Apache 2.4.18 / 2.4.20 X.509 Certificate Authentication Bypass

High | Nessus Plugin ID 92320

Synopsis

The remote web server is affected by an authentication bypass vulnerability.

Description

According to its banner, the version of Apache running on the remote host is either 2.4.18 or 2.4.20. Additionally, HTTP/2 is enabled over TLS or SSL. It is, therefore, affected by an authentication bypass vulnerability in the experimental HTTP/2 module (mod_http2): X.509 client certificates are not correctly validated on HTTP/2 connections, allowing access to resources that would otherwise be denied. An unauthenticated, remote attacker can exploit this to disclose potentially sensitive information.

Solution

Upgrade to Apache version 2.4.23 or later. Alternatively, as a temporary workaround, disable HTTP/2 by removing 'h2' and 'h2c' from the Protocols line(s) in the configuration file.
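The two conditions the description combines (an affected banner version, and HTTP/2 over TLS enabled) and the workaround above can be checked offline against a configuration file. The script below is an added example written for this page; it is not the Nessus plugin's NASL code nor anything from the httpd project. The banner, the httpd.conf fragment, and the function names (apache_version, http2_protocols, disable_http2, assess) are constructed for illustration; the SSLVerifyClient directive in the sample is the real Apache directive that gates a location on a client certificate, which is the kind of resource the bypass exposes.

```python
import re

# Versions the advisory names. 2.4.19 was never released, so checking these
# two exact versions is equivalent to checking the 2.4.18..2.4.20 range.
AFFECTED_VERSIONS = {(2, 4, 18), (2, 4, 20)}
FIXED_VERSION = (2, 4, 23)
HTTP2_TOKENS = {"h2", "h2c"}

# Constructed sample banner and httpd.conf fragment (not from any real host).
SAMPLE_BANNER = "Apache/2.4.18 (Ubuntu)"
SAMPLE_CONF = """\
Listen 443
Protocols h2 http/1.1
<VirtualHost *:443>
    SSLEngine on
    # Client-certificate gated area: the resource the bypass would expose
    <Location /admin>
        SSLVerifyClient require
    </Location>
</VirtualHost>
"""

# Requires whitespace after "Protocols" so ProtocolsHonorOrder does not match.
_PROTOCOLS_RE = re.compile(r"^(\s*)Protocols(\s+)(.*?)\s*$", re.IGNORECASE)


def apache_version(server_header):
    """Extract (major, minor, patch) from a Server header, or None if the
    banner does not expose an Apache version."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", server_header)
    return tuple(int(g) for g in m.groups()) if m else None


def http2_protocols(conf_text):
    """Return the set of HTTP/2 tokens ('h2', 'h2c') enabled on any
    non-comment Protocols line. Apache comments are whole lines only."""
    found = set()
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _PROTOCOLS_RE.match(line)
        if m:
            found |= {t.lower() for t in m.group(3).split()} & HTTP2_TOKENS
    return found


def disable_http2(conf_text):
    """Apply the advisory's workaround: drop h2 and h2c from every Protocols
    line, keeping indentation. A line left empty is rewritten as http/1.1,
    which is what Apache serves when Protocols is unset."""
    out = []
    for line in conf_text.splitlines():
        m = _PROTOCOLS_RE.match(line)
        if m and not line.lstrip().startswith("#"):
            kept = [t for t in m.group(3).split() if t.lower() not in HTTP2_TOKENS]
            line = f"{m.group(1)}Protocols{m.group(2)}{' '.join(kept) or 'http/1.1'}"
        out.append(line)
    return "\n".join(out) + "\n"


def assess(server_header, conf_text):
    """Combine the two conditions the plugin description states: an affected
    version AND HTTP/2 over TLS (the 'h2' token) enabled."""
    version = apache_version(server_header)
    protocols = http2_protocols(conf_text)
    return {
        "version": version,
        "version_affected": version in AFFECTED_VERSIONS,
        "http2_protocols": protocols,
        # h2c is cleartext HTTP/2 and carries no client certificate, so only
        # 'h2' makes the bypass reachable; the workaround still removes both.
        "vulnerable": version in AFFECTED_VERSIONS and "h2" in protocols,
        "needs_upgrade": version is not None and version < FIXED_VERSION,
    }


if __name__ == "__main__":
    print("before workaround:", assess(SAMPLE_BANNER, SAMPLE_CONF))
    patched = disable_http2(SAMPLE_CONF)
    print("after workaround: ", assess(SAMPLE_BANNER, patched))
    print(patched)
```

Two caveats when using this against real hosts: a banner check inherits the plugin's own limitation, since distributions backport the fix without bumping the advertised version, so a 2.4.18 banner can be a patched package (check the package changelog before filing a finding); and the workaround only removes the exposure, so the assessment still reports needs_upgrade until the server is at 2.4.23 or later.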

See Also

https://archive.apache.org/dist/httpd/CHANGES_2.4.23

https://httpd.apache.org/security/vulnerabilities_24.html

https://seclists.org/fulldisclosure/2016/Jul/11

Plugin Details

Severity: High

ID: 92320

File Name: apache_2_4_23.nasl

Version: 1.13

Type: combined

Agent: windows, macosx, unix

Family: Web Servers

Published: 7/15/2016

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

Temporal Vector: E:U/RL:OF/RC:C

CVSS Score Source: CVE-2016-4979

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:apache:http_server

Required KB Items: installed_sw/Apache

Exploit Ease: No known exploits are available

Patch Publication Date: 7/5/2016

Vulnerability Publication Date: 7/5/2016

Reference Information

CVE: CVE-2016-4979

BID: 91566