Outsystems Platform Server Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in Outsystems Platform Server version 11.18.1.37828. An attacker sends HTTP POST requests whose Content-Length header announces more body bytes than are actually transmitted; the server waits indefinitely for the remainder instead of timing the request out, so the request is never processed and the connection stays open. The issue affects every component served by the platform, including APIs, the user dashboard and the underlying web server.

Impact

Exploitation produces a low-and-slow denial-of-service condition: many connections are held open, each waiting for body bytes that never fully arrive, until the server's pool of connections or worker threads is exhausted and it stops responding to legitimate clients. The disruption can affect all applications deployed on Outsystems Platform Server with the default IIS web server configuration.

Reproduction

The vulnerability can be reproduced by sending HTTP POST requests whose Content-Length header is larger than the body actually transmitted, then keeping each connection alive by delivering the remaining body a few bytes at a time. The slow-body mode of 'slowhttptest' (its `-B` option) automates this R.U.D.Y (R U Dead Yet) pattern across many parallel connections, effectively exhausting the server's connection capacity.

Remediation

No official patch is available yet, but the following mitigations reduce exposure: configure a hard timeout that closes lingering TCP and HTTP sessions after a reasonable total request time (an idle timeout alone is not sufficient, because the attacker sends another byte before each idle window expires), set a maximum number of concurrent connections from a single source, and apply the general rate-limiting measures used against brute-force attacks.
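The two sides of the condition in one added example that is not OutSystems, IIS or slowhttptest code: build_slow_post shows what the crafted request looks like on the wire and outstanding_body_bytes shows the server's view of it (how many bytes it is still waiting for), while connections_to_close implements the hard-timeout and per-source-cap policy from the remediation section and contrasts it with a plain idle timeout. The host name, path, addresses, timeouts and the connection snapshot are constructed for illustration.

```python
"""Crafted slow-POST request plus a connection-reaping policy for the
mismatched Content-Length condition. Added example; hosts, addresses,
timeouts and the connection snapshot are constructed, not observed."""
from collections import defaultdict
from dataclasses import dataclass


def build_slow_post(host: str, path: str, claimed_length: int, first_chunk: bytes) -> bytes:
    """Bytes a R.U.D.Y-style client sends first: a complete header block
    announcing claimed_length body bytes, followed by only first_chunk.
    The server then sits in its body read waiting for the remainder."""
    if len(first_chunk) > claimed_length:
        raise ValueError("first chunk must not exceed the announced length")
    head = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {claimed_length}\r\n"
        "Connection: keep-alive\r\n"
        "\r\n"
    ).encode("ascii")
    return head + first_chunk


def outstanding_body_bytes(request: bytes) -> int:
    """Server-side view: parse Content-Length from the head and report how
    many body bytes are still owed. A positive value means the read blocks."""
    head, sep, body = request.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    content_length = 0
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            content_length = int(value.strip())
    return content_length - len(body)


@dataclass
class Conn:
    cid: int
    src: str
    opened_at: float      # server clock, seconds
    last_data_at: float   # last time any body byte arrived
    owed: int             # body bytes still outstanding


def connections_to_close(conns, now, idle_timeout, hard_timeout, max_per_source):
    """Decide which in-flight request bodies to abort. Returns {cid: reason}.

    idle_timeout   classic per-connection idle limit; a client that trickles
                   one byte inside every window never trips it.
    hard_timeout   upper bound on total time to deliver the announced body;
                   this is what actually catches the trickle.
    max_per_source cap on concurrent incomplete bodies from one address;
                   the newest connections beyond the cap are dropped."""
    verdict = {}
    per_source = defaultdict(list)
    for c in conns:
        if c.owed <= 0:
            continue  # body fully received; request is being processed
        if now - c.last_data_at > idle_timeout:
            verdict[c.cid] = "idle"
        elif now - c.opened_at > hard_timeout:
            verdict[c.cid] = "hard-timeout"
        else:
            per_source[c.src].append(c)
    for alive in per_source.values():
        if len(alive) > max_per_source:
            alive.sort(key=lambda c: c.opened_at)  # stable: keeps the oldest
            for c in alive[max_per_source:]:
                verdict[c.cid] = "per-source-cap"
    return verdict


# Constructed snapshot at NOW: one attacker (10.0.0.9) trickling a byte every
# few seconds on 30 connections, half opened at t=0 and half at t=250, plus
# one legitimate upload in progress and one client that silently went away.
NOW = 300.0
SNAPSHOT = [Conn(i, "10.0.0.9", 0.0, 295.0, 8000) for i in range(15)]
SNAPSHOT += [Conn(i, "10.0.0.9", 250.0, 295.0, 8000) for i in range(15, 30)]
SNAPSHOT.append(Conn(100, "192.0.2.7", 298.0, 299.0, 100))
SNAPSHOT.append(Conn(101, "192.0.2.8", 200.0, 250.0, 500))


def demo():
    req = build_slow_post("app.example", "/login", 8192, b"user=a&pw=")
    owed = outstanding_body_bytes(req)
    verdict = connections_to_close(SNAPSHOT, NOW, idle_timeout=30,
                                   hard_timeout=120, max_per_source=10)
    return owed, verdict


if __name__ == "__main__":
    owed, verdict = demo()
    print(f"server still waits for {owed} body bytes")
    for cid, reason in sorted(verdict.items()):
        print(f"close connection {cid}: {reason}")
```

With these numbers the 15 attacker connections opened at t=0 are dropped by the hard timeout, the 15 younger ones slip under it (they sent a byte 5 seconds ago, so the idle timeout never fires) and only the per-source cap removes the five newest of them; the legitimate upload is untouched and the abandoned connection goes out on the idle timeout. The two attacker groups illustrate why the remediation calls for a hard timeout and a per-source cap rather than an idle timeout alone.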

Added: Dec 9, 2025, 10:55 PM
Updated: Dec 9, 2025, 10:55 PM

Vulnerability Rating

Custom Algorithm

spread          3.1
impact          2.5
exploitability  7.6
remediation     8.3
relevance       1.3
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.