Apache update opens the door to a bigger threat

The Apache Software Foundation recently released a software update that fixed a number of problems but also introduced a dangerous new security threat.

There have been a number of recent Apache Web Server vulnerabilities that require the attention of administrators, security professionals, and Webmasters. The threats pose various levels of danger and some can be exploited remotely.

Details

The most recent vulnerability is a remotely exploitable threat that can allow an attacker to bypass access controls. It is being referred to as the "Satisfy" directive threat. You can see the original advisory here (scroll down to the description). The danger is that some password-protected folders will no longer be protected if you update to Apache version 2.0.51.

A locally exploitable buffer overrun vulnerability in the configuration file variable .htaccess (Bugtraq ID 11182, CAN-2004-0747) affects a large number of Apache 2.x versions and is found in most Linux versions, including Mandrake, SuSE, Red Hat, and others. This threat has caused a number of users to update to version 2.0.51, making a large number of systems vulnerable to the remotely exploitable Satisfy vulnerability described above.

A vulnerability in the apr-util library (Apache 2.0.50 and earlier), specifically in the IPv6 URI parsing routine (CAN-2004-0786), can trigger a denial of service, or worse.

You can find a list of all recent Apache vulnerabilities here on Secunia.com.

Applicability

The Satisfy directive vulnerability (CAN-2004-0811) is only found in Apache version 2.0.51.

The .htaccess buffer overrun vulnerability affects all Apache 2.0.50 and earlier versions.

The IPv6 URI parsing vulnerability is found on Apache versions 2.0.35 through 2.0.50.
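As an added example (not part of the original column or of Apache's own code), the following script turns the version ranges above into a quick triage check and, for an administrator already on 2.0.51, lists the `<Directory>` sections whose protection depends on how a `Satisfy` directive is merged from an enclosing directory. The version ranges are taken from the Applicability section (the lower bound for the .htaccess issue is assumed, since the column only says "2.0.50 and earlier"); the httpd.conf fragment and function names are constructed for illustration. It parses the `Server version:` line printed by `httpd -v`, and the path-prefix merge mirrors the way Apache applies `<Directory>` sections, longest matching path last.

```python
"""Triage helper for the three Apache 2.0.x advisories discussed on the page.

Added example, not Apache project code. Version ranges come from the column's
Applicability section; the sample configuration is constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive affected ranges as stated in the Applicability section.
# Lower bound for CAN-2004-0747 is assumed ("2.0.50 and earlier").
ADVISORIES: Dict[str, Tuple[str, Version, Version]] = {
    "CAN-2004-0811": ("Satisfy directive merging", (2, 0, 51), (2, 0, 51)),
    "CAN-2004-0747": (".htaccess buffer overrun", (2, 0, 0), (2, 0, 50)),
    "CAN-2004-0786": ("apr-util IPv6 URI parsing DoS", (2, 0, 35), (2, 0, 50)),
}

_VERSION_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")


def parse_version(banner: str) -> Optional[Version]:
    """Extract (major, minor, patch) from 'httpd -v' output or a Server header."""
    m = _VERSION_RE.search(banner)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def affected_advisories(version: Version) -> List[str]:
    """Return the advisory ids whose inclusive range contains `version`."""
    return [cid for cid, (_, lo, hi) in ADVISORIES.items() if lo <= version <= hi]


_SECTION_OPEN = re.compile(r'^<Directory\s+"?([^">]+)"?\s*>', re.I)
_SECTION_CLOSE = re.compile(r"^</Directory>", re.I)


def parse_directory_sections(conf: str) -> Dict[str, Dict[str, str]]:
    """Collect Satisfy/Require/AuthType per <Directory> path (later values win)."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # Apache comments start the line
            continue
        m = _SECTION_OPEN.match(line)
        if m:
            current = m.group(1).rstrip("/") or "/"
            sections.setdefault(current, {})
            continue
        if _SECTION_CLOSE.match(line):
            current = None
            continue
        if current is None:
            continue                              # directive outside any section
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key in ("satisfy", "require", "authtype"):
            sections[current][key] = parts[1] if len(parts) > 1 else ""
    return sections


def effective_satisfy(path: str, sections: Dict[str, Dict[str, str]]
                      ) -> Tuple[Optional[str], Optional[str]]:
    """Resolve the Satisfy value for `path` as Apache merges <Directory>
    sections: the longest matching path prefix that sets Satisfy wins.
    Returns (value, path of the section it came from)."""
    best: Optional[str] = None
    for sec_path, directives in sections.items():
        if "satisfy" not in directives:
            continue
        if path == sec_path or path.startswith(sec_path.rstrip("/") + "/"):
            if best is None or len(sec_path) > len(best):
                best = sec_path
    return (None, None) if best is None else (sections[best]["satisfy"], best)


def directories_to_verify(conf: str) -> List[Tuple[str, str, str]]:
    """List (path, Require value, where Satisfy comes from) for every section
    that requires authentication and has some Satisfy directive applying to
    it. On 2.0.51 these are the directories to test by hand after upgrading."""
    sections = parse_directory_sections(conf)
    rows = []
    for path, d in sorted(sections.items()):
        if "require" not in d:
            continue
        value, source = effective_satisfy(path, sections)
        if value is not None:
            rows.append((path, d["require"], f"Satisfy {value} from <Directory {source}>"))
    return rows


# Constructed sample httpd.conf fragment (not from any real server).
SAMPLE_CONF = """\
# constructed sample
<Directory "/var/www">
    Satisfy Any
    Order allow,deny
    Allow from all
</Directory>
<Directory "/var/www/private">
    AuthType Basic
    AuthName "Staff"
    AuthUserFile /etc/httpd/staff.passwd
    Require valid-user
    Satisfy All
</Directory>
<Directory "/var/www/reports">
    AuthType Basic
    AuthUserFile /etc/httpd/staff.passwd
    Require valid-user
</Directory>
<Directory "/srv/public">
    Order allow,deny
    Allow from all
</Directory>
"""

if __name__ == "__main__":
    ver = parse_version("Server version: Apache/2.0.51")   # constructed banner
    print("version", ver, "affected by", affected_advisories(ver))
    for path, req, source in directories_to_verify(SAMPLE_CONF):
        print(f"verify {path}: Require {req}; {source}")
```

The inventory deliberately reports every authenticated directory that any `Satisfy` directive reaches, rather than trying to guess which merge combination the 2.0.51 bug breaks: the cheap check is to request each listed path without credentials after the upgrade and confirm the server still answers 401.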

Risk level

The Satisfy directive vulnerability is rated moderately critical. When you update to the affected version (Apache 2.0.51), some previously password-protected directories will no longer be protected and can be accessed remotely by attackers.

The .htaccess buffer overrun is a moderate threat and is mostly of interest because it caused so many managers to update to the 2.0.51 version that led to the more serious Satisfy vulnerability.

The IPv6 URI parsing vulnerability is a moderate to moderately critical vulnerability because there are some unconfirmed reports that, in addition to the DoS threat, it may also allow remote attackers to run arbitrary code on BSD systems. This threat also led managers to upgrade to Apache version 2.0.51, which turned out to contain the more serious Satisfy vulnerability.

Mitigating factors

  • Satisfy directive—this threat only applies if you have updated to version 2.0.51.
  • Htaccess buffer overrun—this can only be exploited locally.
  • IPv6 URI parsing vulnerability—this is probably only a moderate or low-level threat to most Linux and UNIX systems, but there is a significant possibility that it can allow remote code execution on BSD systems.

Fix

  • There is a patch available for the Satisfy merging vulnerability. Apache.org has also recently released a new version, 2.0.52, and updating to that version will eliminate the Satisfy threat.
  • Htaccess buffer overrun—skip version 2.0.51 and update to version 2.0.52.
  • IPv6 URI parsing vulnerability—there are patches available from Apache.org or you can skip version 2.0.51 and update to version 2.0.52.

Final word

It's interesting that this recent series of Apache threats included two relatively low-level vulnerabilities that were nonetheless widespread enough to prompt many managers to upgrade to the then-latest Apache version, 2.0.51, which turned out to contain a considerably more dangerous vulnerability and forced another round of patches or updates.

I'm not specifically picking on Apache because the same thing happens all the time with Microsoft updates that must be quickly patched, but it should remind open source adopters that they are vulnerable to the same sort of patch, update, and patch again problem that famously plagues Microsoft software.


Also watch for…

  • There are three recently reported vulnerabilities found on most versions of RealPlayer and Helix player, the popular multimedia content utilities. The threat can allow remote attackers to access, modify, and delete local files on vulnerable systems. The list of affected versions is extensive and includes the Enterprise edition, so any users or managers responsible for systems with RealPlayer installed should check out the vendor report and update where necessary.
  • There is a new threat mitigation guide for managers upgrading systems to Windows Server 2003 but who must continue to support some NT and Windows 98 systems connected to the network.
  • Ever wish you could easily obtain new Microsoft programs to test for possible compatibility or other problems? Take a look at the Microsoft Trial Software Center, which lets you download or order copies of demo versions of lots of Microsoft software. Server trial versions are good for 120 days or longer and you can upgrade a trial installation to a licensed version. For those who prefer not to download gigantic files, the cost on CD ($8 for most discs) is quite modest. (Sorry, the trial of Age of Empires II is only available as a download.)
  • The Beagle/Bagle worm is rearing its ugly little head again and TechRepublic has a newly available chart to download to help you deal with it.
  • A number of mergers have recently taken place in the security vendor industry, narrowing your choice of products. TruSecure and Betrusted, for example, are now Cybertrust, a merged company. Symantec has purchased @Stake. For an independent look at recent security news you can continue to rely on this column as well as our new site for breaking security news, www.virusthreatcenter.com.