===================================================================== CERT-Renater Note d'Information No. 2006/VULN346 _____________________________________________________________________ DATE : 16/06/2006 HARDWARE PLATFORM(S) : / OPERATING SYSTEM(S) : Solaris 8, Solaris 9, Solaris 10 running Apache 1.3 Web Server. ====================================================================== Sun(sm) Alert Notification * Sun Alert ID: 102197 * Synopsis: Security Vulnerabilities in the Apache 1.3 Web Server * Category: Security * Product: Solaris 9 Operating System, Solaris 10 Operating System, Solaris 8 Operating System * BugIDs: 6204933, 6325738, 6308127 * Avoidance: Workaround, Patch * State: Workaround * Date Released: 01-Mar-2006 * Date Closed: * Date Modified: 07-Mar-2006, 14-Jun-2006 1. Impact A vulnerability in the Apache 1.3 web server bundled with Solaris 8 and 9 may allow a local user who is able to create SSI documents which are served by Apache to execute arbitrary code with the privileges of the Apache 1.3 process. The Apache HTTP process normally runs as the unprivileged user "nobody" (uid 60001). A second vulnerability affects the Apache 1.3 web server bundled with Solaris 10 which may prevent certain configured security features from being applied to specific HTTP transactions when Apache is configured to use SSL. A third vulnerability in the Apache 1.3 web server may allow local or remote unprivileged users to bypass security protections associated with some network transactions, corrupt information stored in a web cache, or perform cross site scripting activities when the Apache web server is configured to run as a proxy. These vulnerabilities are described at the following URLs: The Change Log for Apache 1.3 at http://www.apache.org/dist/httpd/CHANGES_1.3 CAN-2004-0940: "allows local users[...] to execute arbitrary code" http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0940 CAN-2005-2700: "does not properly enforce 'SSLVerifyClient require' " http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2700 CAN-2005-2088: "HTTP Request Smuggling" http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2088 2. Contributing Factors Issue (1) described above (bug 6204933) can occur in the following releases: SPARC Platform * Solaris 8 * Solaris 9 without patch 113146-07 x86 Platform * Solaris 8 * Solaris 9 without patch 114145-06 Issue (2) described above (bug 6325738) can occur in the following releases: SPARC Platform * Solaris 10 x86 Platform * Solaris 10 Issue (3) described above (bug 6308127) can occur in the following releases: SPARC Platform * Solaris 8 * Solaris 9 without patch 113146-07 * Solaris 10 x86 Platform * Solaris 8 * Solaris 9 without patch 114145-06 * Solaris 10 Note 1: A system is only vulnerable to these issues if the Apache 1.3 web server has been configured and is running on the system. The following command can be executed to check if the Apache(1M) httpd daemon is running on the system: $ /usr/bin/ps -ef | grep httpd nobody 103892 102307 0 Jan 20 ? 0:27 /usr/apache/bin/httpd Apache was not bundled with Solaris prior to Solaris 8. However, customers who have built and/or installed a vulnerable version of Apache on any version of Solaris are at risk. See the Apache web site to download the latest version of Apache which addresses these issues. Note 2: The vulnerability CAN-2004-0940 is present in versions of Apache 1.3 prior to 1.3.33. The vulnerability CAN-2005-2088 is present in versions of Apache 1.3 prior to 1.3.34. The vulnerability CAN-2005-2700 is present when Apache 1.3 is configured to use a version of the 'mod_ssl' module prior to 2.8.24. To determine the version of the Apache 1.3 web server installed on a host, the following command can be run: $ /usr/apache/bin/httpd -v Server version: Apache/1.3.33 (Unix) Server built: Jan 22 2006 01:41:39 The version number of the 'mod_ssl' module in use with Apache 1.3 is displayed in the error log when the Apache process starts. For example: $ grep mod_ssl/ /var/apache/logs/error_log [Fri Feb 17 14:50:48 2006] [notice] Apache/1.3.33 (Unix) mod_perl/1.29 mod_ssl/2.8.22 OpenSSL/0.9.7d configured -- resuming normal operations Note 3: If no 'mod_ssl' version information is displayed in the log, then the Apache 1.3 web server is not configured to use SSL and is therefore not affected by issue CAN-2005-2700. Note 4: Apache 2.0 also ships with Solaris 10, which is impacted by some of the issues referenced in this Sun Alert. For details on the impact to Apache 2.0 see Sun Alert 102198. 3. Symptoms There are no predictable symptoms that would indicate that issue (1) and (3) described above have been exploited. If the system is affected by issue (2) described above, some data served by the Apache 1.3 web server may be accessible by clients who are not able to provide the correct credentials. 4. Relief/Workaround Until patches are available and can be applied, sites may consider downloading and compiling Apache 1.3.34 or higher from the Apache site: http://httpd.apache.org and mod_ssl 2.8.24 or higher from the modssl site: http://www.modssl.org/ as an interim workaround. Note however that the downloaded software is not supported by Sun. 5. Resolution This issue is addressed in the following releases: SPARC Platform * Solaris 9 with patch 113146-07 or later x86 Platform * Solaris 9 with patch 114145-06 or later A final resolution is pending completion for Solaris 8 and Solaris 10. Change History 07-Mar-2006: * Updated Contributing Factors 14-Jun-2006: * Updated Contributing Factors and Resolution sections This Sun Alert notification is being provided to you on an "AS IS" basis. This Sun Alert notification may contain information provided by third parties. The issues described in this Sun Alert notification may or may not impact your system(s). Sun makes no representations, warranties, or guarantees as to the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun Alert notification contains Sun proprietary and confidential information. It is being provided to you pursuant to the provisions of your agreement to purchase services from Sun, or, if you do not have such an agreement, the Sun.com Terms of Use. This Sun Alert notification may only be used for the purposes contemplated by these agreements. Copyright 2000-2006 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved ====================================================================== ========================================================= Les serveurs de référence du CERT-Renater http://www.urec.fr/securite http://www.cru.fr/securite http://www.renater.fr ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 151 bd de l'Hopital | fax : 01-53-94-20-41 + + 75013 Paris | email: certsvp@renater.fr + =========================================================