CVE-2020-25691

7.5 HIGH

📋 TL;DR

A denial-of-service vulnerability in darkhttpd allows remote attackers to crash the server by requesting files with large modification dates. It affects every system running a vulnerable version of the darkhttpd web server. The flaw is in the error handling used when processing file timestamps.

💻 Affected Systems

Products:
  • darkhttpd
Versions: All versions prior to 1.13
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: Any darkhttpd instance serving files is vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service disruption with darkhttpd crashing and requiring manual restart, potentially affecting all hosted websites.

🟠

Likely Case

Temporary service interruption until the server is restarted, with possible data loss for in-progress connections.

🟢

If Mitigated

Minimal impact if server is behind load balancer with health checks and auto-restart capabilities.

🌐 Internet-Facing: HIGH - darkhttpd is typically used as a lightweight web server exposed to the internet.
🏢 Internal Only: MEDIUM - Internal services could be disrupted but typically have faster recovery options.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only HTTP GET requests to files with crafted timestamps.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.13 and later

Vendor Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=1893725

Restart Required: Yes

Instructions:

1. Download darkhttpd 1.13 or later from the official repository.
2. Stop the current darkhttpd service.
3. Install the updated version.
4. Restart the darkhttpd service.

🔧 Temporary Workarounds

File timestamp monitoring

Monitor for, and stop serving, files under the document root whose modification dates are unusual. The first command finds files last modified more than 10000 days ago and makes them unreadable so darkhttpd cannot serve them; the second is an hourly cron entry (added with crontab -e) that deletes such files outright, so rm removes them permanently. Note that -mtime +10000 only matches files whose modification time lies far in the past; a file stamped with a date in the future is not matched by this test.

find /var/www -type f -mtime +10000 -exec chmod 000 {} \;

0 * * * * find /var/www -type f -mtime +10000 -exec rm {} \;
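The workaround above acts on files with far-past timestamps. The following script is an added example, not part of the advisory, that reports files with implausible modification times in either direction (stamped in the future or older than the advisory's 10000-day threshold) without modifying or deleting anything, so an operator can review them before applying chmod or rm. It assumes only POSIX find, touch and mktemp; the future-date test, implemented with a temporary reference file and -newer, is this example's own addition.

```shell
#!/bin/sh
# Added example (not from the advisory): list files under a web root whose
# modification time is implausible, either stamped in the future or more than
# MAX_AGE_DAYS in the past. Reporting only; nothing is changed or deleted.
# Assumes POSIX find/touch/mktemp. The 10000-day threshold comes from the
# advisory's workaround; the "future" check is this example's own addition.

MAX_AGE_DAYS=10000

# find_unusual_mtime DIR
# Prints one path per line. A temporary reference file stamped "now" lets the
# POSIX -newer test detect future-dated files without GNU-only -newermt.
find_unusual_mtime() {
    dir=$1
    ref=$(mktemp) || return 1
    find "$dir" -type f \( -newer "$ref" -o -mtime +"$MAX_AGE_DAYS" \) -print
    rm -f "$ref"
}

# count_unusual_mtime DIR -> number of flagged files (useful as an alert metric)
count_unusual_mtime() {
    find_unusual_mtime "$1" | wc -l | tr -d ' '
}

# Usage: sh check_mtime.sh /var/www
if [ "$#" -gt 0 ]; then
    find_unusual_mtime "$1"
fi
```

Run it from cron in place of the rm entry and ship the output to your log pipeline; the count function gives a single number that a monitoring system can threshold on.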

🧯 If You Can't Patch

  • Implement reverse proxy with request filtering to block suspicious file requests
  • Use monitoring with automatic restart scripts to minimize downtime

🔍 How to Verify

Check if Vulnerable:

Check darkhttpd version (matches 1.0 through 1.12, the affected range): darkhttpd --version | grep -Eq '(^|[^0-9.])1\.([0-9]|1[0-2])([^0-9]|$)' && echo 'VULNERABLE'

Check Version:

darkhttpd --version

Verify Fix Applied:

Verify version is 1.13 or higher: darkhttpd --version
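A digit-pattern grep is easy to get wrong across the 1.9 to 1.10 boundary. The script below is an added example, not the advisory's own check, that compares dotted version numbers component by component and reports a darkhttpd version as affected when it is older than 1.13. The banner format it parses ("darkhttpd/1.12, copyright ...") is an assumption of this example; the sample banner in the usage line is constructed.

```shell
#!/bin/sh
# Added example (not from the advisory): decide whether a darkhttpd version is
# in the affected range (everything before 1.13) by comparing numeric
# components, so 1.9 and 1.10 are both classified correctly.
# The banner format "darkhttpd/<version>, copyright ..." parsed by
# extract_version() is an assumption of this example.

FIXED_VERSION=1.13

# version_lt A B -> exit 0 when dotted version A is numerically older than B.
# Missing trailing components are treated as 0, so 1.13 < 1.13.1.
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        if [ "$ai" = "$a" ]; then a=; else a=${a#*.}; fi
        if [ "$bi" = "$b" ]; then b=; else b=${b#*.}; fi
        ai=${ai:-0}; bi=${bi:-0}
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
    done
    return 1
}

# extract_version BANNER -> e.g. "1.12" from "darkhttpd/1.12, copyright (c) ..."
extract_version() {
    printf '%s\n' "$1" | sed -n 's/^darkhttpd\/\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# is_vulnerable VERSION -> exit 0 when VERSION is older than the fixed release
is_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# Usage (constructed banner): sh check_version.sh "darkhttpd/1.12, copyright (c) 2003-2016 Emil Mikulic."
if [ "$#" -gt 0 ]; then
    v=$(extract_version "$1")
    if [ -z "$v" ]; then
        echo "could not parse a darkhttpd version from: $1"
        exit 2
    fi
    if is_vulnerable "$v"; then
        echo "darkhttpd $v: VULNERABLE (older than $FIXED_VERSION)"
    else
        echo "darkhttpd $v: fixed ($FIXED_VERSION or later)"
    fi
fi
```

Feed it the first line of the server's startup banner; the same version_lt helper can be reused for any other dotted-version comparison in an inventory script.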

📡 Detection & Monitoring

Log Indicators:

  • Server crash logs
  • Abnormal termination messages in systemd/journalctl
  • Multiple failed requests to files with unusual paths

Network Indicators:

  • Sudden drop in HTTP responses
  • Increased 5xx errors from load balancer

SIEM Query:

source="darkhttpd.log" AND ("segmentation fault" OR "crash" OR "abnormal termination")
