SmartWatch( z ``` #### Regex 2: ``` ; *([^;/]+) Build[/ ]Huawei(MT1-U06|[A-Z]+\d+[^\);]+)[^\);]*\) ``` is vulnerable in portion `\d+[^\);]+[^\);]*` and can be attacked with ```python ";A Build HuaweiA" + ("4" * 3500) + "z" ``` #### Regex 3: ``` (HbbTV)/[0-9]+\.[0-9]+\.[0-9]+ \([^;]*; *(LG)E *; *([^;]*) *;[^;]*;[^;]*;\) ``` is vulnerable in portion ` *([^;]*) *` and can be attacked with ```python "HbbTV/0.0.0 (;LGE;" + (" " * 3500) + "z" ``` #### Regex 4: ``` (HbbTV)/[0-9]+\.[0-9]+\.[0-9]+ \([^;]*; *(?:CUS:([^;]*)|([^;]+)) *; *([^;]*) *;.*; ``` is vulnerable in portions ` *(?:CUS:([^;]*)|([^;]+)) *` and ` *([^;]*) *` and can be attacked with ```python "HbbTV/0.0.0 (;CUS:;" + (" " * 3500) + "z" "HbbTV/0.0.0 (;" + (" " * 3500) + "z" "HbbTV/0.0.0 (;z;" + (" " * 3500) + "z" ``` Reported by Ben Caller @bcaller
### Impact Some regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent header in an HTTP(S) request to maliciously crafted long strings. ### Patches Please update uap-core to >= v0.7.3 Downstream packages such as uap-python, uap-ruby etc which depend upon uap-core follow different version schemes. ### Details Each vulnerable regular expression reported here contains 3 overlapping capture groups. Backtracking has approximately cubic time complexity with respect to the length of the user-agent string. #### Regex 1: ``` \bSmartWatch *\( *([^;]+) *; *([^;]+) *; ``` is vulnerable in portion ` *([^;]+) *` and can be attacked with ```python "SmartWatch(" + (" " * 3500) + "z" ``` e.g. ``` SmartWatch( z ``` #### Regex 2: ``` ; *([^;/]+) Build[/ ]Huawei(MT1-U06|[A-Z]+\d+[^\);]+)[^\);]*\) ``` is vulnerable in portion `\d+[^\);]+[^\);]*` and can be attacked with ```python ";A Build HuaweiA" + ("4" * 3500) + "z" ``` #### Regex 3: ``` (HbbTV)/[0-9]+\.[0-9]+\.[0-9]+ \([^;]*; *(LG)E *; *([^;]*) *;[^;]*;[^;]*;\) ``` is vulnerable in portion ` *([^;]*) *` and can be attacked with ```python "HbbTV/0.0.0 (;LGE;" + (" " * 3500) + "z" ``` #### Regex 4: ``` (HbbTV)/[0-9]+\.[0-9]+\.[0-9]+ \([^;]*; *(?:CUS:([^;]*)|([^;]+)) *; *([^;]*) *;.*; ``` is vulnerable in portions ` *(?:CUS:([^;]*)|([^;]+)) *` and ` *([^;]*) *` and can be attacked with ```python "HbbTV/0.0.0 (;CUS:;" + (" " * 3500) + "z" "HbbTV/0.0.0 (;" + (" " * 3500) + "z" "HbbTV/0.0.0 (;z;" + (" " * 3500) + "z" ``` Reported by Ben Caller @bcaller
uap-core versiones anteriores a 0.7.3, es vulnerable a un ataque de denegación de servicio cuando se procesan cadenas de User-Agent diseñadas. Algunas expresiones regulares son vulnerables a una denegación de servicio de expresión regular (REDoS) debido a una superposición de grupos de captura. Esto permite a atacantes remotos sobrecargar un servidor mediante la configuración del encabezado User-Agent en una petición HTTP(S) para cadenas largas diseñadas maliciosamente. Esto ha sido parcheado en uap-core versión 0.7.3.
| Version | Type | Source | Base | Exp | Impact | Vector |
|---|---|---|---|---|---|---|
| 2.0 | Primary | NVD | 5.0 | 10.0 | 2.9 | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| 3.1 | Primary | NVD | 7.5 | 3.9 | 3.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | Primary | cve.org | 5.7 | — | — | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H |
| 3.1 | Primary | cve.org | 5.7 | — | — | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H |
| 3.1 | Secondary | NVD | 5.7 | 2.1 | 3.6 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H |
| 3.1 | Secondary | GHSA | 5.7 | — | — | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H |