Recursive HTTP pipeline pre-fetch can cause memory regulation (CVE-2013-5959)
When ProxySG appliance forward or reverse proxy of HTTP traffic is enabled, some web sites can cause the system to enter memory regulation due to high number of HTTP RW pipeline pre-fetch requests, resulting in slow, dropped or blocked connections and/or a system crash/reboot. This can effectively be deemed a denial-of-service (DoS) attack.
All SGOS versions prior to 6.5.2 except version 126.96.36.199 are vulnerable in both forward and reverse proxy modes. This has no impact on Management Console, Command Line Interface (CLI), or administrative functions.
This issue highlights memory exhaustion and/or pipeline overload due to the high number of HTTP RW pipeline pre-fetch requests from some web sites. This can effectively be deemed a denial-of-service (DoS) attack and can be triggered remotely by distributing spam email or similar mechanisms where the target user clicks through to a site that can trigger the memory regulation issue. Due to the nature of the issue, this is assessed as high severity.
Sites with high number of recursively embedded HREFs in the HTML can quickly cause one of the following scenarios:
- Memory regulation and/or crash/reboot when unlimited retrieval workers are allowed on the ProxySG and a large number of retrieval workers are created.
- Crash/reboot when retrieval workers are constrained on the proxy and a large number of retrieval workers are created.
- Random HTTP response delays in less severe cases.
The workaround is to disable pipelining on this traffic. To disable pipelining, select Configuration > Proxy Settings > HTTP Proxy > Acceleration in the Management Console. Under Acceleration Settings, clear the checkboxes beside the following options:
- Pipeline embedded objects client request
- Pipeline redirects for client request
- Pipeline embedded objects in prefetch request
- Pipeline redirects for prefetch request
Click Apply to save your changes.
The associated CLI commands to disable pipelining are as follows:
http no pipeline client requests
http no pipeline client redirects
http no pipeline prefetch requests
http no pipeline prefetch redirects
Refer to the SGOS Administration Guide for your version of SGOS for details: https://bto.bluecoat.com/documentation/pubs/ProxySG
Where the fix is available, SGOS sets a maximum prefetching memory allocation size. This forces a timeout and retry when there are too many requests for HTTP proxy services. The fix is available to customers with a valid BlueTouch Online login.
SGOS 6.5 – A fix is available in 6.5.2.
SGOS 6.4 – A fix is available in 188.8.131.52.
SGOS 6.3 – A fix is available in 184.108.40.206.
SGOS 6.2 – A fix is available in 220.127.116.11.
SGOS 6.1 – A fix will not be provided. Please upgrade to a later version with the vulnerability fix.
SGOS 5.5 – A fix is available in 18.104.22.168.
SGOS 5.4 – A fix is available in 22.214.171.124, which is a patch release. The fix is available on the patch release page.
SGOS 5.3 and earlier – Please upgrade to a later version.
NOTE: To download an SGOS release with the fix, go to https://bto.bluecoat.com and click the Downloads tab. Select ProxySG and browse to the appropriate hardware model/software version that you require.
2015-01-27 A fix will not be provided in 6.1.x. Marking as Final.
2014-05- Updated fix information for 6.3.x and 5.5.x and made minor revisions.
2013-11-29 Updated patch information for 6.4.x.
2013-11-11 Corrected links.
2013-10-14 Updated workaround.
2013-10-04 Updated details and workaround.
2013-10-01 Edited with new workaround.
2013-10-01 Edited with new CVE number.
2013-09-24 Initial public release.