CVE-2023-38285
📋 TL;DR
CVE-2023-38285 is a denial-of-service vulnerability in Trustwave ModSecurity 3.x caused by inefficient algorithmic complexity in four transformation functions. Attackers can exploit this by sending specially crafted requests that trigger excessive CPU consumption, potentially crashing the web application firewall. Organizations using ModSecurity 3.x before version 3.0.10 are affected.
💻 Affected Systems
- Trustwave ModSecurity
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete service disruption as ModSecurity consumes all available CPU resources, causing web server unavailability and potential cascading failures in dependent services.
Likely Case
Degraded web application performance or intermittent outages due to CPU exhaustion, leading to service degradation and potential business impact.
If Mitigated
Minimal impact with proper rate limiting, resource monitoring, and updated versions, though some performance degradation may still occur during attack attempts.
🎯 Exploit Status
Exploitation requires sending HTTP requests that trigger the vulnerable transformation functions. The vulnerability is simple to exploit with publicly available details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.0.10
Vendor Advisory: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity-v3-dos-vulnerability-in-four-transformations-cve-2023-38285/
Restart Required: Yes
Instructions:
1. Download ModSecurity 3.0.10 or later from official sources.
2. Stop the web server/service.
3. Replace the existing ModSecurity library with the patched version.
4. Restart the web server/service.
5. Verify the version is 3.0.10 or higher.
🔧 Temporary Workarounds
Disable vulnerable transformations
Remove or disable the four vulnerable transformation functions from ModSecurity rules: base64Decode, base64Encode, cmdLine, and compressWhitespace.
# Edit ModSecurity configuration files and remove/comment out rules using these transformations
Implement rate limiting
Configure web server or WAF rate limiting to restrict request frequency and prevent exploitation attempts.
# Example for nginx: limit_req_zone $binary_remote_addr zone=modsec:10m rate=10r/s;
# Add 'limit_req zone=modsec burst=20 nodelay;' to location blocks
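To find out which rules the first workaround would touch, the following added shell example (not from this page or the ModSecurity project) lists every non-commented rule line in a directory of `*.conf` files that applies one of the four transformations via the `t:<name>` action syntax. The function names and the sample rule set are constructed for illustration; point `find_vulnerable_transforms` at your real rules directory instead.

```shell
#!/bin/sh
# Added example (not from ModSecurity): find rules that apply one of the four
# transformations named in CVE-2023-38285 so they can be reviewed or disabled.
# The rule set below is constructed for demonstration only.

# Match "t:<name>" only for the four affected transformations; the trailing group
# keeps e.g. t:base64DecodeExt from matching.
VULN_TRANSFORMS='t:(base64Decode|base64Encode|cmdLine|compressWhitespace)([^A-Za-z0-9]|$)'

# Print "file:line:rule" for every non-comment line in *.conf under $1 that
# applies an affected transformation.
find_vulnerable_transforms() {
    find "$1" -type f -name '*.conf' -exec grep -HnE "$VULN_TRANSFORMS" {} + \
        | grep -vE '^[^:]*:[0-9]+:[[:space:]]*#'
}

# Number of such rule lines (0 when the rule set is clean).
count_vulnerable_transforms() {
    find_vulnerable_transforms "$1" | wc -l | tr -d ' '
}

# Write a small constructed rule file into a temp directory and print its path.
make_sample_rules() {
    dir=$(mktemp -d)
    cat > "$dir/REQUEST-sample.conf" <<'EOF'
# affected: decodes base64 before matching
SecRule ARGS "@rx select" "id:100001,phase:2,t:none,t:base64Decode,t:lowercase,deny"
# affected: collapses whitespace in the header
SecRule REQUEST_HEADERS:User-Agent "@pm evil" "id:100002,phase:1,t:compressWhitespace,log,pass"
# not affected: lowercase only
SecRule ARGS "@rx admin" "id:100003,phase:2,t:lowercase,deny"
# not affected: extended decoder has a different name
SecRule ARGS "@rx x" "id:100004,phase:2,t:base64DecodeExt,deny"
# SecRule ARGS "@rx y" "id:100005,phase:2,t:cmdLine,deny"   (commented out, ignored)
EOF
    printf '%s\n' "$dir"
}

# Scan the directory given as the first argument, or the constructed sample.
if [ -n "${1:-}" ]; then
    find_vulnerable_transforms "$1"
else
    sample=$(make_sample_rules)
    find_vulnerable_transforms "$sample"
    echo "affected rule lines: $(count_vulnerable_transforms "$sample")"
    rm -rf "$sample"
fi
```

Lines reported here are candidates for review; whether a transformation can simply be dropped depends on what the rule is matching, so check each one before editing.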
🧯 If You Can't Patch
- Implement strict rate limiting at the network perimeter or load balancer level to block excessive requests.
- Monitor CPU usage and set up alerts for abnormal spikes that could indicate exploitation attempts.
🔍 How to Verify
Check if Vulnerable:
Check the ModSecurity version using 'modsecurity -v' or examine web server logs for ModSecurity version information. If the version is below 3.0.10, the system is vulnerable.
Check Version:
modsecurity -v
Verify Fix Applied:
After patching, verify the version is 3.0.10 or higher using 'modsecurity -v' and test with sample requests that previously triggered the vulnerability.
📡 Detection & Monitoring
Log Indicators:
- Sudden spikes in CPU usage by web server processes
- ModSecurity error logs showing transformation function failures
- Increased request processing times
Network Indicators:
- Unusually high volume of requests to endpoints using transformation functions
- Requests with specially crafted payloads targeting base64 or whitespace transformations
SIEM Query:
source="modsecurity.log" AND ("base64Decode" OR "base64Encode" OR "cmdLine" OR "compressWhitespace") AND status=500
🔗 References
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity-v3-dos-vulnerability-in-four-transformations-cve-2023-38285/
- https://www.trustwave.com/en-us/resources/security-resources/software-updates/end-of-sale-and-trustwave-support-for-modsecurity-web-application-firewall/