Feeds

Apache admins screwed by premature vuln report

Anti-open source?

  • alert
  • submit to reddit

Choosing a cloud hosting partner with confidence

There's a controversy brewing over the announcement of a new Apache vulnerability similar to the chunked encoding flaws in Microsoft IIS, which we reported here and here.

On Monday, Internet Security Systems (ISS) posted their discovery to the BugTraq mailing list, without knowing the full extent of the flaw, and without giving Apache.org time to investigate and develop a patch or even propose a workaround. To sugar the pill ISS had developed its own patch, which Apache later said doesn't address all the issues. Another point in the ISS advisory which Apache disputes is a claim that only installations on Windows are vulnerable.

As it happens, Mark Litchfield of Next Generation Security Software (NGSS) had made the same discovery, but contacted Apache.org and CERT/CC, so Apache did have an advisory in the works, which ISS' premature discharge compelled them to release.

There was a posting at Slashdot suggesting that ISS was using the premature advisory as a publicity stunt; and while there's undoubtedly a lot to that, we have to wonder if there isn't something even creepier behind it. Here we see ISS publishing a vulnerability and a lame patch without so much as consulting the developer of an open-source product, but we've never seen them try to pull a stunt like that with Microsoft, say.

According to ISS, they discovered the flaw during an audit of the Apache source code. Of course with Microsoft or Sun or Oracle they'd have to play nice to get at bits of material like that. Was there some calculation that publishing a gaping hole in a very popular piece of software without warning or an adequate patch could discredit the open-source community's mechanism for handling vulnerabilities and create the perception that Apache users had better sign up for a raft of ISS services because open-source developers can't take retaliatory steps to discourage the irresponsible release of vulnerability data?

According to Mark Litchfield's brother David, Apache.org's decision to coordinate with the vendors was the right call because, "most people who use the Win32 Apache version do not have a compiler and so can't take steps to protect themselves. They're mostly relying on their Apache 'supplier' to produce a patch."

And indeed, the ISS patch is geared towards Win32 and does require the user to build the binaries. Whether Litchfield's assumption that most users are going to be stumped is correct or not, the point is a fair one which makes the ISS 'solution' appear disingenuous.

The flaw affects Apache 1.3 to and including 1.3.24, and Apache 2 to and including 2.0.36-dev, though in different ways. In the best case it can lead to a denial of service; in the worst, to remote exploitation.

"In Apache 1.3 the issue causes a stack overflow. Due to the nature of the overflow on 32-bit Unix platforms this will cause a segmentation violation and the child will terminate. However on 64-bit platforms the overflow can be controlled and so for platforms that store return addresses on the stack it is likely that it is further exploitable. This could allow arbitrary code to be run on the server as the user the Apache children are set to run as," Apache says.

In a response also posted to BugTraq, ISS insists that, "this issue is no more exploitable or unexploitable on a 32-bit platform than on a 64-bit platform. Due to the signed comparison, the minimum size passed to the memcpy() function is 0x80000000 or about 2gb. Unless Apache has over 2gb of contiguous stack memory located after the target buffer in memory, a segmentation fault will be caused. If you understand how the stack is used, you will understand that this is an impossibility."

But this too is wrong, according to Apache.org's Mark Cox. "They missed a long to int conversion that happens later in the code. This is one of the reasons that they should have talked to us before relasing their advisory; we could have told them that their patch was insufficient and helped them understand the problem better -- that way users of Apache don't have to follow a silly flame war on BugTraq and can get down to what matters most; making sure they protect their servers," Cox told us.

In any case the wind-up is simple: a malformed request can crash or even lead to the exploitation of your Apache server depending on the version, and there is not yet a comprehensive fix. ®

Related Links

ISS original advisory
Apache reply
ISS rebuttal

Top 5 reasons to deploy VMware with Tegile

More from The Register

next story
PEAK APPLE: iOS 8 is least popular Cupertino mobile OS in all of HUMAN HISTORY
'Nerd release' finally staggers past 50 per cent adoption
Microsoft to bake Skype into IE, without plugins
Redmond thinks the Object Real-Time Communications API for WebRTC is ready to roll
Microsoft promises Windows 10 will mean two-factor auth for all
Sneak peek at security features Redmond's baking into new OS
Mozilla: Spidermonkey ATE Apple's JavaScriptCore, THRASHED Google V8
Moz man claims the win on rivals' own benchmarks
Yes, Virginia, there IS a W3C HTML5 standard – as of now, that is
You asked for it! You begged for it! Then you gave up! And now it's HERE!
FTDI yanks chip-bricking driver from Windows Update, vows to fight on
Next driver to battle fake chips with 'non-invasive' methods
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
Ubuntu 14.10 tries pulling a Steve Ballmer on cloudy offerings
Oi, Windows, centOS and openSUSE – behave, we're all friends here
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
Simplify SSL certificate management across the enterprise
Simple steps to take control of SSL across the enterprise, and recommendations for a management platform for full visibility and single-point of control for these Certificates.