There have been a number of recent Apache Web Server
vulnerabilities that require the attention of administrators, security
professionals, and Webmasters. The threats pose various levels of danger and
some can be exploited remotely.
Details
The most recent vulnerability is a remotely exploitable
threat that can allow an attacker to bypass access controls. This is being
referred to as the “Satisfy” directive threat. You can see the original
advisory here
(scroll down to the description). The danger from this vulnerability is that
some password-protected folders will no longer be protected if you update to Apache
version 2.0.51.
A locally exploitable buffer overrun vulnerability in the
handling of configuration variables in .htaccess files (Bugtraq ID 11182, CAN-2004-0747)
affects a large number of Apache 2.x versions and is found in most Linux
distributions, including Mandrake, SuSE, Red Hat, and others. This threat has caused
a number of users to update to version 2.0.51, making a large number of systems
vulnerable to the remotely exploitable Satisfy vulnerability described above.
A vulnerability in the apr-util library (Apache 2.0.50 and
earlier), specifically in the IPv6 URI parsing routine (CAN-2004-0786),
can trigger a denial of service event, or worse.
You can find a list of all recent Apache vulnerabilities here on Secunia.com.
Applicability
The Satisfy directive vulnerability (CAN-2004-0811)
is only found in Apache version 2.0.51.
The .htaccess buffer overrun vulnerability affects all
Apache 2.0.50 and earlier versions.
The IPv6 URI parsing vulnerability is found on Apache
versions 2.0.35 through 2.0.50.
Risk level
The Satisfy directive vulnerability is rated moderately critical. When
you update to the affected version (Apache 2.0.51), some of the previously password-protected
directories will no longer be protected and can be accessed remotely by
attackers.
The .htaccess buffer overrun is a moderate threat and is
mostly of interest because it caused so many managers to update to version 2.0.51,
which contains the more serious Satisfy vulnerability.
The IPv6 URI parsing vulnerability is a moderate to
moderately critical vulnerability because there are some unconfirmed reports
that, in addition to the DoS threat, it may also allow remote attackers to run
arbitrary code on BSD systems. This threat also led managers to upgrade to Apache
version 2.0.51, which turned out to contain the more serious Satisfy vulnerability.
Mitigating factors
- Satisfy directive—this threat only applies if you have updated to version 2.0.51.
- Htaccess buffer overrun—this can only be exploited locally.
- IPv6 URI parsing vulnerability—this is probably only a moderate or low-level threat to most Linux and UNIX systems, but there is a significant possibility that it can allow remote code execution on BSD systems.
Fix
- There is a patch available for the Satisfy merging vulnerability. Apache.org has also recently released a new version, 2.0.52, and updating to that version will eliminate the Satisfy threat.
- Htaccess buffer overrun—skip version 2.0.51 and update to version 2.0.52.
- IPv6 URI parsing vulnerability—there are patches available from Apache.org, or you can skip version 2.0.51 and update to version 2.0.52.
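As an added illustration of the Applicability and Fix sections above (this is not code from the column or from the Apache project), the following Python script maps an Apache 2.0.x version string onto the three advisories discussed here and lists the <Directory> blocks in a configuration that carry authentication, so that those paths can be re-tested for a 401 after any upgrade. The httpd.conf fragment and the version strings are constructed for the demo.

```python
import re

def parse_version(v):
    parts = v.strip().split(".")            # '2.0.51' -> (2, 0, 51)
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError("unrecognised Apache version: %r" % v)
    return tuple(int(p) for p in parts)

def applicable_advisories(version):
    """CAN ids from the column that apply to an Apache 2.0.x version string."""
    v, found = parse_version(version), []
    if v[:2] == (2, 0):
        if v <= (2, 0, 50):                  # .htaccess buffer overrun, local only
            found.append("CAN-2004-0747")
        if (2, 0, 35) <= v <= (2, 0, 50):    # apr-util IPv6 URI parsing, DoS or worse
            found.append("CAN-2004-0786")
        if v == (2, 0, 51):                  # Satisfy merging regression, 2.0.51 only
            found.append("CAN-2004-0811")
    return found                             # empty for 2.0.52, the fixed release

def protected_directories(conf_text):
    # <Directory> blocks that carry auth directives, paired with the Satisfy mode
    # they declare (None when inherited): the paths to re-test for a 401 after upgrading.
    result = []
    for m in re.finditer(r'<Directory\s+"?([^">]+)"?>(.*?)</Directory>', conf_text, re.S):
        path, body = m.group(1), m.group(2)
        if re.search(r'^\s*(AuthType|Require)\b', body, re.M):
            sat = re.search(r'^\s*Satisfy\s+(\w+)', body, re.M | re.I)
            result.append((path, sat.group(1).lower() if sat else None))
    return result

# Constructed httpd.conf fragment for the demo, not taken from any real server.
SAMPLE_CONF = """
<Directory "/var/www/private">
    AuthType Basic
    AuthUserFile /etc/httpd/passwd
    Require valid-user
    Satisfy Any
    Allow from 10.0.0.0/8
</Directory>
<Directory "/var/www/reports">
    AuthType Basic
    Require user auditor
</Directory>
"""

if __name__ == "__main__":
    print({v: applicable_advisories(v) for v in ("2.0.49", "2.0.51", "2.0.52")})
    print("re-test for 401 after upgrade:", protected_directories(SAMPLE_CONF))
```

Run it against the real httpd.conf and the output of `httpd -v` on each server, then request each listed path without credentials and confirm the server still answers 401.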
Final word
It’s interesting that this recent series of Apache threats
included two relatively low-level vulnerabilities, both so widespread that they
caused a number of managers to upgrade to the then latest Apache version
2.0.51, which turned out to have a considerably more dangerous vulnerability,
causing another round of patches or updates.
I’m not specifically picking on Apache because the same
thing happens all the time with Microsoft updates that must be quickly patched,
but it should remind open source adopters that they are vulnerable to the same
sort of patch, update, and patch again problem that famously plagues Microsoft software.
Also watch for…
- There are three recently reported vulnerabilities found on most versions of RealPlayer and Helix Player, the popular multimedia content utilities. The threat can allow remote attackers to access, modify, and delete local files on vulnerable systems. The list of affected versions is extensive and includes the Enterprise edition, so any users or managers responsible for systems with RealPlayer installed should check out the vendor report and update where necessary.
- There is a new threat mitigation guide for managers upgrading systems to Windows Server 2003 who must continue to support some NT and Windows 98 systems connected to the network.
- Ever wish you could easily obtain new Microsoft programs to test for possible compatibility or other problems? Take a look at the Microsoft Trial Software Center, which lets you download or order copies of demo versions of lots of Microsoft software. Server trial versions are good for 120 days or longer, and you can upgrade a trial installation to a licensed version. For those who prefer not to download gigantic files, the cost on CD ($8 for most discs) is quite modest. (Sorry, the trial of Age of Empires II is only available as a download.)
- The Beagle/Bagle worm is rearing its ugly little head again, and TechRepublic has a newly available chart to download to help you deal with it.
- A number of mergers have recently taken place in the security vendor industry, narrowing your choice of products. TruSecure and Betrusted, for example, are now Cybertrust, a merged company. Symantec has purchased @Stake. For an independent look at recent security news you can continue to rely on this column as well as our new site for breaking security news, www.virusthreatcenter.com.