The dbm and shm session cache code in mod_ssl before 2.8.7-1.3.23, and Apache-SSL before 1.3.22+1.46, does not properly initialize memory using the i2d_SSL_SESSION function, which allows remote attackers to use a buffer overflow to execute arbitrary code via a large client certificate that is signed by a trusted Certificate Authority (CA), which produces a large serialized session.

Ed Moyle recently found a buffer overflow in Apache-SSL and mod_ssl.
With session caching enabled, mod_ssl will serialize SSL session variables to store them for later use. These variables were stored in a buffer of a fixed size without proper boundary checks.

To exploit the overflow, the server must be configured to require client certificates, and an attacker must obtain a carefully crafted client certificate that has been signed by a Certificate Authority which is trusted by the server. If these conditions are met, it would be possible for an attacker to execute arbitrary code on the server.

The remote host is using a version of Apache-SSL which is older than 1.47. This version is vulnerable to a buffer overflow which may allow an attacker to execute arbitrary commands on this host. 

The remote Apache server is running a version of mod_ssl which is older than 2.8.7. There is a bug in this module which may allow an attacker to obtain a shell on this host.

Ed Moyle discovered a buffer overflow in mod_ssl's session caching mechanisms that use shared memory and dbm. This could potentially be triggered by sending a very long client certificate to the server.

The remote host is using a version of Apache-SSL that is older than 1.3.22+1.46.  Such versions are vulnerable to a buffer overflow that, albeit difficult to exploit, may allow an attacker to execute arbitrary commands on this host subject to the privileges under which the web server operates.

According to the web server banner, the remote host is using a vulnerable version of mod_ssl. This version has a buffer overflow vulnerability. A remote attacker could exploit this issue to execute arbitrary code.

*** Some vendors patched older versions of mod_ssl, so this *** might be a false positive. Check with your vendor to determine *** if you have a version of mod_ssl that is patched for this *** vulnerability.

The remote host is using a version of Apache-SSL which is older than 1.47. This version is vulnerable to a buffer overflow which may allow an attacker to execute arbitrary commands on this host.

ID	Name	Product	Family	Severity
14957	Debian DSA-120-1 : mod_ssl - buffer overflow	Nessus	Debian Local Security Checks	high
1496	Apache-SSL < 1.47 mod_ssl i2d_SSL_SESSION Function Overflow	Nessus Network Monitor	Web Servers	high
1513	Apache mod_ssl Session Cache Code Overflow	Nessus Network Monitor	Web Servers	high
13928	Mandrake Linux Security Advisory : mod_ssl (MDKSA-2002:020)	Nessus	Mandriva Local Security Checks	high
10918	Apache-SSL < 1.3.23+1.46 i2d_SSL_SESSION Function SSL Client Certificate Overflow	Nessus	Web Servers	high
10888	Apache mod_ssl i2d_SSL_SESSION Function SSL Client Certificate Overflow	Nessus	Web Servers	high
800591	Apache-SSL < 1.47 mod_ssl i2d_SSL_SESSION Function Overflow	Log Correlation Engine	Web Servers	high
800557	Apache mod_ssl Session Cache Code Overflow	Log Correlation Engine	Web Servers	high

Detections

Analytics

CVE-2002-0082

critical

Tenable Plugins

high

high

high

high

high

high

high

high