The IPv6 URI parsing routines in the apr-util library for Apache 2.0.50 and earlier allow remote attackers to cause a denial of service (child process crash) via a certain URI, as demonstrated using the Codenomicon HTTP Test Tool.

The Apache Software Foundation Security Team discovered a programming error in the apr-util library function apr_uri_parse. When parsing IPv6 literal addresses, it is possible that a length is incorrectly calculated to be negative, and this value is passed to memcpy. This may result in an exploitable vulnerability on some platforms, including FreeBSD.

The remote host is missing Security Update 2004-12-02. This security update contains a number of fixes for the following programs :

  - Apache
  - Apache2
  - AppKit
  - Cyrus IMAP
  - HIToolbox
  - Kerberos
  - Postfix
  - PSNormalizer
  - QuickTime Streaming Server
  - Safari
  - Terminal

These programs contain multiple vulnerabilities that could allow a remote attacker to execute arbitrary code.

The remote host is affected by the vulnerability described in GLSA-200409-21 (Apache 2, mod_dav: Multiple vulnerabilities)

    A potential infinite loop has been found in the input filter of mod_ssl     (CAN-2004-0748) as well as a possible segmentation fault in the     char_buffer_read function if reverse proxying to a SSL server is being used     (CAN-2004-0751). Furthermore, mod_dav, as shipped in Apache httpd 2 or     mod_dav 1.0.x for Apache 1.3, contains a NULL pointer dereference which can     be triggered remotely (CAN-2004-0809). The third issue is an input     validation error found in the IPv6 URI parsing routines within the apr-util     library (CAN-2004-0786). Additionally a possible buffer overflow has been     reported when expanding environment variables during the parsing of     configuration files (CAN-2004-0747).
  Impact :

    A remote attacker could cause a Denial of Service either by aborting a SSL     connection in a special way, resulting in CPU consumption, by exploiting     the segmentation fault in mod_ssl or the mod_dav flaw. A remote attacker     could also crash a httpd child process by sending a specially crafted URI.
    The last vulnerability could be used by a local user to gain the privileges     of a httpd child, if the server parses a carefully prepared .htaccess file.
  Workaround :

    There is no known workaround at this time.

Testing using the Codenomicon HTTP Test Tool performed by the Apache Software Foundation security group and Red Hat uncovered an input validation issue in the IPv6 URI parsing routines in the apr-util library. If a remote attacker sent a request including a carefully crafted URI, an httpd child process could be made to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0786 to this issue.

This update includes a backported fix for this issue.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Testing using the Codenomicon HTTP Test Tool performed by the Apache Software Foundation security group and Red Hat uncovered an input validation issue in the IPv6 URI parsing routines in the apr-util library. If a remote attacker sent a request including a carefully crafted URI, an httpd child process could be made to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0786 to this issue.

This update includes a backported patch for this issue.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Two Denial of Service conditions were discovered in the input filter of mod_ssl, the module that enables apache to handle HTTPS requests.

Another vulnerability was discovered by the ASF security team using the Codenomicon HTTP Test Tool. This vulnerability, in the apr-util library, can possibly lead to arbitrary code execution if certain non-default conditions are met (enabling the AP_ENABLE_EXCEPTION_HOOK define).

As well, the SITIC have discovered a buffer overflow when Apache expands environment variables in configuration files such as .htaccess and httpd.conf, which can lead to possible privilege escalation. This can only be done, however, if an attacker is able to place malicious configuration files on the server.

Finally, a crash condition was discovered in the mod_dav module by Julian Reschke, where sending a LOCK refresh request to an indirectly locked resource could crash the server.

The updated packages have been patched to protect against these vulnerabilities.

According to its Server response header, the remote host is running a version of Apache 2.0.x prior to 2.0.51. It is, therefore, affected by multiple vulnerabilities :

  - An input validation issue in apr-util can be triggered     by malformed IPv6 literal addresses and result in a     buffer overflow (CVE-2004-0786).

  - There is a buffer overflow that can be triggered when     expanding environment variables during configuration     file parsing (CVE-2004-0747).

  - A segfault in mod_dav_ds when handling an indirect lock     refresh can lead to a process crash (CVE-2004-0809).

  - A segfault in the SSL input filter can be triggered     if using 'speculative' mode by, for instance, a proxy     request to an SSL server (CVE-2004-0751).

  - There is the potential for an infinite loop in mod_ssl     (CVE-2004-0748).

The remote host is running a vulnerable version of Apache. It is reported that versions prior to 2.0.51 are prone to a remote buffer overflow when parsing an URI sent over IPv6. An attacker may use this vulnerability to execute arbitrary code on the remote host or to deny service to legitimate users.

The remote host is running a vulnerable version of Apache. It is reported that versions prior 2.0.51 are prone to a local buffer overflow when processing ${ENVVAR} constructs in .htaccess and httpd.conf files. An attacker with interactive access to the computer may use this flaw to execute arbitrary code in the context of the web server.

Updated httpd packages that include fixes for security issues are now available.

The Apache HTTP server is a powerful, full-featured, efficient, and freely-available Web server.

Four issues have been discovered affecting releases of the Apache HTTP 2.0 Server, up to and including version 2.0.50 :

Testing using the Codenomicon HTTP Test Tool performed by the Apache Software Foundation security group and Red Hat uncovered an input validation issue in the IPv6 URI parsing routines in the apr-util library. If a remote attacker sent a request including a carefully crafted URI, an httpd child process could be made to crash. This issue is not believed to allow arbitrary code execution on Red Hat Enterprise Linux. This issue also does not represent a significant denial of service attack as requests will continue to be handled by other Apache child processes. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0786 to this issue.

The Swedish IT Incident Centre (SITIC) reported a buffer overflow in the expansion of environment variables during configuration file parsing. This issue could allow a local user to gain 'apache' privileges if an httpd process can be forced to parse a carefully crafted .htaccess file written by a local user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0747 to this issue.

An issue was discovered in the mod_ssl module which could be triggered if the server is configured to allow proxying to a remote SSL server.
A malicious remote SSL server could force an httpd child process to crash by sending a carefully crafted response header. This issue is not believed to allow execution of arbitrary code. This issue also does not represent a significant Denial of Service attack as requests will continue to be handled by other Apache child processes. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0751 to this issue.

An issue was discovered in the mod_dav module which could be triggered for a location where WebDAV authoring access has been configured. A malicious remote client which is authorized to use the LOCK method could force an httpd child process to crash by sending a particular sequence of LOCK requests. This issue does not allow execution of arbitrary code. This issue also does not represent a significant Denial of Service attack as requests will continue to be handled by other Apache child processes. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0809 to this issue.

Users of the Apache HTTP server should upgrade to these updated packages, which contain backported patches that address these issues.

The remote host is missing the patch for the advisory SUSE-SA:2004:032 (apache2).


The Apache daemon is running on most of the web-servers used in the Internet today.
The Red Hat ASF Security-Team and the Swedish IT Incident Center within the National Post and Telecom Agency (SITIC) have found a bug in apache2 each.
The first vulnerability appears in the apr_uri_parse() function while handling IPv6 addresses. The affected code passes a negative length argument to the memcpy() function. On BSD systems this can lead to remote command execution due to the nature of the memcpy() implementation.
On Linux this bug will result in a remote denial-of-service condition.
The second bug is a local buffer overflow that occurs while expanding ${ENVVAR} in the .htaccess and httpd.conf file. Both files are not writeable by normal user by default.

The remote host appears to be running a version of Apache 2.x that is older than 2.0.51. It is reported that these versions of Apache are prone to a denial of service issue related to mod_ssl. An attacker may deny service to legitimate users if the remote server uses a 'RewriteRule' to enable reverse proxying to a SSL origin server.

The remote host appears to be running a version of Apache 2.x that is older than 2.0.51. It is reported that these versions of Apache are prone to a denial of service issue related to mod_ssl. An attacker may force a SSL connection to be aborted and therefore cause the Apache server to enter in an infinite loop, consuming CPU resources. 

ID	Name	Product	Family	Severity
37109	FreeBSD : apache -- apr_uri_parse IPv6 address handling vulnerability (762d1c6d-0722-11d9-b45d-000c41e2cdad)	Nessus	FreeBSD Local Security Checks	medium
15898	Mac OS X Multiple Vulnerabilities (Security Update 2004-12-02)	Nessus	MacOS X Local Security Checks	high
14766	GLSA-200409-21 : Apache 2, mod_dav: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	medium
14765	Fedora Core 2 : apr-util-0.9.4-14.2 (2004-308)	Nessus	Fedora Local Security Checks	medium
14764	Fedora Core 1 : apr-util-0.9.4-2.1 (2004-307)	Nessus	Fedora Local Security Checks	medium
14752	Mandrake Linux Security Advisory : apache2 (MDKSA-2004:096)	Nessus	Mandriva Local Security Checks	high
14748	Apache 2.0.x < 2.0.51 Multiple Vulnerabilities (OF, DoS)	Nessus	Web Servers	medium
2292	Apache < 2.0.51 IPv6 Remote Buffer Overflow	Nessus Network Monitor	Web Servers	medium
2290	Apache < 2.0.51 ${ENVVAR} Local Overflow	Nessus Network Monitor	Web Servers	medium
14736	RHEL 3 : httpd (RHSA-2004:463)	Nessus	Red Hat Local Security Checks	medium
14731	SUSE-SA:2004:032: apache2	Nessus	SuSE Local Security Checks	medium
2276	Apache < 2.0.51 mod_ssl Rewrite Rules DoS	Nessus Network Monitor	Web Servers	medium
2254	Apache < 2.0.51 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	high
800587	Apache < 2.0.51 mod_ssl Rewrite Rules DoS	Log Correlation Engine	Web Servers	medium
800564	Apache < 2.0.51 Multiple Vulnerabilities	Log Correlation Engine	Web Servers	medium
800562	Apache < 2.0.51 ${ENVVAR} Local Overflow	Log Correlation Engine	Web Servers	medium
800560	Apache < 2.0.51 IPv6 Remote Buffer Overflow	Log Correlation Engine	Web Servers	medium

Detections

Analytics

CVE-2004-0786

high

Tenable Plugins

medium

high

medium

medium

medium

high

medium

medium

medium

medium

medium

medium

high

medium

medium

medium

medium