
Various Apache 2.x vulnerabilities require admins' attention

How to mitigate the threats of new flaws in the popular Apache HTTP Server


Apache 2.x servers are vulnerable to several threats and should be updated to the latest version. Some of the flaws reside in the Apache software itself, and one flaw exists in the ModSecurity 1.7.4 intrusion detection software. Yet another vulnerability, which can give an attacker access to authentication credentials, is known but hasn’t been patched in the latest released version of Apache (at the time this article was being published).

Details
S-Quadra Security Research has published information about a vulnerability in the open source ModSecurity intrusion detection software, which functions as an Apache module. The researcher reportedly notified ModSecurity at the beginning of February and held off on a public announcement (in BugTraq) until now, when ModSecurity version 1.7.5 became available.

A different vulnerability involves a rare condition affecting Apache 2.0.48 and earlier on some versions of AIX, Solaris, and Tru64, but not Windows, Linux, or FreeBSD platforms. See the vendor’s advisory and release announcement for version 2.0.49 for more information.

The vulnerability CAN-2004-0113 refers to a memory leak in mod_ssl. The vulnerability CAN-2003-0020 can allow “exploits of certain terminal emulators.”

Unfortunately, another new vulnerability has been reported in Apache versions 2.0.49 (the current version) and prior 2.x versions. This threat relates to mod_disk_cache and can give an attacker access to authentication credentials. The discoverer, Andreas Steinmetz, says he reported the defect to the Apache team on March 2, 2004, and hasn’t heard back from Apache since March 7. In his BugTraq note of March 20, Steinmetz says that the vulnerability hasn’t been addressed in the latest release, version 2.0.49, and therefore he has published details of the threat.

See the Apache advisory for details on a few other threats. You should also note that some Apache DoS threats have been addressed by the newest release, Apache HTTP Server version 2.0.49.

Applicability
All of these flaws affect Apache versions 2.x.

Risk level—high
One vulnerability has a potential of allowing an attacker to run arbitrary code on an Apache Web server using ModSecurity software. Most of the other flaws are less important but can still trigger DoS events. The unpatched threat that I mentioned can allow for the theft of credentials.

Mitigating factors
Any organizations that have stayed with Apache version 1.3.x are probably safe from all of these threats, which appear to affect only version 2.x releases.

Fix
For all except the mod_disk_cache threat, upgrading to the latest version of Apache will solve these problems. There is no workaround for the three vulnerabilities recently fixed by the release of Apache 2.0.49. The Apache advisory recommends disabling mod_disk_cache until a fix is found for that flaw. Steinmetz has published a possible patch that he also forwarded to the Apache team.
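As an added example (not code from the article or from the Apache project), the following POSIX shell audit turns the two actions above into a check an administrator can run against a server's reported version string and its httpd.conf: it flags any 2.0.x build older than 2.0.49 as needing the upgrade, and flags a configuration that still loads mod_disk_cache or enables a disk cache, which the advisory says to turn off until a fix ships. The function names are hypothetical, the sample configurations are constructed for the example, and it assumes the usual "major.minor.patch" version format.

```shell
#!/bin/sh
# Added example, not from the article or the Apache project: audit a reported
# httpd version against 2.0.49 and check an httpd.conf for mod_disk_cache.

# Return 0 (true) when a 2.0.x version string is older than 2.0.49, the first
# release fixing the flaws above. 1.3.x is reported as unaffected, so it is not
# flagged. Hypothetical helper name.
needs_upgrade() {
    v=$1
    old_ifs=$IFS
    IFS=.
    set -- $v                      # split "major.minor.patch" into $1 $2 $3
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    [ "$major" -eq 2 ] || return 1 # only the 2.x line is affected
    [ "$minor" -gt 0 ] && return 1 # a later minor branch is newer than 2.0.49
    [ "$patch" -lt 49 ]
}

# Return 0 (true) when the config file given in $1 loads mod_disk_cache or
# enables a disk cache for any URL. Commented-out directives are ignored.
disk_cache_enabled() {
    grep -Eiq '^[[:space:]]*(LoadModule[[:space:]]+disk_cache_module[[:space:]]|CacheEnable[[:space:]]+disk[[:space:]])' "$1"
}

# Run both checks, print findings, and return 0 only when nothing needs attention.
audit_server() {
    findings=0
    if needs_upgrade "$1"; then
        echo "httpd $1 predates 2.0.49: upgrade to the current release"
        findings=1
    fi
    if disk_cache_enabled "$2"; then
        echo "$2 enables mod_disk_cache: disable it until Apache ships a fix"
        findings=1
    fi
    return $findings
}

# Constructed sample configurations (not taken from any real server).
VULN_CONF=$(mktemp)
cat > "$VULN_CONF" <<'EOF'
LoadModule cache_module modules/mod_cache.so
LoadModule disk_cache_module modules/mod_disk_cache.so
CacheRoot /var/cache/httpd
CacheEnable disk /
EOF

SAFE_CONF=$(mktemp)
cat > "$SAFE_CONF" <<'EOF'
LoadModule cache_module modules/mod_cache.so
# mod_disk_cache disabled per the Apache advisory until the credential leak is fixed
#LoadModule disk_cache_module modules/mod_disk_cache.so
#CacheEnable disk /
EOF
trap 'rm -f "$VULN_CONF" "$SAFE_CONF"' EXIT

audit_server 2.0.48 "$VULN_CONF" || echo "action required"
audit_server 2.0.49 "$SAFE_CONF" && echo "no findings for 2.0.49 with the cache disabled"
```

On a real host, pass the version printed by `httpd -v` and the path of the active httpd.conf (and any included files) to `audit_server`; a server that passes both checks still carries the mod_disk_cache issue only if the module is enabled, which is exactly what the second check looks for.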

Final word
Apache administrators may also be interested in taking a look at the details of Reasoning Inc.’s Apache code inspection project.

Also watch for …
  • SCO has released a warning about a buffer overflow found in Mutt 1.4.1 and earlier that can lead to a DoS event. Affected are OpenLinux 3.1.1 Server and 3.1.1 Workstation prior to mutt-1.2.5-13.i386.rpm. Updates are available; see the SecurityFocus report for more details. Another threat to 3.1.1 Server and Workstation (Midnight Commander, CAN-2003-1023), which can give an attacker remote system access, has also been addressed by SCO.
  • Hotmail and Yahoo mail systems both came under attack recently due to problems in their filtering technology that can permit an Internet Explorer cross-site scripting vulnerability to slip through to end users' mailboxes. The problem should be cleared up by now, but using a non-IE browser will also eliminate the problem.
  • Following on last year’s Debian, Gentoo, and GNU Project server hacks, the GNOME Project (Linux/UNIX desktop suite) is the latest Linux developer server to be embarrassed by attackers penetrating the system. Although there was apparently no damage, the project managers are diligently checking to see that there were no concealed changes to the next version of GNOME (2.6), which had its introduction delayed.
  • Well-known security vendor F-Secure is releasing a Linux antivirus program designed to protect Samba Servers. Despite common belief, as the ZDNet UK story points out, there are nearly 500 Linux viruses.
  • A new Technical Preview Program makes Windows XP Service Pack 2 RC1 (usually the nearly final version before release) generally available for testing by IT professionals. The download, which doesn’t include any support other than some Microsoft-sponsored newsgroups, requires Windows XP to be installed already. English and German versions are now available and are about 270 MB.
  • Congress is looking to outlaw spyware, but if the final bill isn’t written carefully, it may have important consequences for legitimate advertisers; for example, could a cookie be considered spyware? Well, it depends. It could also complicate legitimate investigations of potential internal threats or the need to monitor possibly illegal actions by employees. The Software Principles Yielding Better Levels of Consumer Knowledge (SPYBLOCK) Act is being debated in the Senate now. It may come as a big surprise to a lot of people that planting spyware on an individual’s personal computer may not even be illegal. There's a press release about SPYBLOCK on sponsoring U.S. Senator Conrad Burns’ (R-Mont.) Web site. With any luck, feedback from the industry will cause the final bill (if it passes) to contain exceptions when permission is given, including when an employee is told about corporate computer use and access policies.
  • In other U.S. federal government news, the Department of the Interior has again failed security reviews, and on March 15 was ordered by a District Court Judge to disconnect from the Internet because of charges that the lax security was, once again, endangering monies owed to Native Americans. An appeals court has since stayed that order, and the Department of Interior went back online, presumably with hackers salivating since they now know that security is lax and that there may be money to steal there. Interestingly enough, I found coverage of this on a British newspaper Web site.
  • Symantec has released its latest semiannual Internet Security Threat Report for the period ending Dec. 31, 2003. The executive summary points out that more vulnerabilities are being announced with exploits, requiring faster patching. Worms are now the most common or most dangerous threat, and many malware programs are now planting back doors.
  • Kerio MailServer versions 5.7.6 and earlier have a critical vulnerability caused by a boundary value error in the spam filter. This can trigger a buffer overrun and allow a remote attacker to run arbitrary code on the server. The fix is to upgrade to version 5.7.7.
  • And, finally, just when you thought it was safe to go on the road, Computerworld reports that Lucent is rolling out plans to put WiFi in cars, on trains, and in buses. If you thought talking on a cell phone in the car was dangerous, just wait until people start driving while surfing the Web with their laptop in the passenger seat!
