__________________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
___ __ __ _ ___
/ | /_\ /
\___ __|__ / \ \___
__________________________________________________________
INFORMATION BULLETIN
Apache Buffer Overflow Vulnerability
[Debian DSA-525-1]
June 28, 2004 17:00 GMT Number O-169
[REVISED 29 Jun 2004]
[REVISED 7 Jul 2004]
[REVISED 12 Jul 2004]
[REVISED 4 Aug 2004]
[REVISED 6 Aug 2004]
[REVISED 25 Aug 2004]
[REVISED 23 Sep 2004]
[REVISED 13 Oct 2004]
[REVISED 06 Dec 2004]
[REVISED 16 Aug 2005]
______________________________________________________________________________
PROBLEM: A heap-based buffer overflow vulnerability in the proxy_util.c
for Apache's mod_proxy module and a denial of service
vulnerability have been reported.
PLATFORM: Debian GNU/Linux 3.0 (woody)
Apache Server 2.0.47, 2.0.48 and 2.0.49
Apache Server 2.0.50
Red Hat Desktop (v.3)
Red Hat Enterprise Linux AS (v.3)
Red Hat Enterprise Linux ES (v.3)
Red Hat Enterprise Linux WS (v.3)
HP-UX B.11.04
HP-UX B.11.00, B.11.11, B.11.22, B.11.23 running the
hpuxwsAPACHE HP-UX Web Server.
SGI ProPack 3 for the SGI Altix family of systems
Sun Solaris 8 and 9, on SPARC and x86 platforms
Mac OS X v10.2.x and v10.3.x
Mac OS X Servers v10.2.x and v10.3.x
DAMAGE: A remote user could possibly execute arbitrary code or cause a
denial-of-service attack.
SOLUTION: Apply appropriate product updates.
______________________________________________________________________________
VULNERABILITY The risk is LOW. A remote user could execute arbitrary code
ASSESSMENT: with the privileges of an Apache httpd child process (by
default, user www-data). Local user account www-data does not
have root access.
______________________________________________________________________________
LINKS:
CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/o-169.shtml
ORIGINAL BULLETIN: http://www.debian.org/security/2004/dsa-525
ADDITIONAL LINKS: Debian DSA-525:
http://www.debian.org/security/2004/dsa-525
Apache - (see "Important Security Patch for 2.0" section)
http://httpd.apache.org/">http://httpd.apache.org/
Security Tracker:
http://securitytracker.com/alerts/2004/Jun/1010599.html
Apache HTTP Server 2.0.50
http://www.apache.org/dist/httpd/Announcement2.html
Red Hat Security Advisory RHSA-2004:342-10
https://rhn.redhat.com/errata/RHSA-2004-342.html
Visit HEWLETT PACKARD Subscription Service for:
HPSBUX01057 / SSRT4776 rev. 0
HPSBUX01064 / SSRT4777 rev. 0
SGI Advanced Linux Environment 3, Number 20040701-01-U
ftp://patches.sgi.com/support/free/security/advisories/
20040701-01-U.asc
Sun Alert ID: 57628 (superceded by 101555)
http://www.sunsolve.sun.com/search/printfriendly.do?
assetkey=1-26-101555-1
Apple Security Update 2004-12-02 (Also on CIAC P-049)
http://docs.info.apple.com/article.html?artnum=61798
CVE/CAN: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
CAN-2004-0492
CAN-2004-0493
______________________________________________________________________________
Revision History:
06/29/2004 - Added links to Apache and Security Tracker advisories. Updated
PLATFORM section. Added link for CAN-2004-493. Added Apache
write-up below.
07/07/2004 - Added a link to Red Hat Security Advisory RHSA-2004:342-10,
providing Red Hat Desktop and Enterprise Linux AS, ES, WS (v.3)
updated packages for this vulnerability. Also added a link to
Apache HTTP Server 2.0.50.
07/12/2004 - Added reference to HP Security Bulletin HPSBUX01057 Rev 0,
SSRT4776 rev.0 that provides patches for HP-UX B.11.04.
08/04/2004 - Added link to SGI Advanced Linux Environment 3 Security Update #6,
Number 20040701-01-U that provides Patch 10088 for SGI ProPack 3.
08/06/2004 - Added link: Hewlett Packard has released patches for their HP-UX
Web Server software on their advisory HPSBUX01064 /
SSRT4777 rev. 0.
08/25/2004 - Added link to Sun Alert ID: 57628 that provides patches for this
vulnerability.
09/23/2004 - sent announcement that Sun Microsystems has released T-patches for
Solaris 8. See their Sun Alert ID: 57628.
10/13/2004 - sent announcement that Sun Microsystems has released final patches for
Solaris 8. See their Sun Alert ID: 57628.
12/06/2004 - Added other Apple products to Platforms. Added link to
Apple's Security Update 2004-12-02. This information also on our
CIAC Bulletin P-049.
08/16/2005 - Sun Microsystems has superceded Alert ID: 57628 with Alert ID: 101555
and has updated the Contributing Factors and Relief/Workaround sections.
[***** Start Apache Information *****]
Important Security Patch for 2.0
Vulnerability CAN-2004-0493 has been announced by its discoverer, before
2.0.50 could be released. It is a remote exploit which allows an attacker
to cause the server to allocate increasing amounts of memory until system
memory is exhausted or until process limits are reached, depending on the
platform and configuration.
This problem will be resolved in 2.0.50. To resolve this problem with
2.0.47, 2.0.48 or 2.0.49, apply the patch at
http://www.apache.org/dist/httpd/patches/apply_to_2.0.49/CAN-2004-0493.patch.
The patch has not been tested with earlier releases.
[***** End Apache information *****]
---------------------------------------------------------------------
[***** Start Debian DSA-525-1 *****]
Debian Security Advisory
DSA-525-1 apache -- buffer overflow
Date Reported:
24 Jun 2004
Affected Packages:
apache
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CAN-2004-0492.
More information:
Georgi Guninski discovered a buffer overflow bug in Apache's mod_proxy module,
whereby a remote user could potentially cause arbitrary code to be executed
with the privileges of an Apache httpd child process (by default, user
www-data). Note that this bug is only exploitable if the mod_proxy module
is in use.
Note that this bug exists in a module in the apache-common package, shared
by apache, apache-ssl and apache-perl, so this update is sufficient to
correct the bug for all three builds of Apache httpd. However, on systems
using apache-ssl or apache-perl, httpd will not automatically be restarted.
For the current stable distribution (woody), this problem has been fixed in
version 1.3.26-0woody5.
For the unstable distribution (sid), this problem has been fixed in version
1.3.31-2.
We recommend that you update your apache package.
Fixed in:
Debian GNU/Linux 3.0 (woody)
Source:
http://security.debian.org/pool/updates/main/a/apache/
apache_1.3.26-0woody5.dsc
http://security.debian.org/pool/updates/main/a/apache/
apache_1.3.26-0woody5.diff.gz
http://security.debian.org/pool/updates/main/a/apache/
apache_1.3.26.orig.tar.gz
Architecture-independent component:
http://security.debian.org/pool/updates/main/a/apache/
apache-doc_1.3.26-0woody5_all.deb
Alpha:
http://security.debian.org/pool/updates/main/a/apache/
apache_1.3.26-0woody5_alpha.deb
http://security.debian.org/pool/updates/main/a/apache/
apache-common_1.3.26-0woody5_alpha.deb
http://security.debian.org/pool/updates/main/a/apache/
apache-dev_1.3.26-0woody5_alpha.deb
ARM:
http://security.debian.org/pool/updates/main/a/apache/
apache_1.3.26-0woody5_arm.deb
http://security.debian.org/pool/updates/main/a/apache/
apache-common_1.3.26-0woody5_arm.deb
http://security.debian.org/pool/updates/main/a/apache/
apache-dev_1.3.26-0woody5_arm.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/a/apache/
apache_1.3.26-0woody5_i386.deb
http://security.debian.org/pool/updates/main/a/apache/
apache-common_1.3.26-0woody5_i386.deb
http://security.debian.org/pool/updates/main/a/apache/
apache-dev_1.3.26-0woody5_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/a/apache/
apache_1.3.26-0woody5_ia64.deb
http://security.debian.org/pool/updates/main/a/apache/
apache-common_1.3.26-0woody5_ia64.deb
http://security.debian.org/pool/updates/main/a/apache/
apache-dev_1.3.26-0woody5_ia64.deb
HPPA:
http://security.debian.org/pool/updates/main/a/apache/
apache_1.3.26-0woody5_hppa.deb
http://security.debian.org/pool/updates/main/a/apache/
apache-common_1.3.26-0woody5_hppa.deb
http://security.debian.org/pool/updates/main/a/apache/
apache-dev_1.3.26-0woody5_hppa.deb
Motorola 680x0:
http://security.debian.org/pool/updates/main/a/apache/
apache_1.3.26-0woody5_m68k.deb
http://security.debian.org/pool/updates/main/a/apache/
apache-common_1.3.26-0woody5_m68k.deb
http://security.debian.org/pool/updates/main/a/apache/
apache-dev_1.3.26-0woody5_m68k.deb
Big endian MIPS:
http://security.debian.org/pool/updates/main/a/apache/
apache_1.3.26-0woody5_mips.deb
http://security.debian.org/pool/updates/main/a/apache/
apache-common_1.3.26-0woody5_mips.deb
http://security.debian.org/pool/updates/main/a/apache/
apache-dev_1.3.26-0woody5_mips.deb
Little endian MIPS:
http://security.debian.org/pool/updates/main/a/apache/
apache_1.3.26-0woody5_mipsel.deb
http://security.debian.org/pool/updates/main/a/apache/
apache-common_1.3.26-0woody5_mipsel.deb
http://security.debian.org/pool/updates/main/a/apache/
apache-dev_1.3.26-0woody5_mipsel.deb
PowerPC:
http://security.debian.org/pool/updates/main/a/apache/
apache_1.3.26-0woody5_powerpc.deb
http://security.debian.org/pool/updates/main/a/apache/
apache-common_1.3.26-0woody5_powerpc.deb
http://security.debian.org/pool/updates/main/a/apache/
apache-dev_1.3.26-0woody5_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/a/apache/
apache_1.3.26-0woody5_s390.deb
http://security.debian.org/pool/updates/main/a/apache/
apache-common_1.3.26-0woody5_s390.deb
http://security.debian.org/pool/updates/main/a/apache/
apache-dev_1.3.26-0woody5_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/a/apache/
apache_1.3.26-0woody5_sparc.deb
http://security.debian.org/pool/updates/main/a/apache/
apache-common_1.3.26-0woody5_sparc.deb
http://security.debian.org/pool/updates/main/a/apache/
apache-dev_1.3.26-0woody5_sparc.deb
MD5 checksums of the listed files are available in the original advisory.
----------------------------------------------------------------------------
This page is also available in the following languages:
dansk
How to set the default document language
----------------------------------------------------------------------------
To report a problem with the web site, e-mail debian-www@lists.debian.org.
For other contact information, see the Debian contact page.
Last Modified: Mon, Jun 28 13:46:19 UTC 2004
Copyright © 2004 SPI; See license terms
Debian is a registered trademark of Software in the Public Interest, Inc.
[***** End Debian DSA-525-1 *****]
_______________________________________________________________________________
CIAC wishes to acknowledge the contributions of Debian and Apache for the
information contained in this bulletin.
_______________________________________________________________________________
CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 925-422-8193 (7x24)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@ciac.org
Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
World Wide Web: http://www.ciac.org/
Anonymous FTP: ftp.ciac.org
PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
O-159: NETGEAR WG602 Wireless Access Point Default Backdoor Account Vulnerability
O-160: Microsoft Windows 2000 Advanced Server Security Bypass
O-161: RealPlayer Security Vulnerabilities
O-162: Red Hat Updated Tripwire Packages Fix Security Flaw
O-163: Cisco IOS Malformed BGP Packet Causes Reload
O-164: Red Hat Updated Kernel Packages Fix Security Vulnerabilities
O-165: Red Hat Updated libpng Packages Fix Security Issue
O-166: Sun StorEdge Enterprise Storage Manager (ESM) 2.1 Vulnerability
O-167: SGI - System Call SGI_IOPROBE Vulnerability
O-168: Squid - NTLM Authentication Buffer Overflow Vulnerability