Feeds

Apache admins screwed by premature vuln report

Anti-open source?

  • alert
  • submit to reddit

Designing a Defense for Mobile Applications

There's a controversy brewing over the announcement of a new Apache vulnerability similar to the chunked encoding flaws in Microsoft IIS, which we reported here and here.

On Monday, Internet Security Systems (ISS) posted their discovery to the BugTraq mailing list, without knowing the full extent of the flaw, and without giving Apache.org time to investigate and develop a patch or even propose a workaround. To sugar the pill ISS had developed its own patch, which Apache later said doesn't address all the issues. Another point in the ISS advisory which Apache disputes is a claim that only installations on Windows are vulnerable.

As it happens, Mark Litchfield of Next Generation Security Software (NGSS) had made the same discovery, but contacted Apache.org and CERT/CC, so Apache did have an advisory in the works, which ISS' premature discharge compelled them to release.

There was a posting at Slashdot suggesting that ISS was using the premature advisory as a publicity stunt; and while there's undoubtedly a lot to that, we have to wonder if there isn't something even creepier behind it. Here we see ISS publishing a vulnerability and a lame patch without so much as consulting the developer of an open-source product, but we've never seen them try to pull a stunt like that with Microsoft, say.

According to ISS, they discovered the flaw during an audit of the Apache source code. Of course with Microsoft or Sun or Oracle they'd have to play nice to get at bits of material like that. Was there some calculation that publishing a gaping hole in a very popular piece of software without warning or an adequate patch could discredit the open-source community's mechanism for handling vulnerabilities and create the perception that Apache users had better sign up for a raft of ISS services because open-source developers can't take retaliatory steps to discourage the irresponsible release of vulnerability data?

According to Mark Litchfield's brother David, Apache.org's decision to coordinate with the vendors was the right call because, "most people who use the Win32 Apache version do not have a compiler and so can't take steps to protect themselves. They're mostly relying on their Apache 'supplier' to produce a patch."

And indeed, the ISS patch is geared towards Win32 and does require the user to build the binaries. Whether Litchfield's assumption that most users are going to be stumped is correct or not, the point is a fair one which makes the ISS 'solution' appear disingenuous.

The flaw affects Apache 1.3 to and including 1.3.24, and Apache 2 to and including 2.0.36-dev, though in different ways. In the best case it can lead to a denial of service; in the worst, to remote exploitation.

"In Apache 1.3 the issue causes a stack overflow. Due to the nature of the overflow on 32-bit Unix platforms this will cause a segmentation violation and the child will terminate. However on 64-bit platforms the overflow can be controlled and so for platforms that store return addresses on the stack it is likely that it is further exploitable. This could allow arbitrary code to be run on the server as the user the Apache children are set to run as," Apache says.

In a response also posted to BugTraq, ISS insists that, "this issue is no more exploitable or unexploitable on a 32-bit platform than on a 64-bit platform. Due to the signed comparison, the minimum size passed to the memcpy() function is 0x80000000 or about 2gb. Unless Apache has over 2gb of contiguous stack memory located after the target buffer in memory, a segmentation fault will be caused. If you understand how the stack is used, you will understand that this is an impossibility."

But this too is wrong, according to Apache.org's Mark Cox. "They missed a long to int conversion that happens later in the code. This is one of the reasons that they should have talked to us before relasing their advisory; we could have told them that their patch was insufficient and helped them understand the problem better -- that way users of Apache don't have to follow a silly flame war on BugTraq and can get down to what matters most; making sure they protect their servers," Cox told us.

In any case the wind-up is simple: a malformed request can crash or even lead to the exploitation of your Apache server depending on the version, and there is not yet a comprehensive fix. ®

Related Links

ISS original advisory
Apache reply
ISS rebuttal

Boost IT visibility and business value

More from The Register

next story
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Do YOU work at Microsoft? Um. Are you SURE about that?
Nokia and marketing types first to get the bullet, says report
Microsoft takes on Chromebook with low-cost Windows laptops
Redmond's chief salesman: We're taking 'hard' decisions
Cheer up, Nokia fans. It can start making mobes again in 18 months
The real winner of the Nokia sale is *drumroll* ... Nokia
EU dons gloves, pokes Google's deals with Android mobe makers
El Reg cops a squint at investigatory letters
Chrome browser has been DRAINING PC batteries for YEARS
Google is only now fixing ancient, energy-sapping bug
Big Blue Apple: IBM to sell iPads, iPhones to enterprises
iOS/2 gear loaded with apps for big biz ... uh oh BlackBerry
prev story

Whitepapers

Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.