Impact
By sending a specially crafted User-Agent header, an attacker can cause a denial of service against the bbb-html5 service.
The useragent library identifies the client's device by parsing the value of the User-Agent header, which the html5client/useragent endpoint passes to lookupUserAgent() (an alias of useragent.lookup()). An attacker can abuse this by sending a User-Agent value constructed to trigger excessive backtracking in the regular expressions the library matches against it (a regular-expression denial of service, ReDoS), consuming CPU in the process that serves bbb-html5.
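The following is an added example, not code from BigBlueButton or from the useragent library, showing why a crafted header value can stall a Node.js server and two ways to bound the damage. The two regular expressions, the 512-byte cap, and the handler are assumptions made for illustration; the library's real patterns are not reproduced here.

```javascript
// Added example (not BigBlueButton or useragent code). A pattern with nested,
// overlapping quantifiers backtracks exponentially on a "near miss" input,
// which is the mechanism behind a ReDoS through a parsed User-Agent header.

// Toy "device check" patterns. Neither is the library's real regex.
// PRONE: (\w+\s?)+ can split a run of n word characters in 2^(n-1) ways, so a
// value that matches almost to the end and then fails ("aaaa!") forces the
// engine to try every split before it reports no match.
const PRONE = /^(\w+\s?)+$/;
// SAFE: the same language (words separated by single spaces), but every
// position can be consumed in exactly one way, so matching is linear.
const SAFE = /^\w+(\s\w+)*$/;

// Hypothetical cap; real browser User-Agent strings are a few hundred bytes.
const MAX_UA_BYTES = 512;

// Constructed near-miss input: n word characters, then a character that is
// neither \w nor \s.
function nearMiss(n) {
  return 'a'.repeat(n) + '!';
}

// Run one regex on one input and report the result and elapsed microseconds.
function timeTest(re, input) {
  const t0 = process.hrtime.bigint();
  const matched = re.test(input);
  const micros = Number(process.hrtime.bigint() - t0) / 1000;
  return { matched, micros };
}

// Stand-in for the lookup the advisory describes: classify the header value.
function classify(ua, re = SAFE) {
  return re.test(ua) ? 'word-list' : 'unknown';
}

// Request handler that bounds the header before any regex runs. `headers` is
// a plain object keyed by lower-cased header name, as Node's
// http.IncomingMessage exposes them.
function handleUserAgentRequest(headers) {
  const ua = headers['user-agent'];
  if (typeof ua !== 'string') {
    return { status: 400, body: 'missing User-Agent' };
  }
  if (Buffer.byteLength(ua, 'utf8') > MAX_UA_BYTES) {
    // Reject before parsing: the cost of the lookup must not scale with an
    // attacker-chosen length.
    return { status: 400, body: 'User-Agent too long' };
  }
  return { status: 200, body: classify(ua) };
}

// Demo: PRONE's time roughly doubles with each extra character, SAFE's does
// not. Kept small so the demo finishes in well under a second.
for (const n of [12, 16, 20]) {
  const input = nearMiss(n);
  console.log(`n=${n}: PRONE ${timeTest(PRONE, input).micros.toFixed(0)}us, ` +
              `SAFE ${timeTest(SAFE, input).micros.toFixed(0)}us`);
}
console.log(handleUserAgentRequest({ 'user-agent': 'Mozilla/5.0 (X11; Linux x86_64)' }));
console.log(handleUserAgentRequest({ 'user-agent': nearMiss(4096) }));
```

Note the limits of the cap on its own: with an exponential pattern, a few hundred characters is still far more than enough to hang the process, so a byte limit only helps once the patterns themselves are unambiguous. That is why removing the endpoint, as the patch below does, is the more robust fix than bounding its input.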
Patches
Given the limited use of the html5client/useragent endpoint, we have opted to remove it from the code altogether. Its use for legacy client checks transitioned to a different library months ago. BigBlueButton's documentation has been updated to point to a different online service for finding one's user agent.
Patch in BigBlueButton 2.3.19
Patch in BigBlueButton 2.4.7
Patch in BigBlueButton 2.5.0-beta.2
Workarounds
If you are not able to upgrade to a patched version, you can eliminate the attack surface by stopping nginx from forwarding requests to the handler at all. Add the following block to your nginx configuration, inside the server block that serves BigBlueButton (the directories listed below are included there):
location /html5client/useragent {
return 404;
}
For BigBlueButton 2.3 or 2.4, a good place to add this block is a file in /etc/bigbluebutton/nginx/
For BigBlueButton 2.5, a good place to add this block is a file in /usr/share/bigbluebutton/nginx/
Reload via sudo systemctl reload nginx
Test the change by navigating to <yourserver.com>/html5client/useragent. If you get a 404 response, the workaround is active; the request never reaches the bbb-html5 handler.
For more information
If you have any questions or comments about this advisory:
Credits
We would like to thank Giang. Võ Quý from VNG Corporation for responsibly disclosing and assisting with the fixing of this security issue.