lighttpd before 1.4.34, when SNI is enabled, configures weak SSL ciphers, which makes it easier for remote attackers to hijack sessions by inserting packets into the client-server data stream or obtain sensitive information by sniffing the network.

According to its banner, the version of lighttpd running on the remote host is prior to 1.4.34. It is, therefore, affected by the following vulnerabilities :

 - When Server Name Indication (SNI) is enabled, a flaw exists that could cause the application to use all available SSL ciphers, including weak ciphers. Remote attackers could potentially hijack sessions or obtain sensitive information by sniffing the network. Note only versions 1.4.24 to 1.4.33 are affected. (CVE-2013-4508)

 - A flaw exists in the clang static analyzer because it fails to perform checks around setuid (1), setgid (2), and setgroups (3) calls. This could allow a remote attacker to gain elevated privileges. (CVE-2013-4559)

 - A use-after-free error exists in the clang static analyzer, when the FAM stat cache engine is enabled. This could allow remote attackers to dereference already freed memory and crash the program. (CVE-2013-4560)

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-201406-10 (lighttpd: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in lighttpd. Please review       the CVE identifiers referenced below for details.
  Impact :

    A remote attacker could create a Denial of Service condition.
      Futhermore, a remote attacker may be able to execute arbitrary SQL       statements.
  Workaround :

    There is no known workaround at this time.

- added cve-2013-4508.patch and     cve-2013-4508-regression-bug729480.patch: (bnc#849059)     When defining an ssl.cipher-list, it works for the     'default' HTTPS setup ($SERVER['socket'] 443 block), but     when you utilize SNI ($HTTP['host'] blocks within the     $SERVER['socket'] block) the ssl.cipher-list seems to     not inherit into the host blocks and instead will     default to include all of the available openssl ciphers     (except SSL v2/v3 based if those are disabled)

  - added cve-2013-4559.patch (bnc#850468) check success of     setuid,setgid,setgroups

  - added cve-2013-4560.patch (bnc#850469) FAM: fix use     after free

  - added cve-2013-4508.patch and     cve-2013-4508-regression-bug729480.patch: (bnc#849059)     When defining an ssl.cipher-list, it works for the     'default' HTTPS setup ($SERVER['socket'] 443 block), but     when you utilize SNI ($HTTP['host'] blocks within the     $SERVER['socket'] block) the ssl.cipher-list seems to     not inherit into the host blocks and instead will     default to include all of the available openssl ciphers     (except SSL v2/v3 based if those are disabled)

  - added cve-2013-4559.patch (bnc#850468) check success of     setuid,setgid,setgroups

  - added cve-2013-4560.patch (bnc#850469) FAM: fix use     after free

  - added cve-2013-4508.patch and     cve-2013-4508-regression-bug729480.patch: (bnc#849059)     When defining an ssl.cipher-list, it works for the     'default' HTTPS setup ($SERVER['socket'] 443 block), but     when you utilize SNI ($HTTP['host'] blocks within the     $SERVER['socket'] block) the ssl.cipher-list seems to     not inherit into the host blocks and instead will     default to include all of the available openssl ciphers     (except SSL v2/v3 based if those are disabled)

  - added cve-2013-4559.patch (bnc#850468) check success of     setuid,setgid,setgroups

  - added cve-2013-4560.patch (bnc#850469) FAM: fix use     after free

Use-after-free vulnerability in lighttpd before 1.4.33 allows remote attackers to cause a denial of service (segmentation fault and crash) via unspecified vectors that trigger FAMMonitorDirectory failures.

lighttpd before 1.4.34, when SNI is enabled, configures weak SSL ciphers, which makes it easier for remote attackers to hijack sessions by inserting packets into the client-server data stream or obtain sensitive information by sniffing the network.

lighttpd before 1.4.33 does not check the return value of the (1) setuid, (2) setgid, or (3) setgroups functions, which might cause lighttpd to run as root if it is restarted and allows remote attackers to gain privileges, as demonstrated by multiple calls to the clone function that cause setuid to fail when the user process limit is reached.

According to its banner, the version of lighttpd running on the remote host is prior to 1.4.34. It is, therefore, affected by the following vulnerabilities :

  - When Server Name Indication (SNI) is enabled, a flaw     exists that could cause the application to use all     available SSL ciphers, including weak ciphers. Remote     attackers could potentially hijack sessions or obtain     sensitive information by sniffing the network.
    Note only versions 1.4.24 to 1.4.33 are affected.
    (CVE-2013-4508)

  - A flaw exists in the clang static analyzer because it     fails to perform checks around setuid (1), setgid (2),     and setgroups (3) calls. This could allow a remote     attacker to gain elevated privileges. (CVE-2013-4559)

  - A use-after-free error exists in the clang static     analyzer, when the FAM stat cache engine is enabled.
    This could allow remote attackers to dereference     already freed memory and crash the program.
    (CVE-2013-4560)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Enable building with PIE Latest upstream, multiple security fixes.

http://www.lighttpd.net/2014/1/20/1-4-34/ Latest upstream, multiple security fixes.

http://www.lighttpd.net/2014/1/20/1-4-34/

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

lighttpd security advisories report :

It is possible to inadvertantly enable vulnerable ciphers when using ssl.cipher-list.

In certain cases setuid() and similar can fail, potentially triggering lighttpd to restart running as root.

If FAMMonitorDirectory fails, the memory intended to store the context is released; some lines below the 'version' compoment of that context is read. Reading invalid data doesn't matter, but the memory access could trigger a segfault.

Updated lighttpd packages fix security vulnerabilities :

lighttpd before 1.4.34, when SNI is enabled, configures weak SSL ciphers, which makes it easier for remote attackers to hijack sessions by inserting packets into the client-server data stream or obtain sensitive information by sniffing the network (CVE-2013-4508).

In lighttpd before 1.4.34, if setuid() fails for any reason, for instance if an environment limits the number of processes a user can have and the target uid already is at the limit, lighttpd will run as root. A user who can run CGI scripts could clone() often; in this case a lighttpd restart would end up with lighttpd running as root, and the CGI scripts would run as root too (CVE-2013-4559).

In lighttpd before 1.4.34, if fam is enabled and there are directories reachable from configured doc roots and aliases on which FAMMonitorDirectory fails, a remote client could trigger a DoS (CVE-2013-4560).

Several vulnerabilities have been discovered in the lighttpd web server.

It was discovered that SSL connections with client certificates stopped working after the DSA-2795-1 update of lighttpd. An upstream patch has now been applied that provides an appropriate identifier for client certificate verification.

  - CVE-2013-4508     It was discovered that lighttpd uses weak ssl ciphers     when SNI (Server Name Indication) is enabled. This issue     was solved by ensuring that stronger ssl ciphers are     used when SNI is selected.

  - CVE-2013-4559     The clang static analyzer was used to discover privilege     escalation issues due to missing checks around     lighttpd's setuid, setgid, and setgroups calls. Those     are now appropriately checked.

  - CVE-2013-4560     The clang static analyzer was used to discover a     use-after-free issue when the FAM stat cache engine is     enabled, which is now fixed.

ID	Name	Product	Family	Severity
112357	lighttpd < 1.4.34 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	high
76062	GLSA-201406-10 : lighttpd: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
75389	openSUSE Security Update : lighttpd (openSUSE-SU-2014:0072-1)	Nessus	SuSE Local Security Checks	high
72947	Amazon Linux AMI : lighttpd (ALAS-2014-299)	Nessus	Amazon Linux Local Security Checks	high
72815	lighttpd < 1.4.34 Multiple Vulnerabilities	Nessus	Web Servers	high
72652	Fedora 19 : lighttpd-1.4.34-3.fc19 (2014-2506)	Nessus	Fedora Local Security Checks	high
72651	Fedora 20 : lighttpd-1.4.34-3.fc20 (2014-2495)	Nessus	Fedora Local Security Checks	high
72494	FreeBSD : lighttpd -- multiple vulnerabilities (90b27045-9530-11e3-9d09-000c2980a9f3)	Nessus	FreeBSD Local Security Checks	high
71031	Mandriva Linux Security Advisory : lighttpd (MDVSA-2013:277)	Nessus	Mandriva Local Security Checks	high
70982	Debian DSA-2795-2 : lighttpd - several vulnerabilities	Nessus	Debian Local Security Checks	high

Detections

Analytics

CVE-2013-4508

high

Tenable Plugins

high

high

high

high

high

high

high

high

high

high