Update for Apache 2.2 web server closes various security holes
Version 2.2.15 of the Apache Software Foundation's HTTP server fixes numerous bugs and closes three security holes. The new version also allows users to re-enable insecure TLS renegotiation for clients that do not yet support the new "Renegotiation Indication Extension" (RFC 5746).
The IETF has extended the TLS protocol (RFC 5246) to include the renegotiation_info TLS extension. This extension stores a connection's crypto information, which allows client requests made before a TLS renegotiation to be authenticated and conclusively matched with their respective counterparts after the renegotiation. Already implemented in version 0.9.8m of OpenSSL, which was released at the end of February, the TLS Renegotiation Indication Extension prevents attackers from injecting arbitrary packets into secure SSL connections and, for instance, compromising web applications. Previous solutions involved completely disabling TLS renegotiation. Reactivating insecure renegotiation via SSLInsecureRenegotiation does require the Apache web server to be compiled against OpenSSL 0.9.8m.
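An added example, not part of the original report or of Apache's own code: a small Python audit that lists every scope in a configuration where SSLInsecureRenegotiation ends up enabled. The sample configuration and host names are constructed, the function names are hypothetical, and the script assumes a virtual host without its own setting inherits the server-wide one; Include files are not followed.

```python
import re

# Constructed sample configuration for this example; not taken from the article.
SAMPLE_CONF = """\
# SSLInsecureRenegotiation on    <- commented out, must be ignored
<VirtualHost *:443>
    ServerName legacy.example.test
    SSLInsecureRenegotiation On
</VirtualHost>
<VirtualHost *:443>
    ServerName shop.example.test
</VirtualHost>
<VirtualHost *:8443>
    sslinsecurerenegotiation "off"
    ServerName admin.example.test
</VirtualHost>
"""

# Directive names are case-insensitive; comment lines start with '#' and never match.
LINE = re.compile(
    r'^\s*(</?VirtualHost|ServerName|SSLInsecureRenegotiation)\b\s*"?([^">]*)', re.I)

def parse_scopes(conf_text):
    """Collect the directive's value and line number for global scope and each vhost."""
    glob = {"name": "global", "value": None, "line": None}
    scopes, current = [glob], glob
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        m = LINE.match(raw)
        if not m:
            continue
        key, arg = m.group(1).lower(), m.group(2).strip()
        if key == "<virtualhost":
            current = {"name": arg, "value": None, "line": None}
            scopes.append(current)
        elif key == "</virtualhost":
            current = glob
        elif key == "servername":
            if current is not glob:
                current["name"] = arg      # label the vhost by its ServerName
        else:
            current["value"], current["line"] = arg.lower(), lineno
    return scopes

def insecure_scopes(conf_text):
    """Return (scope, line) pairs where insecure renegotiation is effectively on.
    line is None when the value is inherited from the global scope (assumption)."""
    scopes = parse_scopes(conf_text)
    inherited = scopes[0]["value"] or "off"    # the directive defaults to off
    return [(s["name"], s["line"]) for s in scopes
            if (s["value"] or inherited) == "on"]
```

Each reported scope is a place where clients without RFC 5746 support can still renegotiate in the old, injectable way, so the list doubles as an inventory of exceptions to remove once those clients are updated.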
The security holes are caused by problems with the mod_proxy_ajp module and the Multi-Processing Module (MPM) that allow specially crafted packets to briefly disrupt the server, or allow client requests to be processed by the wrong thread.
A critical hole in the mod_isapi module for the Windows version of Apache deserves particular attention. The Internet Server API (ISAPI) is one of Microsoft's programming interfaces, and the module enables the Apache web server to load, for example, IIS applications. According to the relevant advisory, specially crafted server requests can cause a module to be unloaded from memory before a request is completed. This may lead to dangling pointers being left in memory that can be exploited to remotely start a previously injected program at system privilege level.
Security firm Sense of Security has released an exploit which creates a sos.txt file under Windows; furthermore, a video (MP4) demonstrates how the flaw can be exploited to bind a shell to TCP port 4444. Administrators should install the new version of Apache as soon as possible.
- Apache 2.2.14 mod_isapi Dangling Pointer, advisory from Sense of Security.
- Solution for SSL/TLS design weakness in sight, a report from The H.
- Password theft via vulnerability in SSL/TLS protocol, a report from The H.
- Vulnerability in SSL/TLS protocol, a report from The H.