Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 10 Jan 2019 18:53:47 +0100
From: X41 D-Sec GmbH Advisories <>
Subject: X41 D-Sec GmbH Security Advisory X41-2018-009: ReDoS Vulnerability in

Hash: SHA256

X41 D-SEC GmbH Security Advisory: X41-2018-009

ReDoS Vulnerability in UA-Parser
Severity Rating: Medium
Confirmed Affected Versions: 2015-05-14 and newer, commit
Confirmed Patched Versions: v0.6.0 released 2018-12-14, commit
Vendor: UA-Parser Project
Vendor URL:
Vector: HTTP request
Credit: X41 D-SEC GmbH, Luc Gommans
Status: Public
CVE: CVE-2018-20164
CVSSv3 Score: 5.3
CVSSv3 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Summary and Impact
The programming library UA-Parser uses regular expressions to identify
user agent strings. The complexity of some of the regular expressions
is such that an attacker can craft special patterns that keep the
server busy for a long time. By sending many requests in short order,
an attacker can exhaust the amount of processing power available. This
causes the website to become unavailable for legitimate visitors.

In common setups, the user agent string is parsed whenever a page is
visited. This means that anyone can abuse the bug, typically without
authentication. There are no common circumstances which would prevent
an attack from working reliably, i.e. an attacker can consistently and
repeatedly exploit the issue until the site has become unreachable.
For more information on regular expression-based denial of service,
see the OWASP page on ReDoS:

The UA-Parser project consists of a core repository, uap-core, and
implementations in various languages. The regular expressions are
defined in the core project and each implementation is automatically

Product Description
When a user agent (such as a browser) connects to a website, it
identifies itself with a 'user agent string'. This string helps the
server determine relevant content, for example to serve the
appropriate installer for visitors with different operating systems.
The UA-Parser project collects regular expressions that extract the
type of device and operating system from these strings.
Implementations in different languages are automatically vulnerable,
including the reference implementation in JavaScript:

Proof of Concept
There are multiple vulnerable regular expressions. They are collected
in the file regex.yaml, for example on lines 911 and 4961. The regular
expression on line 911 is as follows:

   (x86_64|aarch64)\ (\d+)+\.(\d+)+\.(\d+)+.*Chrome.*(?:CitrixChromeApp)$

Any implementation using this library will hang for a few seconds (on
comodity hardware) when sending the following HTTP request:

    GET / HTTP/1.0
    User-Agent: x86_64 1111111111111111111111111111

Normal user agent strings can be over a hundred bytes long: this
string of 35 bytes is not an abnormal request. Adding one more byte
makes the processing significantly longer.
This particular regular expression was introduced in September 2018. The
regular expression on line 4961 was introduced in May 2015 and can be
exploited as follows:

    GET / HTTP/1.0

Each additional repetition of SW-Version/1; will multiply the
processing time by roughly a factor 6.2. Where eleven repetitions take
about seven seconds, fourteen repetitions already occupy a server for
half an hour.

As demonstrated, the input does not have to be particularly long to
exploit the issue. This may be the case, and a few hundred kilobytes
may slow down most regular expressions, but limiting the maximum
length is not a solution by itself.
The root cause is the regular expression, which should be limited in
complexity. This involves manual work and there is no solution that
can be applied to all regular expressions in the project.

To aid in identifying problematic regular expressions, one may use
projects such as <>.

2018-11-26 Issue found.
2018-11-29 Permission from customer to disclose to upstream.
2018-11-29 Requested secure channel from vendor for communication.
2018-12-04 Disclosed to vendor.
2018-12-14 Patch released by vendor, CVE number requested.
2018-12-15 CVE-2018-20164 assigned.
2019-01-10 Advisory released.

About X41 D-SEC GmbH
X41 is an expert provider for application security services.
Having extensive industry experience and expertise in the area of
information security, a strong core security team of world class
security experts enables X41 to perform premium security services.
Fields of expertise in the area of application security are
security-oriented code reviews, binary reverse engineering, and
vulnerability discovery. Custom research, IT security consulting, and
support services are core competencies of X41.


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.