Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix for CVE-2018-12122 on Node 6.15.0 does not reset headersTimeout on keep-alive requests #24760

Closed
pracucci opened this issue Nov 30, 2018 · 3 comments
Closed

Fix for CVE-2018-12122 on Node 6.15.0 does not reset headersTimeout on keep-alive requests #24760

pracucci opened this issue Nov 30, 2018 · 3 comments
Labels
http Issues or PRs related to the http subsystem.

Comments

@pracucci
Copy link

  • Version: v6.15.0
  • Platform: Darwin Marco-13-2017.local 17.5.0 Darwin Kernel Version 17.5.0: Mon Mar 5 22:24:32 PST 2018; root:xnu-4570.51.1~1/RELEASE_X86_64 x86_64
  • Subsystem: http

The fix for CVE-2018-12122 in Node 6.15.0 looks is not resetting the headersTimeout clock once the full request headers have been received and this cause the socket to be destroyed after headersTimeout in a keep-alive connection.

I'm not familiar with node sources but looking at the commit by @mcollina to backport the fix to node 6.15.0 I've the feeling that parser.parsingHeadersStart is never set to 0 once the request headers have been received.

However, looking at the commit to fix the same issue in node 8.14.0, the parsingHeadersStart is reset to zero in parserOnIncoming().

How to reproduce the issue

  1. Create an http server with node 6.15.0 and lower headersTimeout to get a faster test
const http = require("http");

const server = http.createServer((req, res) => {
    res.writeHead(200);
    res.end();
});

server.headersTimeout = 10000;
server.keepAliveTimeout = 60000;

server.listen(4050);

  1. Connect to the server with telnet localhost 4050

  2. Send the first request

GET / HTTP/1.1
Connection: keep-alive
  1. Wait a bit more than 10 seconds and then send a second request
GET / HTTP/1.1
Connection: keep-alive

The connection will be closed right after sending the first line of the second HTTP request
@Fishrock123 Fishrock123 added the http Issues or PRs related to the http subsystem. label Nov 30, 2018
@hohokus
Copy link

hohokus commented Nov 30, 2018

I am seeing exactly the same. Originally appeared as an intermittent "502 Proxy Error" (we have Apache sitting in front of Node), but your telnet reproduce works 100%. Thanks!

@mcollina mcollina mentioned this issue Dec 3, 2018
Closed
3 tasks
rvagg pushed a commit that referenced this issue Dec 3, 2018
@mcollina @rvagg
http: fix backport of Slowris headers
0b9ee5f 
The backport of 618eebdd17 was
not complete, and the starting time to parse the headers was not reset.

Fixes: #24760
@rvagg rvagg mentioned this issue Dec 3, 2018
Merged
mcollina added a commit to mcollina/node that referenced this issue Dec 3, 2018
@mcollina
http: fix backport of Slowloris headers
4341817 
The backport of nodejs@618eebdd17 was
not complete, and the starting time to parse the headers was not reset.

Fixes: nodejs#24760
rvagg pushed a commit that referenced this issue Dec 3, 2018
@mcollina @rvagg
http: fix backport of Slowloris headers
5d9005c 
The backport of 618eebdd17 was
not complete, and the starting time to parse the headers was not reset.

PR-URL: #24796
Fixes: #24760
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
rvagg added a commit that referenced this issue Dec 3, 2018
@rvagg
2018-12-03, Version 6.15.1 'Boron' (LTS)
cde6450 
Notable Changes:

This is a patch release to address a bad backport of the fix for "Slowloris
HTTP Denial of Service" (CVE-2018-12122). Node.js 6.15.0 misapplies the headers
timeout to an entire keep-alive HTTP session, resulting in prematurely
disconnected sockets.

PR-URL: #24803
Refs: #24796
Refs: #24760
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
rvagg added a commit that referenced this issue Dec 3, 2018
@rvagg
2018-12-03, Version 6.15.1 'Boron' (LTS)
dbdc908 
Notable Changes:

This is a patch release to address a bad backport of the fix for "Slowloris
HTTP Denial of Service" (CVE-2018-12122). Node.js 6.15.0 misapplies the headers
timeout to an entire keep-alive HTTP session, resulting in prematurely
disconnected sockets.

PR-URL: #24803
Refs: #24796
Refs: #24760
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
@pracucci
Copy link
Author

pracucci commented Dec 3, 2018

The PR #24796 - landed in Node 6.15.1 - fixes this. Thanks @mcollina !

@pracucci pracucci closed this as completed Dec 3, 2018
@kangman kangman mentioned this issue Dec 6, 2018
Closed
refack pushed a commit to refack/node that referenced this issue Jan 14, 2019
@rvagg @refack
2018-12-03, Version 6.15.1 'Boron' (LTS)
9017716 
Notable Changes:

This is a patch release to address a bad backport of the fix for "Slowloris
HTTP Denial of Service" (CVE-2018-12122). Node.js 6.15.0 misapplies the headers
timeout to an entire keep-alive HTTP session, resulting in prematurely
disconnected sockets.

PR-URL: nodejs#24803
Refs: nodejs#24796
Refs: nodejs#24760
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
@tianjianchn
Copy link

Using node-fetch to request the node 6.15.0 server, sometimes the request end with 'socket hang up' immediately. Thanks for the fix!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
http Issues or PRs related to the http subsystem.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@Fishrock123 @pracucci @tianjianchn @hohokus