LinuxMuse.com

Attacking Open Source
By: bilbrey on 2002-06-27 18:12:14
Section 1 - Security is the object


When it comes right down to it, in both the Apache and OpenSSH cases, the vulnerabilities were patched in a very short period of time. But I have a number of questions about what's been going on. But first, let's look at the Apache problem. This link leads to the initial advisory, from the ISS site. It was issued widely across the net, including a posting to BugTraq. Here's the synopsis:

ISS X-Force has discovered a serious vulnerability in the default version of Apache HTTP Server. Apache is the most popular Web server and is used on over half of all Web servers on the Internet. It may be possible for remote attackers to exploit this vulnerability to compromise Apache Web servers. Successful exploitation may lead to modified Web content, denial of service, or further compromise.

One small problem, or maybe more... First, the Apache Foundation developers had already found the problem while exploring another issue, and were working on it. ISS might have learned this had they bothered to have a dialog with the Apache people prior to their "Full Disclosure". One other little problem with their advisory is that they [ISS] also developed and released a source patch for Apache, independently of and without the advice or testing of the Apache developers. That patch did not adequately address the problem, nor was it appropriate for them to do that.

The Apache Foundation then quickly addressed the issue themselves in this release, including this introduction:

While testing for Oracle vulnerabilities, Mark Litchfield discovered a denial of service attack for Apache on Windows. Investigation by the Apache Software Foundation showed that this issue has a wider scope, which on some platforms results in a denial of service vulnerability, while on some other platforms presents a potential remote exploit vulnerability.

We were also notified today by ISS that they had published the same issue which has forced the early release of this advisory.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-0392 to this issue.

And the fur began to fly. ISS backpedalled a bit, but remained aggressive, while the Apache people continued to hack away at a real solution. Within 24 hours, patched versions in both the 1.X and 2.X trees were available for vendors to use in releasing security-updated packages to their distribution customer base. Gentoo and Debian were out the same day. I'll assume that other distros weren't far behind. Here's the latest announcement on the Apache site:

UPDATE: (supersedes security bulletin 20020617)

This follow-up to our earlier advisory is to warn of known-exploitable conditions related to this vulnerability on both 64-bit platforms and 32-bit platforms alike. Though we previously reported that 32-bit platforms were not remotely exploitable, it has since been proven by Gobbles that certain conditions allowing exploitation do exist.

Successful exploitation of this vulnerability can lead to the execution of arbitrary code on the server with the permissions of the web server child process. This can facilitate the further exploitation of vulnerabilities unrelated to Apache on the local system, potentially allowing the intruder root access.

Note that early patches for this issue released by ISS and others do not address its full scope.

Due to the existence of exploits circulating in the wild for some platforms, the risk is considered high. The Apache Software Foundation has released versions 1.3.26 and 2.0.39 that address and fix this issue, and all users are urged to upgrade immediately. These versions are available for download; see below.

OK. So that was last week. What's going on now?

Linux is a registered trademark of Linus Torvalds. Linux systems contain a large component of GNU Software, see www.gnu.org for details.

All other brand and product names are or may be trademarks of, and are used to identify the products and services of their respective owners.

All other content Copyright (C) 2002 Linux Muse. Powered by MagaMuse v0.3.5, (C) 2002 Greg Lincoln.
