860056 - Critical security Vulnerability In Webserver

Status: RESOLVED INVALID

(Security Assurance :: General, task)

Description

[Tushar Kumbhare]

Site - https://lists.mozilla.org
 
Vulnerability - Multiple Vulnerabilities.

Current version found -  Apache/2.2.15 (Red Hat) Server at lists.mozilla.org Port 443

Version can be found here - https://lists.mozilla.org/ORxvcglX41
 
Vulnerability 1)  envvars (aka envvars-std) in the Apache HTTP Server before 2.4.2
places a zero-length directory name in the LD_LIBRARY_PATH, which
allows local users to gain privileges via a Trojan horse DSO in the
current working directory during execution of apachectl.

Risk level - High

Imapcts -

Confidentiality Impact - Complete (There is total information
disclosure, resulting in all system files being revealed.)

Integrity Impact - Complete (There is a total compromise of system
integrity. There is a complete loss of system protection, resulting in
the entire system being compromised.)

Availability Impact - Complete (There is a total shutdown of the
affected resource. The attacker can render the resource completely
unavailable.)

Reference - http://www.cvedetails.com/cve/CVE-2012-0883/


Vulnerability 2) scoreboard.c in the Apache HTTP Server 2.2.21 and earlier might
allow local users to cause a denial of service (daemon crash during
shutdown) or possibly have unspecified other impact by modifying a
certain type field within a scoreboard shared memory segment, leading
to an invalid call to the free function.

Risk level - High

Impact -

Confidentiality Impact - Partial (There is considerable informational
disclosure.)

Integrity Impact - Partial (Modification of some system files or
information is possible, but the attacker does not have control over
what can be modified, or the scope of what the attacker can affect is
limited.)

Availability Impact -Partial (There is reduced performance or
interruptions in resource availability.)

Refrence - http://www.cvedetails.com/cve/CVE-2012-0031/


Vulnerability 3) The byterange filter in the Apache HTTP Server 1.3.x, 2.0.x through
2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a
denial of service (memory and CPU consumption) via a Range header that
expresses multiple overlapping ranges, as exploited in the wild in
August 2011, a different vulnerability than CVE-2007-0086.

Risk level - Critically high.

Availability Impact - Complete (There is a total shutdown of the
affected resource. The attacker can render the resource completely
unavailable.)

(1 public exploit)      (1 Metasploit modules) available.

Reference - http://www.cvedetails.com/cve/CVE-2011-3192/


Vulnerability 4) Vulnerability description

A denial of service vulnerability has been found in the way the
multiple overlapping ranges are handled by the Apache HTTPD server:

http://seclists.org/fulldisclosure/2011/Aug/175


An attack tool is circulating in the wild. Active use of this tools
has been observed. The attack can be done remotely and with a modest
number of requests can cause very significant memory and CPU usage on
the server.

Affected Apache versions (1.3.x, 2.0.x through 2.0.64, and 2.2.x
through 2.2.19).

Reference - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192


The list of vulnerabilities and their impact can be found here :

http://www.apache.org/dist/httpd/Announcement2.2.html


http://www.cvedetails.com/vulnerability-list.php?vendor_id=45&product_id=66&version_id=109442&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=0&month=0&cweid=0&order=1&trc=4&sha=27943c1f76fcf9691f0ce75b0eaba93357425f76


working exploit can be found here :

http://www.exploit-db.com/exploits/17696/


These vulnerabilities affects webserver:

Total Compromisation of all the users data Confidentiality, Integrity
and  Availability.

How to fix this vulnerability

Upgrade to the latest version of Apache HTTP Server (2.2.20 or later),
available from the Apache HTTP Server Project Web site.

Must be patched soon

Comment 1

[Michael Henry [:tinfoil]]

Thank you for your report!

Is your assessment based strictly on version number, or have you successfully exploited a vulnerability?

I'm asking because the server is running RedHat.  RedHat is well known for backpatching security fixes into older versions of software.  In other words, finding vulnerabilities by CVE and version numbers with RedHat is an exercise in futility.

I've checked the server and it's currently running the lastest patches available from RedHat, which includs fixes for:

CVE-(2012-0883|2012-0031|2007-0086|2011-3192)

If your finding is not based on version number alone, let me know.  Otherwise I'll close this bug as resolved-invalid.