Denial-of-Service on management interface

Keywords: DoS Management Interface

Description:

Airlock 4.1 is affected by a denial-of-service (DoS) vulnerability on the management interface: Sending malicious HTTPS requests to the management interface puts Airlock under heavy load or makes the system completely unusable. The risk level has been rated as Medium because an exploit is only possible on the management interface.

The Airlock Configuration Center shows many system monitoring charts to check the system status and history. These images are generated on the fly by a CGI script, and the image size is part of the URL parameter. Unreasonably large values for the width and height parameters will cause excessive resource consumption. Depending on the actual load and the memory available, the system will be out-of-service for some minutes or crash completely, making a reboot necessary.
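The paragraph above describes the root cause as unbounded width and height parameters reaching the image-generating script. The following is an added example of the input validation a defender would put in front of such a CGI handler; it is not Airlock's code, and the limits, parameter names (`width`, `height`), default size and RGBA buffer estimate are assumptions made for the illustration, not values taken from the advisory.

```python
import re
from urllib.parse import parse_qs

# Hypothetical limits chosen for this example; the advisory gives no actual Airlock values.
MAX_DIMENSION = 2000        # largest accepted width or height, in pixels
MAX_PIXELS = 2_000_000      # largest accepted width * height
BYTES_PER_PIXEL = 4         # assumed RGBA raster buffer, used only for the size estimate
DEFAULT_SIZE = (800, 300)   # hypothetical defaults when a parameter is absent

_DIGITS = re.compile(r"[0-9]{1,6}")  # short, ASCII-only, non-negative integer


class InvalidChartSize(ValueError):
    """Raised when width/height are malformed or outside the configured budget."""


def parse_chart_size(query_string: str) -> tuple[int, int]:
    """Validate width/height from the raw query string before any image is rendered.

    Every check runs on the untrusted string; nothing is allocated until both
    dimensions are known to be inside the budget.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    dims = []
    for name, default in zip(("width", "height"), DEFAULT_SIZE):
        values = params.get(name)
        if values is None:
            dims.append(default)
            continue
        if len(values) != 1:
            raise InvalidChartSize(f"{name}: parameter must not repeat")
        raw = values[0]
        if not _DIGITS.fullmatch(raw):
            raise InvalidChartSize(f"{name}: not a small non-negative integer")
        value = int(raw)
        if not 1 <= value <= MAX_DIMENSION:
            raise InvalidChartSize(f"{name}: outside 1..{MAX_DIMENSION}")
        dims.append(value)
    width, height = dims
    # Bound the area as well: two in-range sides can still multiply to a huge buffer.
    if width * height > MAX_PIXELS:
        raise InvalidChartSize(f"{width}x{height}: exceeds {MAX_PIXELS} pixel budget")
    return width, height


def estimated_buffer_bytes(width: int, height: int) -> int:
    """Memory a raster renderer would need for the requested size (assumption: RGBA)."""
    return width * height * BYTES_PER_PIXEL


def handle_chart_request(query_string: str) -> tuple[int, str]:
    """CGI-style dispatcher: 400 for rejected sizes, 200 with the accepted size otherwise."""
    try:
        width, height = parse_chart_size(query_string)
    except InvalidChartSize as exc:
        return 400, f"rejected: {exc}"
    # The real handler would render the chart here; this example only reports the size.
    return 200, f"render {width}x{height} ({estimated_buffer_bytes(width, height)} bytes)"


if __name__ == "__main__":
    # Constructed sample query strings: one normal request, one relying on defaults,
    # one with an oversized pair of dimensions and one with a malformed value.
    for qs in ("width=640&height=240", "", "width=100000&height=100000", "width=-5&height=10"):
        print(repr(qs), "->", handle_chart_request(qs))
```

The point of the design is that the decision is made on the string before any allocation happens, that the area is capped independently of the per-side limit, and that repeated parameters are rejected rather than silently picking one copy. `estimated_buffer_bytes` only exists to make the cost of an unbounded request visible to whoever tunes the limits.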

Because the malicious requests (HTTPS GET) are processed without prior authentication (by design), the URLs can easily be used in an XSRF attack. This allows an attacker to indirectly attack Airlock via the browser of any administrator with HTTPS access to the management interface of Airlock.

A DoS attack may knock out Airlock and make all protected applications unavailable.

Resolution:

Upgrade to Airlock version 4.2.1.1 or newer.

Component: Airlock

Airlock Vulnerability Status: Airlock vulnerable, see resolution

Back-end Vulnerability Status: Does not affect back-end behind Airlock