The handle_headers function in mod_proxy_fcgi.c in the mod_proxy_fcgi module in the Apache HTTP Server 2.4.10 allows remote FastCGI servers to cause a denial of service (buffer over-read and daemon crash) via long response headers.

According to its banner, the version of Apache 2.4.x running on the remote host is prior to 2.4.12. It is, therefore, affected by the following vulnerabilities :

 - A flaw exists in module mod_headers that can allow HTTP trailers to replace HTTP headers late during request processing, which a remote attacker can exploit to inject arbitrary headers. This can also cause some modules to function incorrectly or appear to function incorrectly. (CVE-2013-5704)

 - A NULL pointer dereference flaw exists in module mod_cache. A remote attacker, using an empty HTTP Content-Type header, can exploit this vulnerability to crash a caching forward proxy configuration, resulting in a denial of service if using a threaded MPM. (CVE-2014-3581)

 - A out-of-bounds memory read flaw exists in module mod_proxy_fcgi. An attacker, using a remote FastCGI server to send long response headers, can exploit this vulnerability to cause a denial of service by causing a buffer over-read. (CVE-2014-3583)

 - A flaw exists in module mod_lua when handling a LuaAuthzProvider used in multiple Require directives with different arguments. An attacker can exploit this vulnerability to bypass intended access restrictions. (CVE-2014-8109)

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-201701-36 (Apache: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Apache. Please review       the CVE identifiers, upstream Apache Software Foundation documentation,       and HTTPoxy website referenced below for details.
  Impact :

    A remote attacker could cause a Denial of Service condition via multiple       vectors or response splitting and cache pollution. Additionally, an       attacker could intercept unsecured (HTTP) transmissions via the HTTPoxy       vulnerability.
  Workaround :

    There is no known workaround at this time.

The remote host is running a version of Mac OS X 10.10.x that is prior to version 10.10.5. The installed version is affected by multiple vulnerabilities in the following components :

 - apache (CVE-2014-3581, CVE-2014-3583, CVE-2014-8109, CVE-2015-0228, CVE-2015-0253, CVE-2015-3183, CVE-2015-3185)
 - apache_mod_php (CVE-2015-2783, CVE-2015-2787, CVE-2015-3307, CVE-2015-3329, CVE-2015-3330, CVE-2015-4021, CVE-2015-4022, CVE-2015-4024, CVE-2015-4025, CVE-2015-4026, CVE-2015-4147, CVE-2015-4148)
 - Apple ID OD Plug-in (CVE-2015-3799)
 - AppleGraphicsControl (CVE-2015-5768)
 - Bluetooth (CVE-2015-3777, CVE-2015-3779, CVE-2015-3780, CVE-2015-3786, CVE-2015-3787)
 - bootp (CVE-2015-3778)
 - CloudKit (CVE-2015-3782)
 - CoreMedia Playback (CVE-2015-5777, CVE-2015-5778)
 - CoreText (CVE-2015-5761, CVE-2015-5755)
 - curl (CVE-2014-3613, CVE-2014-3620, CVE-2014-3707, CVE-2014-8150, CVE-2014-8151, CVE-2015-3143, CVE-2015-3144, CVE-2015-3145, CVE-2015-3148, CVE-2015-3153)
 - Data Detectors Engine (CVE-2015-5750)
 - Date & Time pref pane (CVE-2015-3757)
 - Dictionary Application (CVE-2015-3774)
 - DiskImages (CVE-2015-3800)
 - dyld (CVE-2015-3760)
 - FontParser (CVE-2015-3804, CVE-2015-5775, CVE-2015-5756)
 - groff (CVE-2009-5044, CVE-2009-5078)
 - ImageIO (CVE-2015-5758, CVE-2015-5781, CVE-2015-5782)
 - Install Framework Legacy (CVE-2015-5784, CVE-2015-5754)
 - IOFireWireFamily (CVE-2015-3769, CVE-2015-3771, CVE-2015-3772)
 - IOGraphics (CVE-2015-3770, CVE-2015-5783)
 - IOHIDFamily (CVE-2015-5774)
 - Kernel (CVE-2015-3766, CVE-2015-3768, CVE-2015-5747, CVE-2015-5748, CVE-2015-3806, CVE-2015-3803, CVE-2015-3802, CVE-2015-3805, CVE-2015-3776, CVE-2015-3761)
 - Libc (CVE-2015-3796, CVE-2015-3797, CVE-2015-3798)
 - Libinfo (CVE-2015-5776)
 - libpthread (CVE-2015-5757)
 - libxml2 (CVE-2014-0191, CVE-2014-3660, CVE-2015-3807)
 - libxpc (CVE-2015-3795)
 - mail_cmds (CVE-2014-7844)
 - Notification Center OSX (CVE-2015-3764)
 - ntfs (CVE-2015-5763)
 - OpenSSH (CVE-2015-5600)
 - OpenSSL (CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1791, CVE-2015-1792)
 - perl (CVE-2013-7422)
 - PostgreSQL (CVE-2014-0067, CVE-2014-8161, CVE-2015-0241, CVE-2015-0242, CVE-2015-0243, CVE-2015-0244)
 - python (CVE-2013-7040, CVE-2013-7338, CVE-2014-1912, CVE-2014-7185, CVE-2014-9365)
 - QL Office (CVE-2015-5773, CVE-2015-3784)
 - Quartz Composer Framework (CVE-2015-5771)
 - Quick Look (CVE-2015-3781)
 - QuickTime 7 (CVE-2015-3779, CVE-2015-5753, CVE-2015-5779, CVE-2015-3765, CVE-2015-3788, CVE-2015-3789, CVE-2015-3790, CVE-2015-3791, CVE-2015-3792, CVE-2015-5751)
 - SceneKit (CVE-2015-5772, CVE-2015-3783)
 - Security (CVE-2015-3775)
 - SMBClient (CVE-2015-3773)
 - Speech UI (CVE-2015-3794)
 - sudo (CVE-2013-1775, CVE-2013-1776, CVE-2013-2776, CVE-2013-2777, CVE-2014-0106, CVE-2014-9680)
 - tcpdump (CVE-2014-8767, CVE-2014-8769, CVE-2014-9140)
 - Text Formats (CVE-2015-3762)
 - udf (CVE-2015-3767)

 Note that successful exploitation of the most serious issues can result in arbitrary code execution.

An updated mod_proxy_fcgi package that fixes one security issue is now available for Red Hat Ceph Storage 1.2 for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having Low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

Red Hat Ceph Storage is a massively scalable, open, software-defined storage platform that combines the most stable version of the Ceph storage system with a Ceph management platform, deployment tools, and support services.

The mod_proxy_fcgi package provides a proxy module for the Apache 2.2 HTTP server.

A buffer overflow flaw was found in mod_proxy_fcgi's handle_headers() function. A malicious FastCGI server that httpd is configured to connect to could send a carefully crafted response that would cause an httpd child process handling the request to crash. (CVE-2014-3583)

All mod_proxy_fcgi users are advised to upgrade to this updated package, which corrects this issue.

The remote Mac OS X host has a version of OS X Server installed that is prior to 5.0.3. It is, therefore, affected by the following vulnerabilities :

  - A flaw exists in the mod_headers module that allows HTTP     trailers to replace HTTP headers late during request     processing. A remote attacker can exploit this to inject     arbitrary headers. This can also cause some modules to     function incorrectly or appear to function incorrectly.
    (CVE-2013-5704)

  - A privilege escalation vulnerability exists due to the     'make check' command not properly invoking initdb to     specify authentication requirements for a database     cluster to be used for tests. A local attacker can     exploit this issue to gain temporary server access and     elevated privileges. (CVE-2014-0067)

  - A NULL pointer dereference flaw exists in module     mod_cache. A remote attacker, using an empty HTTP     Content-Type header, can exploit this vulnerability to     crash a caching forward proxy configuration, resulting     in a denial of service if using a threaded MPM.
    (CVE-2014-3581)

  - A out-of-bounds memory read flaw exists in module     mod_proxy_fcgi. An attacker, using a remote FastCGI     server to send long response headers, can exploit this     vulnerability to cause a denial of service by causing     a buffer over-read. (CVE-2014-3583)

  - A flaw exists in module mod_lua when handling a     LuaAuthzProvider used in multiple Require directives     with different arguments. An attacker can exploit this     vulnerability to bypass intended access restrictions.
    (CVE-2014-8109)

  - An information disclosure vulnerability exists due to     improper handling of restricted column values in     constraint-violation error messages. An authenticated,     remote attacker can exploit this to gain access to     sensitive information. (CVE-2014-8161)

  - A flaw exists within the Domain Name Service due to an     error in the code used to follow delegations. A remote     attacker, with a maliciously-constructed zone or query,     can cause the service to issue unlimited queries,     resulting in resource exhaustion. (CVE-2014-8500)

  - A flaw exists in the lua_websocket_read() function in     the 'mod_lua' module due to incorrect handling of     WebSocket PING frames. A remote attacker can exploit     this, by sending a crafted WebSocket PING frame after a     Lua script has called the wsupgrade() function, to crash     a child process, resulting in a denial of service     condition. (CVE-2015-0228)

  - Multiple vulnerabilities exist due to several buffer     overflow errors related to the 'to_char' functions. An     authenticated, remote attacker can exploit these issues     to cause a denial of service or arbitrary code     execution. (CVE-2015-0241)

  - Multiple vulnerabilities exist due to several     stack-based buffer overflow errors in various *printf()     functions. The overflows are due to improper validation     of user-supplied input when formatting a floating point     number where the requested precision is greater than     approximately 500. An authenticated, remote attacker     can exploit these issues to cause a denial of service or     arbitrary code execution. (CVE-2015-0242)

  - Multiple vulnerabilities exist due to an overflow     condition in multiple functions in the 'pgcrypto'     extension. The overflows are due to improper validation     of user-supplied input when tracking memory sizes. An     authenticated, remote attacker can exploit these issues     to cause a denial of service or arbitrary code     execution. (CVE-2015-0243)

  - A SQL injection vulnerability exists due to improper     sanitization of user-supplied input when handling     crafted binary data within a command parameter. An     authenticated, remote attacker can exploit this issue     to inject or manipulate SQL queries, allowing the     manipulation or disclosure of arbitrary data.
    (CVE-2015-0244)

  - A NULL pointer dereference flaw exists in the     read_request_line() function due to a failure to     initialize the protocol structure member. A remote     attacker can exploit this flaw, on installations that     enable the INCLUDES filter and has an ErrorDocument 400     directive specifying a local URI, by sending a request     that lacks a method, to cause a denial of service     condition. (CVE-2015-0253)

  - A denial of service vulnerability exists due to an error     relating to DNSSEC validation and the managed-keys     feature. A remote attacker can trigger an incorrect     trust-anchor management scenario in which no key is     ready for use, resulting in an assertion failure and     daemon crash. (CVE-2015-1349)

  - A flaw exists in PostgreSQL client disconnect timeout     expiration that is triggered when a timeout interrupt     is fired partway through the session shutdown sequence.     (CVE-2015-3165)

  - A flaw exists in the printf() functions due to a failure     to check for errors. A remote attacker can use this to     gain access to sensitive information. (CVE-2015-3166)

  - The pgcrypto component in PostgreSQL has multiple error     messages for decryption with an incorrect key. A remote     attacker can use this to recover keys from other     systems. (CVE-2015-3167)

  - A flaw exists in the chunked transfer coding     implementation due to a failure to properly parse chunk     headers. A remote attacker can exploit this to conduct     HTTP request smuggling attacks. (CVE-2015-3183)

  - A flaw exists in the ap_some_auth_required() function     due to a failure to consider that a Require directive     may be associated with an authorization setting rather     than an authentication setting. A remote attacker can     exploit this, if a module that relies on the 2.2 API     behavior exists, to bypass intended access restrictions.
    (CVE-2015-3185)

  - Multiple unspecified XML flaws exist in the Wiki Server     based on Twisted. (CVE-2015-5911)

The remote host is running a version of Mac OS X 10.8.5 or 10.9.5 that is missing Security Update 2015-006. It is, therefore, affected by multiple vulnerabilities in the following components :

  - apache
  - apache_mod_php
  - CoreText
  - FontParser
  - Libinfo
  - libxml2
  - OpenSSL
  - perl
  - PostgreSQL
  - QL Office
  - Quartz Composer Framework
  - QuickTime 7
  - SceneKit

Note that successful exploitation of the most serious issues can result in arbitrary code execution.

The remote host is running a version of Mac OS X 10.10.x that is prior to 10.10.5. It is, therefore, affected by multiple vulnerabilities in the following components :

  - apache
  - apache_mod_php
  - Apple ID OD Plug-in
  - AppleGraphicsControl
  - Bluetooth
  - bootp
  - CloudKit
  - CoreMedia Playback
  - CoreText
  - curl
  - Data Detectors Engine
  - Date & Time pref pane
  - Dictionary Application
  - DiskImages
  - dyld
  - FontParser
  - groff
  - ImageIO
  - Install Framework Legacy
  - IOFireWireFamily
  - IOGraphics
  - IOHIDFamily
  - Kernel
  - Libc
  - Libinfo
  - libpthread
  - libxml2
  - libxpc
  - mail_cmds
  - Notification Center OSX
  - ntfs
  - OpenSSH
  - OpenSSL
  - perl
  - PostgreSQL
  - python
  - QL Office
  - Quartz Composer Framework
  - Quick Look
  - QuickTime 7
  - SceneKit
  - Security
  - SMBClient
  - Speech UI
  - sudo
  - tcpdump
  - Text Formats
  - udf 

Note that successful exploitation of the most serious issues can result in arbitrary code execution.

New httpd packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues.

- core: fix bypassing of mod_headers rules via chunked     requests (CVE-2013-5704)

    - mod_cache: fix NULL pointer dereference on empty       Content-Type (CVE-2014-3581)

    - mod_proxy_fcgi: fix a potential crash with long       headers (CVE-2014-3583)

    - mod_lua: fix handling of the Require line when a       LuaAuthzProvider is used in multiple Require       directives with different arguments (CVE-2014-8109)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Martin Holst Swende discovered that the mod_headers module allowed HTTP trailers to replace HTTP headers during request processing. A remote attacker could possibly use this issue to bypass RequestHeaders directives. (CVE-2013-5704)

Mark Montague discovered that the mod_cache module incorrectly handled empty HTTP Content-Type headers. A remote attacker could use this issue to cause the server to stop responding, leading to a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 14.10.
(CVE-2014-3581)

Teguh P. Alko discovered that the mod_proxy_fcgi module incorrectly handled long response headers. A remote attacker could use this issue to cause the server to stop responding, leading to a denial of service. This issue only affected Ubuntu 14.10. (CVE-2014-3583)

It was discovered that the mod_lua module incorrectly handled different arguments within different contexts. A remote attacker could possibly use this issue to bypass intended access restrictions. This issue only affected Ubuntu 14.10. (CVE-2014-8109)

Guido Vranken discovered that the mod_lua module incorrectly handled a specially crafted websocket PING in certain circumstances. A remote attacker could possibly use this issue to cause the server to stop responding, leading to a denial of service. This issue only affected Ubuntu 14.10. (CVE-2015-0228).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of Apache HTTP Server 2.4 installed on the remote host is 2.4.10 and is, therefore, affected by a denial of service. Specifically, the 'mod_proxy_fcgi' module allows a remote FastCGI server to cause a buffer overflow and crash the HTTP daemon.  This is caused by a flaw in the way that Apache HTTP Server handles long response headers.  An attacker, exploiting this flaw, would be able to cause a denial of service on the Apache HTTP Server.

mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory. (CVE-2014-8109)

A flaw was found in the way httpd handled HTTP Trailer headers when processing requests using chunked encoding. A malicious client could use Trailer headers to set additional HTTP headers after header processing was performed by other modules. This could, for example, lead to a bypass of header restrictions defined with mod_headers.
(CVE-2013-5704)

A NULL pointer dereference flaw was found in the way the mod_cache httpd module handled Content-Type headers. A malicious HTTP server could cause the httpd child process to crash when the Apache HTTP server was configured to proxy to a server with caching enabled.
(CVE-2014-3581)

The handle_headers function in mod_proxy_fcgi.c in the mod_proxy_fcgi module in the Apache HTTP Server 2.4.10 allows remote FastCGI servers to cause a denial of service (buffer over-read and daemon crash) via long response headers. (CVE-2014-3583)

According to its banner, the version of Apache 2.4.x running on the remote host is prior to 2.4.12. It is, therefore, affected by the following vulnerabilities :

  - A flaw exists in module mod_headers that can allow HTTP     trailers to replace HTTP headers late during request     processing, which a remote attacker can exploit to     inject arbitrary headers. This can also cause some     modules to function incorrectly or appear to function     incorrectly. (CVE-2013-5704)

  - A NULL pointer dereference flaw exists in module     mod_cache. A remote attacker, using an empty HTTP     Content-Type header, can exploit this vulnerability to     crash a caching forward proxy configuration, resulting     in a denial of service if using a threaded MPM.
    (CVE-2014-3581)

  - A out-of-bounds memory read flaw exists in module     mod_proxy_fcgi. An attacker, using a remote FastCGI     server to send long response headers, can exploit this     vulnerability to cause a denial of service by causing     a buffer over-read. (CVE-2014-3583)

  - A flaw exists in module mod_lua when handling a     LuaAuthzProvider used in multiple Require directives     with different arguments. An attacker can exploit this     vulnerability to bypass intended access restrictions.
    (CVE-2014-8109)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Apache HTTP SERVER PROJECT reports : mod_proxy_fcgi: Fix a potential crash due to buffer over-read, with response headers' size above 8K.

mod_cache: Avoid a crash when Content-Type has an empty value. PR 56924.

mod_lua: Fix handling of the Require line when a LuaAuthzProvider is used in multiple Require directives with different arguments. PR57204.

core: HTTP trailers could be used to replace HTTP headers late during request processing, potentially undoing or otherwise confusing modules that examined or modified request headers earlier. Adds 'MergeTrailers' directive to restore legacy behavior.

ID	Name	Product	Family	Severity
98907	Apache 2.4.x < 2.4.12 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	high
96516	GLSA-201701-36 : Apache: Multiple vulnerabilities (httpoxy)	Nessus	Gentoo Local Security Checks	high
8981	Mac OS X < 10.10.5 Multiple Vulnerabilities	Nessus Network Monitor	Operating System Detection	high
86242	RHEL 6 : mod_proxy_fcgi (RHSA-2015:1855)	Nessus	Red Hat Local Security Checks	medium
86066	Mac OS X : OS X Server < 5.0.3 Multiple Vulnerabilities	Nessus	MacOS X Local Security Checks	critical
85409	Mac OS X Multiple Vulnerabilities (Security Update 2015-006)	Nessus	MacOS X Local Security Checks	high
85408	Mac OS X 10.10.x < 10.10.5 Multiple Vulnerabilities	Nessus	MacOS X Local Security Checks	high
82916	Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : httpd (SSA:2015-111-03)	Nessus	Slackware Local Security Checks	medium
81837	Fedora 21 : httpd-2.4.10-15.fc21 (2014-17195)	Nessus	Fedora Local Security Checks	medium
81755	Ubuntu 14.04 LTS : Apache HTTP Server vulnerabilities (USN-2523-1)	Nessus	Ubuntu Local Security Checks	high
81581	Fedora 20 : httpd-2.4.10-2.fc20 (2014-17153)	Nessus	Fedora Local Security Checks	medium
8938	Apache HTTP Server 2.4.10 FastCGI DoS	Nessus Network Monitor	Web Servers	medium
81329	Amazon Linux AMI : httpd24 (ALAS-2015-483)	Nessus	Amazon Linux Local Security Checks	medium
81126	Apache 2.4.x < 2.4.12 Multiple Vulnerabilities	Nessus	Web Servers	medium
81116	FreeBSD : apache24 -- several vulnerabilities (5804b9d4-a959-11e4-9363-20cf30e32f6d)	Nessus	FreeBSD Local Security Checks	medium

Detections

Analytics

CVE-2014-3583

high

Tenable Plugins

high

high

high

medium

critical

high

high

medium

medium

high

medium

medium

medium

medium

medium