Vulnerability of Apache httpd: denial of service via scoreboard

Summary of the vulnerability

An attacker who runs code in an Apache httpd child process can change a value in the scoreboard to force the parent process, which runs as root, to free an invalid memory area when the service stops. This may lead to code execution with root privileges.
Vulnerable systems: Apache httpd, Debian, BIG-IP Hardware, TMOS, Fedora, OpenView NNM, HP-UX, Mandriva Linux, openSUSE, Solaris, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES.
Severity of this threat: 1/4.
Creation date: 16/01/2012.
References for this weakness: BID-51407, c03231301, c03278391, CERTA-2012-AVI-026, CERTA-2012-AVI-225, CVE-2012-0031, DSA-2405-1, FEDORA-2012-1598, FEDORA-2012-1642, HPSBMU02748, HPSBUX02761, MDVSA-2012:012, openSUSE-SU-2012:0314-1, RHSA-2012:0128-01, RHSA-2012:0323-01, RHSA-2012:0542-01, RHSA-2012:0543-01, SOL15889, SSA:2012-041-01, SSRT100772, SSRT100823, SUSE-SU-2012:0284-1, SUSE-SU-2012:0323-1, VIGILANCE-VUL-11282.

Description of the vulnerability 

The Apache httpd service is composed of:
 - a parent process, which runs with root privileges
 - child processes, which handle HTTP requests and run with www-data rights by default

The "scoreboard" is an information area shared between processes. The "sb_type" field of the scoreboard records the allocation mode (SB_NOT_SHARED for malloc, SB_SHARED for mmap), which depends on the MPM (Multi-Processing Module).

When the parent process stops (when the service stops), it frees the memory area used by the scoreboard, if the sb_type value is not SB_SHARED.

An attacker who runs code in an Apache httpd child process can therefore change a value in the scoreboard to force the parent process, which runs as root, to call free() on a memory area allocated via mmap() when the service stops. This may lead to code execution with root privileges.

Note that to exploit this vulnerability, the attacker has to execute code in a child process and has to wait for the administrator to stop or restart the service. Moreover, the standard glibc detects the memory corruption and blocks the attack.
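
The following simplified C model is an added illustration, not Apache httpd source and not part of the original bulletin. It contrasts a cleanup that trusts the sb_type stored in the shared region with one that keeps a parent-private record of the allocator. Only sb_type, SB_SHARED and SB_NOT_SHARED come from the description; all structures and functions are hypothetical.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>
/* Simplified model. sb_type, SB_SHARED and SB_NOT_SHARED are the bulletin's
 * names; every struct and function here is hypothetical, not httpd source. */
typedef enum { SB_NOT_SHARED = 1, SB_SHARED = 2 } sb_type_e;
typedef enum { REL_FREE, REL_MUNMAP } release_e;
/* Lives in the region the children can write, so sb_type is untrusted. */
typedef struct { sb_type_e sb_type; int slots[16]; } scoreboard_t;
/* Parent-private state; alloc records how sb was really allocated. */
typedef struct { scoreboard_t *sb; size_t len; sb_type_e alloc; } parent_ctx_t;
/* Allocate the scoreboard and record the mode in both places. */
int sb_create(parent_ctx_t *p, sb_type_e mode) {
    p->len = sizeof(scoreboard_t);
    if (mode == SB_SHARED) {
        int fd = open("/dev/zero", O_RDWR);   /* shared zero-filled mapping */
        if (fd < 0) return -1;
        p->sb = mmap(NULL, p->len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
        close(fd);
        if (p->sb == MAP_FAILED) return -1;
    } else if ((p->sb = malloc(p->len)) == NULL) return -1;
    p->sb->sb_type = p->alloc = mode;
    return 0;
}
/* Weak: release method chosen from a field the children can overwrite. */
release_e pick_release_weak(const parent_ctx_t *p) {
    return p->sb->sb_type == SB_SHARED ? REL_MUNMAP : REL_FREE;
}
/* Hardened: release method chosen from parent-private state only. */
release_e pick_release_hardened(const parent_ctx_t *p) {
    return p->alloc == SB_SHARED ? REL_MUNMAP : REL_FREE;
}
/* Cleanup whose release call always matches the allocator really used. */
int sb_destroy(parent_ctx_t *p) {
    int rc = 0;
    if (pick_release_hardened(p) == REL_MUNMAP) rc = munmap(p->sb, p->len);
    else free(p->sb);
    p->sb = NULL;
    return rc;
}
int main(void) {
    parent_ctx_t p;
    if (sb_create(&p, SB_SHARED) != 0) return 1;
    p.sb->sb_type = SB_NOT_SHARED;   /* constructed: stands in for a child's write */
    printf("weak=%d hardened=%d\n", (int)pick_release_weak(&p), (int)pick_release_hardened(&p));
    return sb_destroy(&p);
}
```

After the shared field is modified, the weak selector would pair free() with an mmap() region, while the hardened selector is unaffected because its input never leaves the parent's address space.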

This security alert impacts software or systems such as Apache httpd, Debian, BIG-IP Hardware, TMOS, Fedora, OpenView NNM, HP-UX, Mandriva Linux, openSUSE, Solaris, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES.

Our Vigil@nce team determined that the severity of this security weakness is low.

The trust level is "confirmed by the editor", and the origin of the attack is "user account".

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with technician-level ability can exploit this vulnerability.

Solutions for this threat

Apache httpd: version 2.2.22.
Version 2.2.22 is corrected:
  http://httpd.apache.org/download.cgi

Apache HTTP Server: version 2.0.65.
Version 2.0.65 is fixed:
  http://httpd.apache.org/download.cgi#apache20

Apache httpd: patch for scoreboard.
A patch is available in information sources.

Debian: new apache2 packages.
New packages are available:
  apache2 2.2.9-10+lenny12
  apache2 2.2.16-6+squeeze6

F5 BIG-IP: solution for Apache.
The solution is indicated in information sources.

Fedora: new httpd packages.
New packages are available:
  httpd-2.2.22-1.fc15
  httpd-2.2.22-1.fc16

HP OV NNM: hotfix SSRT100772.
Hotfix SSRT100772 is available.

HP-UX: Apache Web Server versions 2.35 and 3.23.
Versions 2.35 and 3.23 are corrected:
  HP-UX B.11.11:
    https://h20392.www2.hp.com/portal/swdepot/try.do?productNumber=HPUXWSATW235
    revision B.2.0.64.03
  HP-UX B.11.23, B.11.31:
    https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXWSATW323
    revision B.2.2.15.12

Mandriva: new apache packages.
New packages are available:
  apache-2.2.22-0.1mdv2010.2
  apache-2.2.22-0.1-mdv2011.0
  apache-2.2.22-0.1mdvmes5.2

RHEL 5: new httpd packages.
New packages are available:
  httpd-2.2.3-63.el5_8.1

RHEL 6.2: new httpd packages.
New packages are available:
  httpd-2.2.15-15.el6_2.1

RHEL: new JBoss Enterprise Web Server packages.
New packages are available:
  httpd-2.2.17-15.4.ep5.el5
  httpd-2.2.17-15.4.ep5.el6
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver&downloadType=securityPatches&version=1.0.2

Slackware: new httpd packages.
New packages are available:
  httpd-2.2.22-i486-1_slack12.0
  httpd-2.2.22-i486-1_slack12.1
  httpd-2.2.22-i486-1_slack13.0
  httpd-2.2.22-i486-1_slack13.1
  httpd-2.2.22-i486-1_slack13.37

Solaris 10: patch for Apache HTTP Server 2.
A patch is available:
  Solaris 10:
    SPARC: 120543-28
    X86: 120544-28

Solaris 11: patch 11/11 SRU 6.6.
A patch is available:
  11/11 SRU 6.6:
  https://support.oracle.com/CSP/main/article?type=NOT&id=1448432.1

SUSE: new apache2 packages.
New packages are available:
  openSUSE 11.4: apache2-2.2.17-4.13.1
  SUSE LE 10: apache2-2.2.3-16.44.1
  SUSE LE 11: apache2-2.2.12-1.30.1