I report on a lot of software vulnerabilities here, and I try to weed out the unimportant ones. But there’s no real way to know in advance which ones will be exploited and which ones cybervandals will essentially ignore. Some critical vulnerabilities never become a big danger, even when administrators fail to patch them. This makes it difficult to defend the expense of constantly updating and maintaining system patches and probably leads to a lot of the complacency we see in information security.
Of course, other vulnerabilities become major attack vectors for hackers. This has been the case recently with a slew of Apache Web server vulnerabilities.
ESecurityplanet.com has reported that the Apache software, which is used by about 60 percent of Web servers, is being actively attacked on the Internet. The Apache HTTP Server Project warns of open holes in many installed versions of Apache and urgently recommends that admins upgrade to version 1.3.27 or 2.0.43 or later, which were still the latest versions available as of mid-November.
An Internetnews.com report published on Oct. 4, 2002, said that version 1.3.27 patched three key vulnerabilities. One hole is found in all versions of Apache prior to 1.3.27 on “platforms using System V shared memory based scoreboards.” That vulnerability can cause a denial of service event. Another flaw relates to cross-site scripting in the default 404 page, while the third vulnerability that’s repaired in this 1.3.27 bug-fix release was a buffer overflow threat.
Although the latest release was produced mainly to patch these three vulnerabilities, systems still running version 1.2 will, according to the Apache Foundation, also find expanded platform support and improved performance if they upgrade to the latest 1.3 version. For a quick summary of some other details regarding the new release, see the Internetnews.com report.
The latest Apache Foundation warning posted on BugTraq cautions that the mod_ssl slapper worm is still being used successfully to attack Apache servers. This is an OpenSSL source problem and doesn’t require an Apache upgrade but requires an OpenSSL library update. Thus, those running an SSL-enabled server should upgrade to version 0.9.6e or later of OpenSSL and recompile.
Vulnerabilities that are being exploited because of a failure to upgrade Apache itself include the 404 page cross-site scripting bug, which manages wildcard DNS lookups; buffer overflows in the ApacheBench (ab) utility; and htpasswd and htdigest vulnerabilities.
The vulnerabilities affect Apache HTTP Server versions prior to 1.3.27 or version 2 prior to 2.0.43.
These vulnerabilities are actually being exploited right now—this isn’t just a theoretical possibility—so that makes it especially important that the flaws are fixed.
Update Apache and OpenSSL. Apache has posted the upgrade here.
This is just the latest in a series of threats to vital Internet infrastructure elements, following on the recent partially successful attempt to bring down the DNS root servers on the Internet. As security professionals, we sometimes turn a blind eye to problems that affect only home users or companies that fail to fix their own vulnerable software. But there is rising concern that terrorists may begin to launch systematic attacks on the Internet because of its importance to the world economy. We need to be especially vigilant in updating systems such as Apache that make up a piece of the Internet—both to keep those systems from being attacked and from being used to attack others.