NISCC
Vulnerability Advisory 403518/NISCC/APACHE
Vulnerability Issues with the Apache Web Server
Version Information
Advisory Reference: 403518/NISCC/APACHE
Release Date: 15 September 2004
Last Revision: 15
Version Number: 1.0
 
What is Affected?
The vulnerabilities described in this advisory affect the Apache 2.0.x web
server software (all versions of Apache 1.3.x are unaffected).
Severity
The severity of the vulnerabilities varies by vendor and platform; if
exploited, they could allow an attacker to execute arbitrary code on the
affected system or to escalate privileges.
Summary
Two vulnerabilities have been discovered within the Apache 2.0.x web server by
two separate research parties: one by the Apache Software Foundation (ASF) and
Red Hat Security teams, using the HTTP Test Tool supplied by Codenomicon, and
one by the Swedish IT Incident Centre within the National Post and Telecom
Agency (SITIC).
Apache has been the most popular web server on the Internet since April 1996
and is available on both UNIX and Windows platforms. The two vulnerabilities
that were identified are as follows:
1. Through testing of Apache with the Codenomicon HTTP Test Tool, the ASF
Security Team discovered a bug in the apr-util library which can lead to
arbitrary code execution.
2. SITIC discovered that Apache suffers from a buffer overflow when expanding
environment variables in configuration files such as .htaccess and httpd.conf,
leading to possible privilege escalation.
All users of Apache that are affected by these vulnerabilities are recommended
to take note of this advisory and carry out any remedial actions suggested by
their vendor(s).
Details
Apache is maintained by the Apache Project, which is a collaborative software
development effort. The project is jointly managed by a group of volunteers
located around the world, using the Internet and the Web to communicate, plan,
and develop the server and its related documentation. These volunteers are
known as the Apache Group.
Vendor-specific information will be released as it becomes available and if
vendor permission has been received. Subscribers are advised to check the
following URL regularly for updates:
http://www.uniras.gov.uk/vuls/2004/403518/index.htm
[Please note that updates to this advisory will not be notified by email.]
Vulnerability 1:
The identified vulnerability is in the apr-util library: the apr_uri_parse
function lacks input validation on IPv6 literal addresses (hostnames written
in square brackets, such as "[::1]"), which can result in a negative length
parameter being passed to memcpy. By carefully crafting URLs that include IPv6
literal addresses in the Request-URI or Host header, an attacker can use an
ordinary HTTP request to trigger the problem via httpd.
Although on most platforms this vulnerability will not lead to arbitrary code
execution (the oversized copy simply crashes the Apache child process), it may
be exploitable under the following circumstances:
• On BSD distributions, because the implementation of memcpy will write three
arbitrary bytes to an attacker-controlled location; however, this will not be
trivial.
• On any platform, if the optional (and not default) AP_ENABLE_EXCEPTION_HOOK
define is enabled. This is used, for example, by the experimental
"mod_whatkilledus" module.
This vulnerability has been assigned the CVE name CAN-2004-0786.
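To make the failure mode concrete, the following is an added example written for this advisory, not apr-util source: a simplified model of a hostinfo parser that derives the hostname length by subtracting bracket offsets from a length or pointer difference (the pattern that produces a negative value for an unterminated "[" literal), beside a checked parser that validates the IPv6 literal before any length is computed. The function and type names (unchecked_hostname_len, checked_parse_hostinfo, parsed_host) and the sample inputs are constructed for illustration; the exact trigger inside apr_uri_parse may differ in detail.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the vulnerable pattern (not the apr-util code).
 * Returns the byte count the unchecked parser would hand to memcpy() for
 * the hostname.  A '[' with no matching ']' yields len - 2 = -1, which
 * converts to (size_t)-1 when used as a copy length.  Nothing is copied
 * here, so the bad case can be observed without crashing. */
long unchecked_hostname_len(const char *hostinfo)
{
    size_t len = strlen(hostinfo);
    long v6_off = 0;              /* bytes dropped for '[' and ']' */
    const char *s;

    if (len > 0 && hostinfo[0] == '[') {
        v6_off = 2;
        s = memchr(hostinfo, ']', len);
        if (s != NULL && s[1] == ':')
            s = s + 1;            /* s now at the ':' before the port */
        else
            s = NULL;             /* "[::1]" with no port, or no ']' at all */
    } else {
        s = memchr(hostinfo, ':', len);
    }
    if (s == NULL)
        return (long)len - v6_off;          /* BUG: "[" gives 1 - 2 = -1 */
    return (long)(s - hostinfo) - v6_off;
}

typedef struct {
    const char *host;     /* points into the input; not NUL-terminated */
    size_t      host_len;
    const char *port;     /* NULL when no port was given */
} parsed_host;

/* Hardened parse: validate the literal first, derive lengths second.
 * Returns 0 on success, -1 on malformed input. */
int checked_parse_hostinfo(const char *hostinfo, parsed_host *out)
{
    size_t len = strlen(hostinfo);
    const char *sep;

    if (len == 0)
        return -1;
    if (hostinfo[0] == '[') {
        const char *rb = memchr(hostinfo, ']', len);
        if (rb == NULL || rb == hostinfo + 1)
            return -1;                      /* unterminated or empty literal */
        out->host = hostinfo + 1;
        out->host_len = (size_t)(rb - hostinfo) - 1;   /* rb > hostinfo + 1 here */
        sep = rb + 1;
        if (*sep != '\0' && *sep != ':')
            return -1;                      /* "[::1]junk" */
    } else {
        sep = memchr(hostinfo, ':', len);
        out->host = hostinfo;
        out->host_len = sep ? (size_t)(sep - hostinfo) : len;
    }
    if (sep == NULL || *sep == '\0') {
        out->port = NULL;
        return 0;
    }
    out->port = sep + 1;
    if (*out->port == '\0' || strspn(out->port, "0123456789") != strlen(out->port))
        return -1;                          /* port must be non-empty decimal */
    return 0;
}

int main(void)
{
    /* Constructed sample hostinfo values, including the unterminated literal. */
    static const char *samples[] = { "[::1]:8080", "[::1]", "[", "[::1]x", "www.example.com:80" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        parsed_host h;
        int rc = checked_parse_hostinfo(samples[i], &h);
        printf("%-20s unchecked len=%ld  checked=%s\n", samples[i],
               unchecked_hostname_len(samples[i]), rc == 0 ? "ok" : "rejected");
    }
    return 0;
}
```

The checked version never forms a length from a subtraction that can go negative: the closing bracket is located and its position validated before host_len is computed, and anything following "]" other than ":" plus digits is rejected rather than silently re-interpreted.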
Vulnerability 2:
The buffer overflow occurs when expanding ${ENVVAR} constructs in .htaccess or
httpd.conf files. The function ap_resolve_env() in server/util.c copies data
from the environment variables into the fixed-size character array tmp with
strcat(3) without checking the space remaining, leading to a buffer overflow
and hence possible privilege escalation. Configuration files are parsed by
httpd itself, so code reached through a malicious .htaccess runs with the
privileges of the server process that handles the request, and a malicious
httpd.conf is parsed by the parent process at startup.
HTTP requests that exploit this problem are not shown in the access log,
although the error log will show segmentation faults; detection therefore has
to rely on the error log and on review of .htaccess contents rather than on
access-log analysis.
However, for this vulnerability to be exploited an attacker must first be able
to place a malicious configuration file on the server, for example by inducing
an administrator to install it or by having write access to a directory in
which .htaccess files are honoured; it is not remotely exploitable on its own.
This vulnerability has been assigned the CVE name CAN-2004-0747.
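As an added example, constructed for this advisory and not the server/util.c code: a model of the ${ENVVAR} expansion loop that reports how many bytes an unchecked strcat()-based expansion would write into a fixed tmp buffer, beside a bounded expansion that refuses output that does not fit. The environment table (model_env), the 64-byte buffer size (TMP_LEN) and the function names are assumptions made for illustration; the real function uses getenv() and a much larger buffer, which only moves the point at which the overflow occurs.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TMP_LEN 64   /* model of the fixed tmp[] array; size is an assumption */

/* Constructed environment so the example runs offline (the real code uses getenv()). */
struct env_entry { const char *name; const char *value; };
static const struct env_entry model_env[] = {
    { "HOME", "/home/www" },
    { "HUGE", "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" },   /* 40 bytes */
    { NULL, NULL }
};

static const char *model_getenv(const char *name, size_t name_len)
{
    const struct env_entry *e;
    for (e = model_env; e->name != NULL; e++)
        if (strlen(e->name) == name_len && memcmp(e->name, name, name_len) == 0)
            return e->value;
    return NULL;
}

/* Append n bytes of src; with out == NULL only count.  Returns -1 when the
 * bytes plus the terminating NUL would not fit in out_size. */
static int append(char *out, size_t out_size, size_t *used, const char *src, size_t n)
{
    if (out != NULL) {
        if (n >= out_size - *used)
            return -1;
        memcpy(out + *used, src, n);
        out[*used + n] = '\0';
    }
    *used += n;
    return 0;
}

/* Walk word the way the expansion does: literal text is copied through and
 * each ${NAME} is replaced by its value (unset names expand to nothing).
 * Returns the expanded length, or -1 if out is given and the result does not fit. */
static long expand(const char *word, char *out, size_t out_size)
{
    size_t used = 0;
    const char *s = word;

    if (out != NULL) {
        if (out_size == 0)
            return -1;
        out[0] = '\0';
    }
    while (*s != '\0') {
        const char *dollar = strchr(s, '$');
        size_t lit = dollar ? (size_t)(dollar - s) : strlen(s);
        if (append(out, out_size, &used, s, lit) < 0)
            return -1;
        if (dollar == NULL)
            break;
        if (dollar[1] == '{') {
            const char *close = strchr(dollar + 2, '}');
            if (close != NULL) {
                const char *val = model_getenv(dollar + 2, (size_t)(close - dollar - 2));
                if (val != NULL && append(out, out_size, &used, val, strlen(val)) < 0)
                    return -1;
                s = close + 1;
                continue;
            }
        }
        if (append(out, out_size, &used, "$", 1) < 0)   /* a lone '$' is literal */
            return -1;
        s = dollar + 1;
    }
    return (long)used;
}

/* Bytes the unchecked strcat() version would write, excluding the NUL. */
size_t expanded_length(const char *word)
{
    return (size_t)expand(word, NULL, 0);
}

/* 1 if writing the expansion of word into char tmp[TMP_LEN] would overflow it. */
int unchecked_would_overflow(const char *word)
{
    return expanded_length(word) + 1 > TMP_LEN;
}

/* Bounded replacement: 0 on success, -1 if the result does not fit in out. */
int resolve_env_bounded(const char *word, char *out, size_t out_size)
{
    return expand(word, out, out_size) < 0 ? -1 : 0;
}

int main(void)
{
    char tmp[TMP_LEN];
    const char *words[] = { "${HOME}/htdocs", "${HUGE}", "${HUGE}${HUGE}" };   /* constructed inputs */
    size_t i;
    for (i = 0; i < sizeof words / sizeof words[0]; i++) {
        int rc = resolve_env_bounded(words[i], tmp, sizeof tmp);
        printf("%-16s -> %zu bytes, overflows tmp[%d]: %s, bounded: %s\n", words[i],
               expanded_length(words[i]), TMP_LEN,
               unchecked_would_overflow(words[i]) ? "yes" : "no", rc == 0 ? tmp : "rejected");
    }
    return 0;
}
```

The point of the bounded variant is that every write goes through one helper that knows the remaining capacity, so a long environment value turns into a configuration error instead of a stack write past the end of tmp.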
Mitigation
Patch all affected implementations. Until a patch is applied, exposure to
vulnerability 2 can be reduced by not honouring .htaccess files from untrusted
users (AllowOverride None for their directories), since the overflow is only
reached when httpd parses a configuration file containing the malicious
${ENVVAR} construct.
Solution
For Apache 2.0.x an official fix is available from the Apache Software
Foundation for both issues, and both fixes will be incorporated into Apache
2.0.51.
However, platform vendors may issue their own patches, so please also refer to
the Vendor Information section of this advisory for platform-specific
remediation.
Vendor Information
The following vendors have provided information about how their products are
affected by these vulnerabilities.
Please note that JPCERT/CC have released a Japanese language advisory for this
vulnerability which contains additional information regarding Japanese
vendors. This advisory is available at http://jvn.jp/niscc/NISCC-403518.html.
Apache Software Foundation:
These issues will be addressed in an upcoming release of the Apache HTTP
Server, expected to be version 2.0.51. Individual patches for these issues are
also available from:
Cisco Systems:
Cisco Systems is evaluating the vulnerabilities identified by NISCC #403518.
Should an issue be found, Cisco will release a Security Advisory. The most
up-to-date information on all Cisco product security issues may be found at:
Fujitsu:
Not vulnerable (still under examination). For further information please see:
http://software.fujitsu.com/jp/security/niscc/niscc.html#403518-Apache.
Hitachi:
Hitachi products are NOT affected by this issue.
Juniper Networks:
Juniper Networks products are not susceptible to this vulnerability.
Oracle:
Oracle is not vulnerable to this vulnerability.
Red Hat:
Red Hat Enterprise Linux 3 contains a httpd package which is vulnerable to
these issues. As these issues only cause an Apache child process to crash, for
the default processing model these issues do not constitute a denial of
service. New httpd packages will be available along with our advisory at the
URL below or by using the Red Hat Network 'up2date' tool.
http://rhn.redhat.com/errata/RHSA-2004-463.html
SUSE LINUX:
SUSE LINUX will release updates to Apache at the following URL:
Acknowledgements
NISCC wishes to thank the following:
• The Apache Software Foundation and Red Hat Security Teams for their
contributions to this advisory.
• The Swedish IT Incident Centre for their contributions to this advisory.
• JPCERT/CC for their assistance in co-ordinating this disclosure in
References
Apache Links: The Apache Software Foundation
Vulnerability Databases: Common Vulnerabilities and Exposures (CVE)
Contact Information
The NISCC Vulnerability Management Team can be contacted as follows:
Email: vulteam@niscc.gov.uk
Telephone: +44 (0)870 487 0748 Extension 4511
Fax: +44 (0)870 487 0749
Post: Vulnerability Management Team
We encourage those who wish to communicate via email to make use of our PGP
key. This is available from http://www.uniras.gov.uk/UNIRAS.asc.
Please note that
If you wish to be added to our email distribution list, please email your
request to uniras@niscc.gov.uk.
What is NISCC?
For further information regarding the UK National Infrastructure Security
Co-Ordination Centre, please visit the NISCC web site at: http://www.niscc.gov.uk/aboutniscc/index.htm
Reference to any specific commercial product, process or service by trade name,
trademark, manufacturer or otherwise, does not constitute or imply its
endorsement, recommendation, or favouring by NISCC. The views and opinions of
authors expressed within this notice shall not be used for advertising or
product endorsement purposes.
Neither shall NISCC accept responsibility for any errors or omissions contained
within this advisory. In particular, they shall not be liable for any loss or
damage whatsoever, arising from or in connection with the usage of information
contained within this notice.
© 2004 Crown Copyright
Revision History
Initial release (1.0)
<End of NISCC Vulnerability Advisory>