The Apache HTTP Server 2.4.18 through 2.4.20, when mod_http2 and mod_ssl are enabled, does not properly recognize the "SSLVerifyClient require" directive for HTTP/2 request authorization, which allows remote attackers to bypass intended access restrictions by leveraging the ability to send multiple requests over a single connection and aborting a renegotiation.

The remote MiracleLinux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2016-572:01 advisory.

    The Apache HTTP Server is a powerful, efficient, and extensible     web server.
    Security issues fixed with this release:
    CVE-2016-4979     The Apache HTTP Server 2.4.18 through 2.4.20, when mod_http2 and     mod_ssl are enabled, does not properly recognize the SSLVerifyClient     require directive for HTTP/2 request authorization, which allows     remote attackers to bypass intended access restrictions by leveraging     the ability to send multiple requests over a single connection and     aborting a renegotiation.
    CVE-2016-5387
    ** RESERVED **     This candidate has been reserved by an organization or individual that     will use it when announcing a new security problem.  When the     candidate has been publicized, the details for this candidate will be     provided.

Tenable has extracted the preceding description block directly from the MiracleLinux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote MiracleLinux 4 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2016-567:01 advisory.

    The Apache HTTP Server is a powerful, efficient, and extensible     web server.
    Security issues fixed with this release:
    CVE-2016-4979     The Apache HTTP Server 2.4.18 through 2.4.20, when mod_http2 and     mod_ssl are enabled, does not properly recognize the SSLVerifyClient     require directive for HTTP/2 request authorization, which allows     remote attackers to bypass intended access restrictions by leveraging     the ability to send multiple requests over a single connection and     aborting a renegotiation.
    CVE-2016-5387
    ** RESERVED **     This candidate has been reserved by an organization or individual that     will use it when announcing a new security problem.  When the     candidate has been publicized, the details for this candidate will be     provided.

Tenable has extracted the preceding description block directly from the MiracleLinux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its banner, the version of Apache running on the remote host is either 2.4.18 or 2.4.20. Additionally, HTTP/2 is enabled over TLS or SSL. It is, therefore, affected by the an authentication bypass vulnerability in the experimental module for the HTTP/2 protocol due to a failure to correctly validate X.509 certificates, allowing access to resources that otherwise would not be allowed. An unauthenticated, remote attacker can exploit this to disclose potentially sensitive information.

The remote host is affected by the vulnerability described in GLSA-201610-02 (Apache: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Apache HTTP Server.
      Please review the CVE identifiers referenced below for details.
  Impact :

    Remote attackers could bypass intended access restrictions, conduct HTTP       request smuggling attacks, or cause a Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

Security fix for CVE-2016-4979

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of Apache HTTP Server 2.4 installed on the remote host is prior to 2.4.23. It is, therefore, affected by the following vulnerabilities : 

 - A flaw exists within the 'read_request_line()' function located in 'server/protocol.c'. The issue is triggered when handling invalid 'CONNECT' requests with a custom status 'code 400 error' page using server side includes. With a specially crafted request, a remote attacker can cause a crash.
 - A flaw can be triggered when a stream's flow control windows are manipulated. This may allow an authenticated remote attacker to block server threads for an extended period of time, allowing them to exhaust worker threads and prevent the processing of streams. (CVE-2016-1546) - A flaw is triggered when an experimental module for the 'HTTP/2' protocol is used to access a resource. This may result in X.509 certificates not being properly validated, allowing an unauthorized user to disclose potentially sensitive information in resources that should require valid certificates. (CVE-2016-4979)

Apache Software Foundation reports :

The Apache HTTPD web server (from 2.4.18-2.4.20) did not validate a X509 client certificate correctly when experimental module for the HTTP/2 protocol is used to access a resource.

The net result is that a resource that should require a valid client certificate in order to get access can be accessed without that credential.

ID	Name	Product	Family	Severity
289757	MiracleLinux 7 : httpd24-httpd-2.4.18-11.el7 (AXSA:2016-572:01)	Nessus	Miracle Linux Local Security Checks	high
289476	MiracleLinux 4 : httpd24-httpd-2.4.18-11.AXS4 (AXSA:2016-567:01)	Nessus	Miracle Linux Local Security Checks	high
98909	Apache 2.4.18 / 2.4.20 X.509 Certificate Authentication Bypass	Web App Scanning	Component Vulnerability	high
93903	GLSA-201610-02 : Apache: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
92334	Fedora 23 : httpd (2016-e256a03791)	Nessus	Fedora Local Security Checks	high
9394	Apache HTTP Server 2.4.x < 2.4.23 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	medium
92320	Apache 2.4.18 / 2.4.20 X.509 Certificate Authentication Bypass	Nessus	Web Servers	high
92289	Fedora 24 : httpd (2016-c7288a5b36)	Nessus	Fedora Local Security Checks	high
91949	FreeBSD : apache24 -- X509 Client certificate based authentication can be bypassed when HTTP/2 is used (e9d1e040-42c9-11e6-9608-20cf30e32f6d)	Nessus	FreeBSD Local Security Checks	high

Detections

Analytics

CVE-2016-4979

high

Tenable Plugins

high

high

high

high

high

medium

high

high

high