The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Apache httpd: buffer overflow via ap_pregsub

Synthesis of the vulnerability 

An attacker can create an overflow in the ap_pregsub() function, in order to create a denial of service, or to execute code.
Impacted products: Apache httpd, Debian, BIG-IP Hardware, TMOS, Fedora, OpenView NNM, HP-UX, Mandriva Linux, openSUSE, Solaris, Trusted Solaris, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES.
Severity of this bulletin: 2/4.
Number of vulnerabilities in this bulletin: 2.
Creation date: 02/11/2011.
References of this threat: BID-50494, BID-50639, c03231301, c03278391, CERTA-2012-AVI-225, CVE-2011-3607, CVE-2011-4415, DSA-2405-1, FEDORA-2012-1598, FEDORA-2012-1642, HPSBMU02748, HPSBUX02761, MDVSA-2012:003, openSUSE-SU-2012:0212-1, openSUSE-SU-2012:0248-1, RHSA-2012:0128-01, RHSA-2012:0323-01, RHSA-2012:0542-01, RHSA-2012:0543-01, SOL16907, SSA:2012-041-01, SSRT100772, SSRT100823, SUSE-SU-2011:1309-1, SUSE-SU-2011:1322-1, VIGILANCE-VUL-11121.

Description of the vulnerability 

The ap_pregsub() function of file server/util.c is used to build a substituted string from the fragments of an input string matched by a regular expression.

However, this function does not check whether the computed size of the substituted string overflows. Data are therefore copied into a memory area that is too small.

This function is not directly reachable via a GET query. However, the mod_env module provides the SetEnvIf directive, which calls ap_pregsub(). In order to set up the attack, the attacker has to place malicious SetEnvIf directives in a .htaccess file.

An attacker can therefore create an overflow in the ap_pregsub() function, in order to create a denial of service, or to execute code.
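As an added illustration of the missing size check described above (example code written for this page, not httpd's own ap_pregsub()): the length of the substituted string is accumulated from literal bytes and captured-group lengths, and each addition is checked for wrap-around before a buffer is sized from it. The group offsets, the sample subject and the oversized capture are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative model of "$N" back-reference expansion (not httpd's source). */
struct group { size_t start, end; };   /* [start, end) offsets into the subject */

/* Length of the expanded pattern. A plain "len += add" can wrap to a small value,
 * so the buffer sized from it is too short for the copy that follows.
 * Returns 0 and sets *out, or -1 on overflow or an invalid group reference. */
int subst_len_checked(const char *pat, const struct group *g, size_t ng, size_t *out)
{
    size_t len = 0, add, n;
    for (; *pat; pat++) {
        add = 1;                                 /* one literal byte */
        if (pat[0] == '$' && pat[1] >= '0' && pat[1] <= '9') {
            n = (size_t)(pat[1] - '0');
            if (n >= ng || g[n].end < g[n].start) return -1;
            add = g[n].end - g[n].start;         /* captured text length */
            pat++;
        }
        if (add > SIZE_MAX - 1 - len) return -1; /* the missing check; keeps room for NUL */
        len += add;
    }
    *out = len;
    return 0;
}

/* Expand pat into a freshly allocated string, or NULL if the length check fails. */
char *subst_checked(const char *pat, const char *subj, const struct group *g, size_t ng)
{
    size_t len, i = 0;
    if (subst_len_checked(pat, g, ng, &len) != 0) return NULL;
    char *res = malloc(len + 1);
    if (res == NULL) return NULL;
    for (; *pat; pat++) {
        if (pat[0] == '$' && pat[1] >= '0' && pat[1] <= '9') {
            const struct group *c = &g[pat[1] - '0']; /* validated by the check above */
            memcpy(res + i, subj + c->start, c->end - c->start);
            i += c->end - c->start;
            pat++;
        } else res[i++] = *pat;
    }
    res[i] = '\0';
    return res;
}

/* Constructed sample: $0 = "hello world", $1 = "hello", $2 = "world"; and a
 * simulated capture so large that two references wrap an unchecked sum to 0. */
static const struct group demo_groups[3] = { {0, 11}, {0, 5}, {6, 11} };
static const struct group huge_groups[2] = { {0, 0}, {0, SIZE_MAX / 2 + 1} };
size_t scratch_len;   /* out-parameter for callers that only want the status */
```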
Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

This vulnerability note concerns software or systems such as Apache httpd, Debian, BIG-IP Hardware, TMOS, Fedora, OpenView NNM, HP-UX, Mandriva Linux, openSUSE, Solaris, Trusted Solaris, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES.

Our Vigil@nce team determined that the severity of this security bulletin is medium.

The trust level is: confirmed by the editor. The attack origin is: user account.

This bulletin is about 2 vulnerabilities.

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with technician-level skills can exploit this vulnerability.

Solutions for this threat 

Apache httpd: version 2.2.22.
The version 2.2.22 is corrected:
  http://httpd.apache.org/download.cgi

Apache HTTP Server: version 2.0.65.
The version 2.0.65 is fixed:
  http://httpd.apache.org/download.cgi#apache20

Apache httpd: workaround for ap_pregsub.
A workaround is to:
 - disable the mod_env module, which is an attack vector
 - forbid users from creating .htaccess files
 - use AllowOverride None

Debian: new apache2 packages.
New packages are available:
  apache2 2.2.9-10+lenny12
  apache2 2.2.16-6+squeeze6

F5 BIG-IP: fixed versions for Apache HTTPD.
Fixed versions are indicated in information sources.

Fedora: new httpd packages.
New packages are available:
  httpd-2.2.22-1.fc15
  httpd-2.2.22-1.fc16

HP OV NNM: hotfix SSRT100772.
Hotfix SSRT100772 is available.

HP-UX: Apache Web Server versions 2.35 and 3.23.
Versions 2.35 and 3.23 are corrected:
  HP-UX B.11.11:
    https://h20392.www2.hp.com/portal/swdepot/try.do?productNumber=HPUXWSATW235
    revision B.2.0.64.03
  HP-UX B.11.23, B.11.31:
    https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXWSATW323
    revision B.2.2.15.12

Mandriva: new apache packages.
New packages are available:
  apache-2.2.15-3.6mdv2010.2
  apache-2.2.21-0.4-mdv2011.0
  apache-2.2.9-12.15mdvmes5.2

openSUSE: new apache2 packages.
New packages are available:
  openSUSE 11.3 : apache2-2.2.15-4.9.1
  openSUSE 11.4 : apache2-2.2.17-4.11.1

RHEL 5: new httpd packages.
New packages are available:
  httpd-2.2.3-63.el5_8.1

RHEL 6.2: new httpd packages.
New packages are available:
  httpd-2.2.15-15.el6_2.1

RHEL: new JBoss Enterprise Web Server packages.
New packages are available:
  httpd-2.2.17-15.4.ep5.el5
  httpd-2.2.17-15.4.ep5.el6
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver&downloadType=securityPatches&version=1.0.2

Slackware: new httpd packages.
New packages are available:
  httpd-2.2.22-i486-1_slack12.0
  httpd-2.2.22-i486-1_slack12.1
  httpd-2.2.22-i486-1_slack13.0
  httpd-2.2.22-i486-1_slack13.1
  httpd-2.2.22-i486-1_slack13.37

Solaris 10: patch for Apache HTTP Server 2.
A patch is available:
  Solaris 10:
    SPARC: 120543-28
    X86: 120544-28

Solaris 11: patch 11/11 SRU 6.6.
A patch is available:
  11/11 SRU 6.6:
  https://support.oracle.com/CSP/main/article?type=NOT&id=1448432.1

Solaris 8, 9, 10: patch for Apache HTTP Server.
A patch is available:
  Solaris 8:
    SPARC: 116973-10
    X86: 116974-10
  Solaris 9:
    SPARC: 113146-16
    X86: 114145-15
  Solaris 10:
    SPARC: 122911-32
    X86: 122912-32

SUSE LE 10 SP4: new apache2 packages.
New packages are available:
  apache2-2.2.3-16.42.2

SUSE LE 11: new apache2 packages.
New packages are available:
  apache2-2.2.12-1.28.1

Computer vulnerabilities tracking service 

Vigil@nce provides a software vulnerabilities alert. The Vigil@nce computer vulnerability tracking service alerts your teams of vulnerabilities or threats impacting your information system.