The char_buffer_read function in the mod_ssl module for Apache 2.x, when using reverse proxying to an SSL server, allows remote attackers to cause a denial of service (segmentation fault).

The Apache HTTP Server 2.0.51 release notes report that the following issues have been fixed :

A segfault in mod_ssl which can be triggered by a malicious remote server, if proxying to SSL servers has been configured.
[CAN-2004-0751]

A potential infinite loop in mod_ssl which could be triggered given particular timing of a connection abort. [CAN-2004-0748]

The remote host is missing Security Update 2004-12-02. This security update contains a number of fixes for the following programs :

  - Apache
  - Apache2
  - AppKit
  - Cyrus IMAP
  - HIToolbox
  - Kerberos
  - Postfix
  - PSNormalizer
  - QuickTime Streaming Server
  - Safari
  - Terminal

These programs contain multiple vulnerabilities that could allow a remote attacker to execute arbitrary code.

The remote host is affected by the vulnerability described in GLSA-200409-21 (Apache 2, mod_dav: Multiple vulnerabilities)

    A potential infinite loop has been found in the input filter of mod_ssl     (CAN-2004-0748) as well as a possible segmentation fault in the     char_buffer_read function if reverse proxying to a SSL server is being used     (CAN-2004-0751). Furthermore, mod_dav, as shipped in Apache httpd 2 or     mod_dav 1.0.x for Apache 1.3, contains a NULL pointer dereference which can     be triggered remotely (CAN-2004-0809). The third issue is an input     validation error found in the IPv6 URI parsing routines within the apr-util     library (CAN-2004-0786). Additionally a possible buffer overflow has been     reported when expanding environment variables during the parsing of     configuration files (CAN-2004-0747).
  Impact :

    A remote attacker could cause a Denial of Service either by aborting a SSL     connection in a special way, resulting in CPU consumption, by exploiting     the segmentation fault in mod_ssl or the mod_dav flaw. A remote attacker     could also crash a httpd child process by sending a specially crafted URI.
    The last vulnerability could be used by a local user to gain the privileges     of a httpd child, if the server parses a carefully prepared .htaccess file.
  Workaround :

    There is no known workaround at this time.

Two Denial of Service conditions were discovered in the input filter of mod_ssl, the module that enables apache to handle HTTPS requests.

Another vulnerability was discovered by the ASF security team using the Codenomicon HTTP Test Tool. This vulnerability, in the apr-util library, can possibly lead to arbitrary code execution if certain non-default conditions are met (enabling the AP_ENABLE_EXCEPTION_HOOK define).

As well, the SITIC have discovered a buffer overflow when Apache expands environment variables in configuration files such as .htaccess and httpd.conf, which can lead to possible privilege escalation. This can only be done, however, if an attacker is able to place malicious configuration files on the server.

Finally, a crash condition was discovered in the mod_dav module by Julian Reschke, where sending a LOCK refresh request to an indirectly locked resource could crash the server.

The updated packages have been patched to protect against these vulnerabilities.

According to its Server response header, the remote host is running a version of Apache 2.0.x prior to 2.0.51. It is, therefore, affected by multiple vulnerabilities :

  - An input validation issue in apr-util can be triggered     by malformed IPv6 literal addresses and result in a     buffer overflow (CVE-2004-0786).

  - There is a buffer overflow that can be triggered when     expanding environment variables during configuration     file parsing (CVE-2004-0747).

  - A segfault in mod_dav_ds when handling an indirect lock     refresh can lead to a process crash (CVE-2004-0809).

  - A segfault in the SSL input filter can be triggered     if using 'speculative' mode by, for instance, a proxy     request to an SSL server (CVE-2004-0751).

  - There is the potential for an infinite loop in mod_ssl     (CVE-2004-0748).

The remote host is running a vulnerable version of Apache. It is reported that versions prior to 2.0.51 are prone to a remote buffer overflow when parsing an URI sent over IPv6. An attacker may use this vulnerability to execute arbitrary code on the remote host or to deny service to legitimate users.

Updated httpd packages that include fixes for security issues are now available.

The Apache HTTP server is a powerful, full-featured, efficient, and freely-available Web server.

Four issues have been discovered affecting releases of the Apache HTTP 2.0 Server, up to and including version 2.0.50 :

Testing using the Codenomicon HTTP Test Tool performed by the Apache Software Foundation security group and Red Hat uncovered an input validation issue in the IPv6 URI parsing routines in the apr-util library. If a remote attacker sent a request including a carefully crafted URI, an httpd child process could be made to crash. This issue is not believed to allow arbitrary code execution on Red Hat Enterprise Linux. This issue also does not represent a significant denial of service attack as requests will continue to be handled by other Apache child processes. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0786 to this issue.

The Swedish IT Incident Centre (SITIC) reported a buffer overflow in the expansion of environment variables during configuration file parsing. This issue could allow a local user to gain 'apache' privileges if an httpd process can be forced to parse a carefully crafted .htaccess file written by a local user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0747 to this issue.

An issue was discovered in the mod_ssl module which could be triggered if the server is configured to allow proxying to a remote SSL server.
A malicious remote SSL server could force an httpd child process to crash by sending a carefully crafted response header. This issue is not believed to allow execution of arbitrary code. This issue also does not represent a significant Denial of Service attack as requests will continue to be handled by other Apache child processes. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0751 to this issue.

An issue was discovered in the mod_dav module which could be triggered for a location where WebDAV authoring access has been configured. A malicious remote client which is authorized to use the LOCK method could force an httpd child process to crash by sending a particular sequence of LOCK requests. This issue does not allow execution of arbitrary code. This issue also does not represent a significant Denial of Service attack as requests will continue to be handled by other Apache child processes. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0809 to this issue.

Users of the Apache HTTP server should upgrade to these updated packages, which contain backported patches that address these issues.

The remote host appears to be running a version of Apache 2.x that is older than 2.0.51. It is reported that these versions of Apache are prone to a denial of service issue related to mod_ssl. An attacker may deny service to legitimate users if the remote server uses a 'RewriteRule' to enable reverse proxying to a SSL origin server.

The remote host is missing the patch for the advisory SUSE-SA:2004:030 (apache2).


The mod_ssl apache module, as part of our apache2 package, enables the apache webserver to handle the HTTPS protocol.
Within the mod_ssl module, two Denial of Service conditions in the input filter have been found. The CVE project assigned the identifiers CVE-2004-0748 and CVE-2004-0751 to these issues.

The remote host appears to be running a version of Apache 2.x that is older than 2.0.51. It is reported that these versions of Apache are prone to a denial of service issue related to mod_ssl. An attacker may force a SSL connection to be aborted and therefore cause the Apache server to enter in an infinite loop, consuming CPU resources. 

Updated httpd packages that include a security fix for mod_ssl and various enhancements are now available.

The Apache HTTP server is a powerful, full-featured, efficient, and freely-available Web server.

An input filter bug in mod_ssl was discovered in Apache httpd version 2.0.50 and earlier. A remote attacker could force an SSL connection to be aborted in a particular state and cause an Apache child process to enter an infinite loop, consuming CPU resources. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0748 to this issue.

Additionally, this update includes the following enhancements and bug fixes :

  - included an improved version of the mod_cgi module that     correctly handles concurrent output on stderr and stdout

  - included support for direct lookup of SSL variables     using %{SSL:...} from mod_rewrite, or using %{...}s from     mod_headers

  - restored support for use of SHA1-encoded passwords

  - added the mod_ext_filter module

Users of the Apache HTTP server should upgrade to these updated packages, which contain backported patches that address these issues.

The remote host appears to be running a version of Apache 2.x that is older than 2.0.51. It is reported that these versions of Apache are prone to a denial of service issue related to mod_ssl. An attacker may force a SSL connection to be aborted and therefore cause the Apache server to enter in an infinite loop, consuming CPU resources.

ID	Name	Product	Family	Severity
37076	FreeBSD : apache2 -- SSL remote DoS (7b81fc47-239f-11d9-814e-0001020eed82)	Nessus	FreeBSD Local Security Checks	medium
15898	Mac OS X Multiple Vulnerabilities (Security Update 2004-12-02)	Nessus	MacOS X Local Security Checks	high
14766	GLSA-200409-21 : Apache 2, mod_dav: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	medium
14752	Mandrake Linux Security Advisory : apache2 (MDKSA-2004:096)	Nessus	Mandriva Local Security Checks	high
14748	Apache 2.0.x < 2.0.51 Multiple Vulnerabilities (OF, DoS)	Nessus	Web Servers	medium
2292	Apache < 2.0.51 IPv6 Remote Buffer Overflow	Nessus Network Monitor	Web Servers	medium
14736	RHEL 3 : httpd (RHSA-2004:463)	Nessus	Red Hat Local Security Checks	medium
2276	Apache < 2.0.51 mod_ssl Rewrite Rules DoS	Nessus Network Monitor	Web Servers	medium
14667	SUSE-SA:2004:030: apache2	Nessus	SuSE Local Security Checks	medium
2254	Apache < 2.0.51 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	high
14624	RHEL 3 : httpd (RHSA-2004:349)	Nessus	Red Hat Local Security Checks	medium
800587	Apache < 2.0.51 mod_ssl Rewrite Rules DoS	Log Correlation Engine	Web Servers	medium
800564	Apache < 2.0.51 Multiple Vulnerabilities	Log Correlation Engine	Web Servers	medium

Detections

Analytics

CVE-2004-0751

high

Tenable Plugins

medium

high

medium

high

medium

medium

medium

medium

medium

high

medium

medium

medium