CVE-2022-37797 Overview
CVE-2022-37797 is a null pointer dereference vulnerability in lighttpd version 1.4.65 that affects the mod_wstunnel module. When the server receives an invalid HTTP request during a websocket handshake, the module fails to properly initialize a handler function pointer. This uninitialized pointer leads to a null pointer dereference, causing the server to crash. Remote attackers can exploit this vulnerability to create a denial of service condition against affected lighttpd installations.
Critical Impact
Remote attackers can crash lighttpd servers without authentication by sending specially crafted invalid websocket handshake requests, causing service disruption for all users relying on the affected web server.
Affected Products
- lighttpd version 1.4.65
- Debian Linux 10.0
Discovery Timeline
- 2022-09-12 - CVE-2022-37797 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-37797
Vulnerability Analysis
This vulnerability stems from improper initialization of function pointers within the mod_wstunnel WebSocket tunneling module. When lighttpd receives a malformed HTTP request that fails websocket handshake validation, the code path responsible for setting up the connection handler does not properly initialize the handler function pointer. Subsequently, when the server attempts to invoke this handler, it dereferences a null pointer, triggering an immediate crash.
The vulnerability is classified as CWE-476 (Null Pointer Dereference). The attack can be executed remotely over the network without requiring any privileges or user interaction, making it particularly dangerous for internet-facing lighttpd deployments using WebSocket functionality.
Root Cause
The root cause lies in the mod_wstunnel module's error handling logic during websocket handshake processing. When an invalid HTTP request is received, the module's control flow bypasses the initialization of a critical handler function pointer. The pointer remains in an uninitialized state (null), and when the server later attempts to execute the handler, the null dereference causes the entire lighttpd process to terminate abnormally.
Attack Vector
The attack vector is network-based, requiring no authentication or special privileges. An attacker simply needs to:
- Establish a TCP connection to the target lighttpd server
- Send a malformed HTTP request that triggers the websocket handshake code path in mod_wstunnel
- The invalid request causes the handler function pointer to remain uninitialized
- When lighttpd attempts to process the request further, it dereferences the null pointer
- The server crashes, resulting in denial of service
The vulnerability can be triggered repeatedly, allowing an attacker to prevent the server from recovering and maintaining persistent denial of service until the attack ceases.
Detection Methods for CVE-2022-37797
Indicators of Compromise
- Unexpected lighttpd server crashes or restarts, particularly when WebSocket functionality is enabled
- Abnormal HTTP requests in server logs preceding crash events
- Malformed websocket handshake requests from unusual source IPs
- Increased volume of connection attempts to WebSocket endpoints
Detection Strategies
- Monitor lighttpd process stability and implement alerting on unexpected terminations
- Analyze HTTP access logs for malformed websocket handshake requests
- Implement network-level inspection for anomalous HTTP request patterns targeting WebSocket endpoints
- Use intrusion detection systems (IDS) to identify repeated connection attempts followed by server crashes
Monitoring Recommendations
- Configure process monitoring to track lighttpd restarts and core dumps
- Enable detailed logging for the mod_wstunnel module if available
- Set up automated alerts for service unavailability
- Monitor network traffic for patterns consistent with DoS attacks targeting websocket endpoints
How to Mitigate CVE-2022-37797
Immediate Actions Required
- Upgrade lighttpd to a patched version newer than 1.4.65
- If upgrading is not immediately possible, consider disabling mod_wstunnel if WebSocket functionality is not required
- Implement rate limiting on incoming connections to mitigate the impact of DoS attempts
- Deploy a web application firewall (WAF) to filter malformed HTTP requests
Patch Information
The lighttpd project has addressed this vulnerability in versions following 1.4.65. Administrators should consult the Lighttpd Issue #3165 for official patch information. Debian users should apply the security updates referenced in Debian DSA-5243 and the Debian LTS Announcement. Gentoo users can reference GLSA 202210-12 for package update guidance.
Workarounds
- Disable the mod_wstunnel module entirely if WebSocket tunneling is not a required feature
- Place lighttpd behind a reverse proxy that can validate HTTP request integrity before forwarding
- Implement network-level access controls to restrict which clients can reach WebSocket endpoints
- Use connection rate limiting to reduce the effectiveness of DoS attacks
# Disable mod_wstunnel in lighttpd configuration
# Edit /etc/lighttpd/lighttpd.conf and comment out or remove:
# server.modules += ( "mod_wstunnel" )
# Restart lighttpd to apply changes
systemctl restart lighttpd
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
