The OWASP ModSecurity Core Rule Set (CRS) team has identified a Denial of Service vulnerability in the underlying ModSecurity engine. It affects all releases in the ModSecurity v3 release line. The vendor Trustwave Spiderlabs has not released an update yet. However, we are providing users with a patch for ModSecurity and a workaround for those who cannot patch. Likewise, we are coordinating the patching with the Linux distributors.
This blog post tries to give you a comprehensive overview of the problem with all the resources you need to cope with the situation.
This is what you will find here:
- Official Advisory for CVE-2020-15598
- Video of the PoC
- Description of the Problem
- Patch for ModSecurity 3.0.4
- A (limited) Workaround for CRS3
- Timeline of Our Conversation With the ModSecurity Vendor Trustwave Spiderlabs
- Links to Resources
Official Advisory for CVE-2020-15598

ModSecurity v3.0.x is affected by a Denial of Service vulnerability due to the global matching of regular expressions. The combination of a non-anchored regular expression and the ModSecurity “capture” action can be exploited via a specially crafted payload.
While ModSecurity v2.x used to quit the execution of a regular expression after the first match, ModSecurity v3.0.x silently changed the behavior to global matching. This results in a DoS for existing non-anchored regexes that carry the “capture” action. It also fills the TX variable space beyond the documented limit of 10 instances. The defense is handicapped by the absence of the SecRequestBodyNoFilesLimit directive: the vendor Trustwave Spiderlabs dropped this functionality in ModSecurity v3.
The vendor did not publish a new release, but there is a patch that brings back the former behavior.
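The following Python model is an added illustration and is not code from the CRS project or from ModSecurity. It contrasts first-match capture semantics (v2.x and the patched v3) with the global matching of unpatched v3.0.x on a non-anchored regex, and shows how the number of populated TX variables grows with the payload; the TX:n naming and the limit of 10 follow the advisory, while the engine itself is a simplified stand-in with a constructed payload.

```python
import re

# Documented ModSecurity limit for capture variables: TX:0 .. TX:9
TX_CAPTURE_LIMIT = 10


def run_capture(pattern: str, payload: str, global_match: bool) -> dict:
    """Simplified model of the 'capture' action.

    global_match=False mimics v2.x and the patched v3: the engine stops after
    the first match, storing the whole match plus its groups.
    global_match=True mimics unpatched v3.0.x: every match in the payload is
    processed and each one adds further TX variables.
    """
    regex = re.compile(pattern)
    if global_match:
        matches = list(regex.finditer(payload))
    else:
        first = regex.search(payload)
        matches = [first] if first else []
    tx = {}
    idx = 0
    for m in matches:
        # TX:0 is the whole match, TX:1.. are the capture groups
        for value in (m.group(0),) + m.groups():
            tx[f"TX:{idx}"] = value
            idx += 1
    return tx


def exceeds_documented_limit(tx: dict) -> bool:
    """True when more TX capture slots were filled than ModSecurity documents."""
    return len(tx) > TX_CAPTURE_LIMIT


def build_payload(pairs: int) -> str:
    """Constructed sample input: a benign list of key=value pairs."""
    return ";".join(f"k{i}=v{i}" for i in range(pairs))


if __name__ == "__main__":
    payload = build_payload(20)
    non_anchored = r"(\w+)=(\w+)"
    for label, mode in (("first-match", False), ("global", True)):
        tx = run_capture(non_anchored, payload, global_match=mode)
        print(f"{label:11s}: {len(tx)} TX vars, over limit: {exceeds_documented_limit(tx)}")
    # Anchoring the regex bounds the match count even under global matching
    print("anchored   :", len(run_capture(r"^(\w+)=(\w+)", payload, True)), "TX vars")
```

With 20 pairs the first-match run fills 3 TX variables, the global run fills 60, and the anchored regex is back to 3 even under global matching.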
Read the full article @
https://coreruleset.org/20200914/cve-2020-15598/