Amazon Linux AMI update for httpd24



Published: 2017-08-03
Risk Medium
Patch available YES
Number of vulnerabilities 6
CVE-ID CVE-2017-7668
CVE-2016-8743
CVE-2017-3167
CVE-2017-7679
CVE-2017-7659
CVE-2017-3169
CWE-ID CWE-125
CWE-20
CWE-592
CWE-476
Exploitation vector Network
Public exploit Public exploit code for vulnerability #4 is available.
Public exploit code for vulnerability #6 is available.
Vulnerable software
Subscribe 		Amazon Linux AMI
Operating systems & Components / Operating system

Vendor Amazon Web Services

Security Bulletin

This security bulletin contains information about 6 vulnerabilities.

1) Out-of-bound read

EUVDB-ID: #VU7117

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-7668

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to boundary error when processing token lists within ap_find_token() function. A remote unauthenticated attacker can create a specially crafted sequence of HTTP headers and refer to data past the end of the search string. 

Successful exploitation of this vulnerability results segmentation fault and web server crash.

Mitigation

Update the affected packages.

i686:
    mod24_session-2.4.27-3.71.amzn1.i686
    mod24_proxy_html-2.4.27-3.71.amzn1.i686
    httpd24-devel-2.4.27-3.71.amzn1.i686
    httpd24-2.4.27-3.71.amzn1.i686
    httpd24-tools-2.4.27-3.71.amzn1.i686
    httpd24-debuginfo-2.4.27-3.71.amzn1.i686
    mod24_ssl-2.4.27-3.71.amzn1.i686
    mod24_ldap-2.4.27-3.71.amzn1.i686

noarch:
    httpd24-manual-2.4.27-3.71.amzn1.noarch

src:
    httpd24-2.4.27-3.71.amzn1.src

x86_64:
    mod24_ldap-2.4.27-3.71.amzn1.x86_64
    httpd24-tools-2.4.27-3.71.amzn1.x86_64
    mod24_proxy_html-2.4.27-3.71.amzn1.x86_64
    httpd24-2.4.27-3.71.amzn1.x86_64
    httpd24-debuginfo-2.4.27-3.71.amzn1.x86_64
    mod24_ssl-2.4.27-3.71.amzn1.x86_64
    mod24_session-2.4.27-3.71.amzn1.x86_64
    httpd24-devel-2.4.27-3.71.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

External links

http://alas.aws.amazon.com/ALAS-2017-863.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Spoofing attack

EUVDB-ID: #VU1961

Risk: Medium

CVSSv3.1: 6.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-8743

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to insufficient sanitization of HTTP request, which contain whitespace characters. A remote attacker can send a specially crafted HTTP request, containing CR, FF, VTAB characters followed by CRLF sequence and inject arbitrary data in server response.

Successful exploitation of this vulnerability may result in content spoofing, web cache poisoning and XSS attacks.

Mitigation

Update the affected packages.

i686:
    mod24_session-2.4.27-3.71.amzn1.i686
    mod24_proxy_html-2.4.27-3.71.amzn1.i686
    httpd24-devel-2.4.27-3.71.amzn1.i686
    httpd24-2.4.27-3.71.amzn1.i686
    httpd24-tools-2.4.27-3.71.amzn1.i686
    httpd24-debuginfo-2.4.27-3.71.amzn1.i686
    mod24_ssl-2.4.27-3.71.amzn1.i686
    mod24_ldap-2.4.27-3.71.amzn1.i686

noarch:
    httpd24-manual-2.4.27-3.71.amzn1.noarch

src:
    httpd24-2.4.27-3.71.amzn1.src

x86_64:
    mod24_ldap-2.4.27-3.71.amzn1.x86_64
    httpd24-tools-2.4.27-3.71.amzn1.x86_64
    mod24_proxy_html-2.4.27-3.71.amzn1.x86_64
    httpd24-2.4.27-3.71.amzn1.x86_64
    httpd24-debuginfo-2.4.27-3.71.amzn1.x86_64
    mod24_ssl-2.4.27-3.71.amzn1.x86_64
    mod24_session-2.4.27-3.71.amzn1.x86_64
    httpd24-devel-2.4.27-3.71.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

External links

http://alas.aws.amazon.com/ALAS-2017-863.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Authentication bypass

EUVDB-ID: #VU7115

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-3167

CWE-ID: CWE-592 - Authentication Bypass Issues

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to usage of the ap_get_basic_auth_pw() function by third-party modules outside of the authentication phase. A remote attacker can create a specially crafted HTTP request to vulnerable web server, bypass authentication requirements and gain unauthorized access to otherwise protected information.

Mitigation

Update the affected packages.

i686:
    mod24_session-2.4.27-3.71.amzn1.i686
    mod24_proxy_html-2.4.27-3.71.amzn1.i686
    httpd24-devel-2.4.27-3.71.amzn1.i686
    httpd24-2.4.27-3.71.amzn1.i686
    httpd24-tools-2.4.27-3.71.amzn1.i686
    httpd24-debuginfo-2.4.27-3.71.amzn1.i686
    mod24_ssl-2.4.27-3.71.amzn1.i686
    mod24_ldap-2.4.27-3.71.amzn1.i686

noarch:
    httpd24-manual-2.4.27-3.71.amzn1.noarch

src:
    httpd24-2.4.27-3.71.amzn1.src

x86_64:
    mod24_ldap-2.4.27-3.71.amzn1.x86_64
    httpd24-tools-2.4.27-3.71.amzn1.x86_64
    mod24_proxy_html-2.4.27-3.71.amzn1.x86_64
    httpd24-2.4.27-3.71.amzn1.x86_64
    httpd24-debuginfo-2.4.27-3.71.amzn1.x86_64
    mod24_ssl-2.4.27-3.71.amzn1.x86_64
    mod24_session-2.4.27-3.71.amzn1.x86_64
    httpd24-devel-2.4.27-3.71.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

External links

http://alas.aws.amazon.com/ALAS-2017-863.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Out-of-bounds read

EUVDB-ID: #VU7119

Risk: Medium

CVSSv3.1: 5.2 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2017-7679

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The vulnerability exists due to out-of-bounds read within the mod_mime when constructing Content-Type response header. A remote attacker read one byte pas the end of a buffer when sending a malicious Content-Type response header.

Mitigation

Update the affected packages.

i686:
    mod24_session-2.4.27-3.71.amzn1.i686
    mod24_proxy_html-2.4.27-3.71.amzn1.i686
    httpd24-devel-2.4.27-3.71.amzn1.i686
    httpd24-2.4.27-3.71.amzn1.i686
    httpd24-tools-2.4.27-3.71.amzn1.i686
    httpd24-debuginfo-2.4.27-3.71.amzn1.i686
    mod24_ssl-2.4.27-3.71.amzn1.i686
    mod24_ldap-2.4.27-3.71.amzn1.i686

noarch:
    httpd24-manual-2.4.27-3.71.amzn1.noarch

src:
    httpd24-2.4.27-3.71.amzn1.src

x86_64:
    mod24_ldap-2.4.27-3.71.amzn1.x86_64
    httpd24-tools-2.4.27-3.71.amzn1.x86_64
    mod24_proxy_html-2.4.27-3.71.amzn1.x86_64
    httpd24-2.4.27-3.71.amzn1.x86_64
    httpd24-debuginfo-2.4.27-3.71.amzn1.x86_64
    mod24_ssl-2.4.27-3.71.amzn1.x86_64
    mod24_session-2.4.27-3.71.amzn1.x86_64
    httpd24-devel-2.4.27-3.71.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

External links

http://alas.aws.amazon.com/ALAS-2017-863.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

5) NULL pointer dereference

EUVDB-ID: #VU7118

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-7659

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform denial of service attack.

The vulnerability exists due to a NULL pointer dereference error within mod_http2. A remote attacker can send a specially crafted HTTP/2 request and crash the affected process.

Successful exploitation of the vulnerability result in denial of service (DoS) attack.

Mitigation

Update the affected packages.

i686:
    mod24_session-2.4.27-3.71.amzn1.i686
    mod24_proxy_html-2.4.27-3.71.amzn1.i686
    httpd24-devel-2.4.27-3.71.amzn1.i686
    httpd24-2.4.27-3.71.amzn1.i686
    httpd24-tools-2.4.27-3.71.amzn1.i686
    httpd24-debuginfo-2.4.27-3.71.amzn1.i686
    mod24_ssl-2.4.27-3.71.amzn1.i686
    mod24_ldap-2.4.27-3.71.amzn1.i686

noarch:
    httpd24-manual-2.4.27-3.71.amzn1.noarch

src:
    httpd24-2.4.27-3.71.amzn1.src

x86_64:
    mod24_ldap-2.4.27-3.71.amzn1.x86_64
    httpd24-tools-2.4.27-3.71.amzn1.x86_64
    mod24_proxy_html-2.4.27-3.71.amzn1.x86_64
    httpd24-2.4.27-3.71.amzn1.x86_64
    httpd24-debuginfo-2.4.27-3.71.amzn1.x86_64
    mod24_ssl-2.4.27-3.71.amzn1.x86_64
    mod24_session-2.4.27-3.71.amzn1.x86_64
    httpd24-devel-2.4.27-3.71.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

External links

http://alas.aws.amazon.com/ALAS-2017-863.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) NULL pointer dereference

EUVDB-ID: #VU7116

Risk: Medium

CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2017-3169

CWE-ID: CWE-592 - Authentication Bypass Issues

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to perform denial of service attack.

The vulnerability exists due to a NULL pointer dereference error within mod_ssl module, when third-party modules call ap_hook_process_connection() function during an HTTP request to an HTTPS port. A remote attacker can send a specially crafted HTTP request and crash the affected web server.

Mitigation

Update the affected packages.

i686:
    mod24_session-2.4.27-3.71.amzn1.i686
    mod24_proxy_html-2.4.27-3.71.amzn1.i686
    httpd24-devel-2.4.27-3.71.amzn1.i686
    httpd24-2.4.27-3.71.amzn1.i686
    httpd24-tools-2.4.27-3.71.amzn1.i686
    httpd24-debuginfo-2.4.27-3.71.amzn1.i686
    mod24_ssl-2.4.27-3.71.amzn1.i686
    mod24_ldap-2.4.27-3.71.amzn1.i686

noarch:
    httpd24-manual-2.4.27-3.71.amzn1.noarch

src:
    httpd24-2.4.27-3.71.amzn1.src

x86_64:
    mod24_ldap-2.4.27-3.71.amzn1.x86_64
    httpd24-tools-2.4.27-3.71.amzn1.x86_64
    mod24_proxy_html-2.4.27-3.71.amzn1.x86_64
    httpd24-2.4.27-3.71.amzn1.x86_64
    httpd24-debuginfo-2.4.27-3.71.amzn1.x86_64
    mod24_ssl-2.4.27-3.71.amzn1.x86_64
    mod24_session-2.4.27-3.71.amzn1.x86_64
    httpd24-devel-2.4.27-3.71.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

External links

http://alas.aws.amazon.com/ALAS-2017-863.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.



###SIDEBAR###