Apache-SSL for Apache Web Server Has Buffer Overflow That Can Be Triggered By Remote Users
SecurityTracker Alert ID: 1003723
SecurityTracker URL: http://securitytracker.com/id/1003723
CVE Reference: GENERIC-MAP-NOMATCH
Date: Mar 3 2002
Impact: Execution of arbitrary code via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): prior to 1.3.22+1.46
Description:
A vulnerability was reported in the Apache-SSL package for the Apache web server. A remote user may be able to overflow a buffer to potentially execute arbitrary code on the web server. [This vulnerability also affects mod_ssl, as was reported in a previous alert.]
It is reported that a remote user may be able to trigger a buffer overflow in the DBM and SHMHT session cache by using very large certificate chains. This is reportedly due to the unbounded nature of ASN.1 representations that could overflow a large but statically allocated buffer.
This vulnerability reportedly only affects configurations that use client-side certificates.
It is not yet clear if remote code execution is feasible.
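The pattern described above, as an added example that is not Apache-SSL's or mod_ssl's code: a variable-length encoding written into a fixed buffer, beside a form that measures the encoding first and declines to cache what does not fit. The `session` struct, `encode_session`, both `cache_store_*` functions and the 1024-byte buffer size are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

#define CACHE_BUF_MAX 1024u   /* assumed capacity of the static cache buffer */
#define HDR_LEN 4u            /* assumed length header of the toy encoding */

/* Constructed stand-in for a session that carries a client certificate chain. */
struct session {
    const unsigned char *chain;  /* encoded certificate chain */
    size_t chain_len;            /* grows with the chain the client presents */
};

/* Hypothetical encoder: 4-byte big-endian length, then the chain bytes.
 * Returns the encoded size; writes only when out is non-NULL, so a first
 * call with NULL measures the encoding without touching memory. */
size_t encode_session(const struct session *s, unsigned char *out)
{
    if (out != NULL) {
        out[0] = (unsigned char)(s->chain_len >> 24);
        out[1] = (unsigned char)(s->chain_len >> 16);
        out[2] = (unsigned char)(s->chain_len >> 8);
        out[3] = (unsigned char)(s->chain_len);
        memcpy(out + HDR_LEN, s->chain, s->chain_len);
    }
    return HDR_LEN + s->chain_len;
}

/* Flawed pattern, for contrast (never called here): trusts that every
 * encoding fits the fixed buffer, so a long chain writes past its end. */
size_t cache_store_unchecked(const struct session *s, unsigned char *slot)
{
    unsigned char buf[CACHE_BUF_MAX];
    size_t n = encode_session(s, buf);   /* no bound on n */
    memcpy(slot, buf, n);
    return n;
}

/* Checked form: measure first, refuse to cache what does not fit.
 * Returns bytes stored, or 0 when the session is left uncached. */
size_t cache_store_checked(const struct session *s, unsigned char *slot, size_t slot_cap)
{
    unsigned char buf[CACHE_BUF_MAX];
    if (s->chain_len > sizeof(buf) - HDR_LEN) return 0;  /* also rules out size_t wraparound */
    size_t need = encode_session(s, NULL);               /* size pass, no write */
    if (need > slot_cap) return 0;
    encode_session(s, buf);
    memcpy(slot, buf, need);
    return need;
}
```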
Impact:
A remote user may be able to trigger a buffer overflow in Apache-SSL. It is not yet clear if remote code execution is feasible.
Solution:
The vendor has released a fix (1.3.22+1.46), available at locations listed on:
http://www.apache-ssl.org/
Vendor URL: www.apache-ssl.org/advisory-20020301.txt
Cause: Boundary error
Underlying OS: Linux (Any), UNIX (Any)
Message History:
This archive entry has one or more follow-up message(s) listed below.
Source Message Contents
Date: Fri, 01 Mar 2002 11:47:36 +0000
Subject: Apache-SSL buffer overflow (fix available)

Apache-SSL buffer overflow condition (all versions prior to 1.3.22+1.46)
------------------------------------------------------------------------

Synopsis
--------

A buffer overflow was recently found in mod_ssl, see:
http://archives.neohapsis.com/archives/bugtraq/2002-02/0313.html
for details. The offending code in mod_ssl was, in fact, derived from
Apache-SSL, and Apache-SSL is also vulnerable.

As in mod_ssl, this flaw can only be exploited if client certificates
are being used, and the certificate in question must be issued by a
trusted CA.

Fix
---

Download Apache-SSL 1.3.22+1.46 from the usual places (see
http://www.apache-ssl.org/).

Acknowledgements
----------------

Thanks to Ed Moyle for finding the flaw.

Rant
----

No thanks to anyone at all for alerting me before going
public. Cheers, guys.

Links
-----

This advisory can be found at:
http://www.apache-ssl.org/advisory-20020301.txt

A mirror which definitely has the new version:
ftp://opensores.thebunker.net/pub/mirrors/apache-ssl/apache_1.3.22+ssl_1.46.tar.gz

Ben Laurie, March 1, 2002.

--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff