ModSecurity Libmodsecurity Buffer Overflow Vulnerability in Hex Decode Transformation

Vulnerability

A buffer overflow vulnerability has been identified in libmodsecurity, a component of the ModSecurity v3 project. This issue arises when a rule using the 't:hexDecode' transformation inspects a query string parameter containing a single character, leading to a segmentation fault. An attacker can exploit this vulnerability to crash worker processes, causing a denial-of-service condition. All versions of libmodsecurity prior to 3.0.15 are affected. The issue has been patched in version 3.0.15.
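The trigger described above is a one-character hex string. A hex decoder consumes input two digits at a time, so an odd-length value leaves the last digit without a partner, and a decoder that does not check the length before pairing digits reads past the end of its input. The block below is an added defensive example, written for this page; it is not libmodsecurity's code and does not reproduce the 3.0.15 fix (which the advisory does not show). The pairing mechanism is an assumption drawn from the single-character trigger; the function names `hex_decode_checked`, `hex_decode_len` and `hex_decode_first_byte` and the sample inputs are constructed here.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Map one ASCII hex digit to its value; -1 for anything else. */
static int hex_nibble(unsigned char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/*
 * Decode in[0..in_len) as hex into out. Returns the number of bytes
 * written, or -1 if the input is malformed (odd length, so the last
 * digit has no partner, or a non-hex character) or out is too small.
 * The length check runs before any digit is paired, so a one-character
 * input such as "a" can never make the loop read in[1].
 * (Constructed example; not the libmodsecurity implementation.)
 */
int hex_decode_checked(const char *in, size_t in_len,
                       unsigned char *out, size_t out_cap) {
    if (in == NULL || out == NULL) return -1;
    if (in_len % 2 != 0) return -1;        /* odd length: reject, never round */
    if (in_len / 2 > out_cap) return -1;   /* caller's buffer is too small */
    for (size_t i = 0; i < in_len; i += 2) {
        int hi = hex_nibble((unsigned char)in[i]);
        int lo = hex_nibble((unsigned char)in[i + 1]);  /* safe: i + 1 < in_len */
        if (hi < 0 || lo < 0) return -1;
        out[i / 2] = (unsigned char)((hi << 4) | lo);
    }
    return (int)(in_len / 2);
}

/* Decoded length (or -1) for a NUL-terminated query-string value. */
int hex_decode_len(const char *s) {
    unsigned char scratch[64];
    return hex_decode_checked(s, strlen(s), scratch, sizeof scratch);
}

/* First decoded byte (or -1 on rejection) for a NUL-terminated value. */
int hex_decode_first_byte(const char *s) {
    unsigned char scratch[64];
    int n = hex_decode_checked(s, strlen(s), scratch, sizeof scratch);
    return (n > 0) ? (int)scratch[0] : -1;
}

int main(void) {
    /* Constructed sample values: a valid pair, the single-character case
       from the advisory, a longer value, a non-hex pair, and empty. */
    const char *samples[] = { "41", "a", "4142", "zz", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int n = hex_decode_len(samples[i]);
        if (n < 0) printf("%-6s -> rejected\n", samples[i]);
        else       printf("%-6s -> %d byte(s)\n", samples[i], n);
    }
    return 0;
}
```

The point of the up-front `in_len % 2` check is that malformed input is rejected as a parse error, which a rule engine can treat as a transformation failure, rather than being rounded up or down and then read past its end.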

Impact

Exploitation of this vulnerability causes a segmentation fault, crashing all worker processes. This denial-of-service condition leaves no available worker processes for legitimate users. However, service resumes once the attack stops, as the worker processes recover from the segmentation fault.

Reproduction

To reproduce this vulnerability, create a rule that uses the 't:hexDecode' transformation to inspect query string parameters. Then, send a request with a query string containing a single character. The server will experience a segmentation fault, crashing the worker process. This can be automated with a simple bash script that repeatedly sends the vulnerable request.

Remediation

Users can upgrade to libmodsecurity version 3.0.15 or later to address this vulnerability.

Added: May 5, 2026, 7:23 PM
Updated: May 5, 2026, 7:23 PM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 2.5
exploitability: 9.7
remediation: 7.7
relevance: 7.5
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.