Feeds

Apache admins screwed by premature vuln report

Anti-open source?

  • alert
  • submit to reddit

Choosing a cloud hosting partner with confidence

There's a controversy brewing over the announcement of a new Apache vulnerability similar to the chunked encoding flaws in Microsoft IIS, which we reported here and here.

On Monday, Internet Security Systems (ISS) posted their discovery to the BugTraq mailing list, without knowing the full extent of the flaw, and without giving Apache.org time to investigate and develop a patch or even propose a workaround. To sugar the pill ISS had developed its own patch, which Apache later said doesn't address all the issues. Another point in the ISS advisory which Apache disputes is a claim that only installations on Windows are vulnerable.

As it happens, Mark Litchfield of Next Generation Security Software (NGSS) had made the same discovery, but contacted Apache.org and CERT/CC, so Apache did have an advisory in the works, which ISS' premature discharge compelled them to release.

There was a posting at Slashdot suggesting that ISS was using the premature advisory as a publicity stunt; and while there's undoubtedly a lot to that, we have to wonder if there isn't something even creepier behind it. Here we see ISS publishing a vulnerability and a lame patch without so much as consulting the developer of an open-source product, but we've never seen them try to pull a stunt like that with Microsoft, say.

According to ISS, they discovered the flaw during an audit of the Apache source code. Of course with Microsoft or Sun or Oracle they'd have to play nice to get at bits of material like that. Was there some calculation that publishing a gaping hole in a very popular piece of software without warning or an adequate patch could discredit the open-source community's mechanism for handling vulnerabilities and create the perception that Apache users had better sign up for a raft of ISS services because open-source developers can't take retaliatory steps to discourage the irresponsible release of vulnerability data?

According to Mark Litchfield's brother David, Apache.org's decision to coordinate with the vendors was the right call because, "most people who use the Win32 Apache version do not have a compiler and so can't take steps to protect themselves. They're mostly relying on their Apache 'supplier' to produce a patch."

And indeed, the ISS patch is geared towards Win32 and does require the user to build the binaries. Whether Litchfield's assumption that most users are going to be stumped is correct or not, the point is a fair one which makes the ISS 'solution' appear disingenuous.

The flaw affects Apache 1.3 to and including 1.3.24, and Apache 2 to and including 2.0.36-dev, though in different ways. In the best case it can lead to a denial of service; in the worst, to remote exploitation.

"In Apache 1.3 the issue causes a stack overflow. Due to the nature of the overflow on 32-bit Unix platforms this will cause a segmentation violation and the child will terminate. However on 64-bit platforms the overflow can be controlled and so for platforms that store return addresses on the stack it is likely that it is further exploitable. This could allow arbitrary code to be run on the server as the user the Apache children are set to run as," Apache says.

In a response also posted to BugTraq, ISS insists that, "this issue is no more exploitable or unexploitable on a 32-bit platform than on a 64-bit platform. Due to the signed comparison, the minimum size passed to the memcpy() function is 0x80000000 or about 2gb. Unless Apache has over 2gb of contiguous stack memory located after the target buffer in memory, a segmentation fault will be caused. If you understand how the stack is used, you will understand that this is an impossibility."

But this too is wrong, according to Apache.org's Mark Cox. "They missed a long to int conversion that happens later in the code. This is one of the reasons that they should have talked to us before relasing their advisory; we could have told them that their patch was insufficient and helped them understand the problem better -- that way users of Apache don't have to follow a silly flame war on BugTraq and can get down to what matters most; making sure they protect their servers," Cox told us.

In any case the wind-up is simple: a malformed request can crash or even lead to the exploitation of your Apache server depending on the version, and there is not yet a comprehensive fix. ®

Related Links

ISS original advisory
Apache reply
ISS rebuttal

Secure remote control for conventional and virtual desktops

More from The Register

next story
Netscape Navigator - the browser that started it all - turns 20
It was 20 years ago today, Marc Andreeesen taught the band to play
UNIX greybeards threaten Debian fork over systemd plan
'Veteran Unix Admins' fear desktop emphasis is betraying open source
Sign off my IT project or I’ll PHONE your MUM
Honestly, it’s a piece of piss
Return of the Jedi – Apache reclaims web server crown
.london, .hamburg and .公司 - that's .com in Chinese - storm the web server charts
Chrome 38's new HTML tag support makes fatties FIT and SKINNIER
First browser to protect networks' bandwith using official spec
Admins! Never mind POODLE, there're NEW OpenSSL bugs to splat
Four new patches for open-source crypto libraries
Torvalds CONFESSES: 'I'm pretty good at alienating devs'
Admits to 'a metric ****load' of mistakes during work with Linux collaborators
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.