Apache HTTP Server chunked encoding heap buffer overflow

apache-chunked-encoding-bo (9249)

High Risk

Description:

Apache HTTP Server is vulnerable to a heap buffer overflow in the mechanism that calculates the size of "chunked" encoding. Chunked encoding is a process by which a client generates a variable sized "chunk" of data and notifies the Web server of the data's size before transferring it, so that the Web server can allocate a buffer of the correct size. The Apache HTTP Server has a software flaw that misinterprets the size of incoming data chunks. A remote attacker can use this vulnerability to overflow a buffer and execute arbitrary code or cause a denial of service against the affected Web server.

Consequences:

Gain Access

Remedy:

For vulnerability detection:

Enable the following checks in the ISS Protection Platform:
ApacheChunkedEncodingBo
apache-chunked-encoding-bo

For Virtual Patch:

Enable the following checks in the ISS Protection Platform:
HTTP_Apache_Chunked_BO
HTTP_Apache_Chunked_DoS

Block or restrict the following in the ISS Protection Platform as appropriate to the environment:
Port 80

For Manual Protection:

For Apache HTTP Server 1.x:
Upgrade to the latest version of Apache HTTP Server (1.3.25 or later), available from Apache Software Foundation download site. See References.

For Apache HTTP Server 2.x:
Upgrade to the latest version of Apache HTTP Server (2.0.39 or later), available from Apache Software Foundation download site. See References.

For Debian GNU/Linux 2.2 (potato):
Upgrade to the latest version of the apache package (1.3.9-14.1 or later), as listed in DSA-131-1. See References.

For Engarde Secure Linux: Community Edition:
Upgrade to the latest apache package (1.3.26-1.0.30 or later), as listed in Engarde Secure Linux Security Advisory ESA-20020619-014. See References.

For Conectiva Linux 6.0, 7.0 and 8.0:
Upgrade to the latest apache package (1.3.26-1U60_1cl or later), as listed in Conectiva Linux Security Announcement CLSA-2002:498. See References.

For Caldera OpenLinux Server and Workstation 3.1 and 3.1.1:
Upgrade to the latest apache package (1.3.22-6 or later), as listed in Caldera Systems, Inc. Security Advisory CSSA-2002-029.0. See References.

For Mandrake Linux 7.1, 7.2, 8.0, 8.1, and Corporate Server 1.0.1:
Upgrade to the latest apache package (1.3.22-10.1mdk or later), as listed in MandrakeSoft Security Advisory MDKSA-2002:039-2 : apache. See References.

For Mandrake Linux 8.2:
Upgrade to the latest apache package (1.3.23-4.1mdk or later), as listed in MandrakeSoft Security Advisory MDKSA-2002:039-2 : apache. See References.

For Mandrake Single Network Firewall 7.2:
Upgrade to the latest apache package (1.3.20-5.1mdk or later), as listed in MandrakeSoft Security Advisory MDKSA-2002:039-2 : apache. See References.

For Red Hat Linux 6.2:
Upgrade to the latest apache package (1.3.22-5.6 or later), as listed in RHSA-2002:103-13. See References.

For Red Hat Linux 7.0 and 7.1:
Upgrade to the latest apache package (1.3.22-5.7.1 or later), as listed in RHSA-2002:103-13. See References.

For Red Hat Linux 7.2:
Upgrade to the latest apache package (1.3.22-6 or later), as listed in RHSA-2002:103-13. See References.

For Red Hat Linux 7.3:
Upgrade to the latest apache package (1.3.23-14 or later), as listed in RHSA-2002:103-13. See References.

For Red Hat Stronghold Errata:
Apply the appropriate patch for your system, as listed in RHSA-2002:118-06. See References.

For Red Hat Secure Web Server 3.2:
Apply the appropriate update for your system, as listed in RHSA-2002:117-11. See References.

For SuSE Linux 6.4, 7.0, and 7.1 (Intel):
Uprade to the latest apache package (1.3.19-115 or later), as listed in SuSE Security Announcement SuSE-SA:2002:022. See References.

For SuSE Linux 7.2 (Intel):
Uprade to the latest apache package (1.3.19-116 or later), as listed in SuSE Security Announcement SuSE-SA:2002:022. See References.

For SuSE Linux 7.3 (Intel):
Uprade to the latest apache package (1.3.20-66 or later), as listed in SuSE Security Announcement SuSE-SA:2002:022. See References.

For SuSE Linux 8.0 (Intel):
Uprade to the latest apache package (1.3.23-120 or later), as listed in SuSE Security Announcement SuSE-SA:2002:022. See References.

For SuSE Linux 6.4, 7.0, and 7.1 (Power PC):
Uprade to the latest apache package (1.3.19-56 or later), as listed in SuSE Security Announcement SuSE-SA:2002:022. See References.

For SuSE Linux 7.3 (Power PC):
Uprade to the latest apache package (1.3.20-52 or later), as listed in SuSE Security Announcement SuSE-SA:2002:022. See References.

For Trustix Secure Linux 1.01, 1.1, 1.2 and 1.5:
Uprade to the latest apache package (1.3.26-1tr or later), as listed in Trustix Secure Linux Security Advisory #2002-0056. See References.

For Caldera OpenServer 5.0.5 and 5.0.6:
Upgrade to the latest Apache packages, as listed in Caldera International, Inc. Security Advisory CSSA-2002-SCO.32. See References.

For Caldera UnixWare 7.1.1 and OpenUnix 8.0.0:
Upgrade to the latest Apache packages, as listed in Caldera International, Inc. Security Advisory CSSA-2002-SCO.31. See References.

For Slackware Linux:
Upgrade to the latest Apache, mod_ssl or openssh packages, as listed below. Refer to slackware-security Mailing List, Wed, Jun, 26 12:03:06 PDT 2002. See References.

Slackware Linux 8.0 and 8.1: apache-1.3.26 or later, mod_ssl-2.8.9_1.3 or later, or openssh-3.4p1or later

Slackware Linux 7.1: openssh-3.4p1 or later

For HP OpenView Operations:
Refer to HP Security Bulletin HPSBMA02149 SSRT050968 rev.1 for patch, upgrade, or suggested workaround information.

For other distributions:
Contact your vendor for upgrade or patch information.

References:

• Apache HTTP Server Project Web site: Apache HTTPD Project - The Apache HTTPD Server Project.
• Apache Security Bulletin June 17, 2002: Apache Web Server.
• Apache Security Bulletin June 20, 2002: Apache Web Server.
• BugTraq Mailing List, Wed Sep 13 2006 - 12:16:43 CDT : [security bulletin] HPSBMA02149 SSRT050968 rev.1 - HP OpenView Operations, Remote Unauthorized Access and Denial of Service (DoS).
• Caldera International, Inc. Security Advisory CSSA-2002-029.0: Apache Web Server Chunk Handling Vulnerability.
• Caldera International, Inc. Security Advisory CSSA-2002-SCO.31: UnixWare 7.1.1 Open UNIX 8.0.0 : Apache Web Server Chunk Handling Vulnerability / mod_ssl off-by-one error.
• Caldera International, Inc. Security Advisory CSSA-2002-SCO.32: OpenServer 5.0.5 OpenServer 5.0.6 : Apache Web Server Chunk Handling Vulnerability / mod_ssl off-by-one error.
• CERT Advisory CA-2002-17: Apache Web Server Chunk Handling Vulnerability.
• CIAC Information Bulletin M-093: Apache HTTP Server Chunk Encoding Vulnerability.
• Conectiva Linux Announcement CLSA-2002:498: Chunk transfer encoding vulnerability.
• EnGarde Secure Linux Security Advisory ESA-20020619-014: chunk handling overflow vulnerability.
• Internet Security Systems Security Advisory, June 17, 2002: Remote Compromise Vulnerability in Apache HTTP Server.
• Internet Security Systems Security Alert, June 19, 2002: Apache HTTP Server Exploit in Circulation.
• National Infrastructure Protection Center Advisory 02-005.1: Remote Vulnerabilities in Apache Web Server Software.
• National Infrastructure Protection Center Advisory 02-005.1: Remote Vulnerabilities in the Apache Web Server Software.
• Oracle Security Alert #36: Security Vulnerability for Apache HTTP Server of Oracle9iAS.
• SGI Security Advisory 20020605-01-A: Apache Web Server Chunk Handling vulnerability.
• slackware-security Mailing List, Wed, Jun, 26 12:03:06 PDT 2002: [slackware-security] New OpenSSH packages available.
• Trustix Secure Linux Security Advisory #2002-0056: apache.
• BID-20005: HP OpenView Operations Denial of Service and Unauthorized Access Vulnerability
• BID-5033: Apache Chunked-Encoding Memory Corruption Vulnerability
• CVE-2002-0392: Apache 1.3 through 1.3.24, and Apache 2.0 through 2.0.36, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a chunk-encoded HTTP request that causes Apache to use an incorrect size.
• DSA-131: apache -- remote DoS / exploit
• DSA-132: apache-ssl -- remote DoS / exploit
• DSA-133: apache-perl -- remote DoS / exploit
• MDKSA-2002:039: Updated apache packages fix DoS vulnerability
• MDKSA-2002:039-1: Updated apache packages fix DoS vulnerability
• MDKSA-2002:039-2: Updated apache packages fix remotely exploitable conditions
• OpenPKG-SA-2002.004: Apache
• OSVDB ID: 838: Apache HTTP Server Chunked Encoding Overflow
• RHSA-2002-103: Updated Apache packages fix chunked encoding issue
• RHSA-2002-126: apache security update
• RHSA-2002-150: apache security update for Stronghold
• RHSA-2003-106: Updated apache and mod_ssl packages available
• SA21917: HP OpenView Operations Apache Chunked Encoding Vulnerability
• US-CERT VU#944335: Apache web servers fail to handle chunks with a negative size
• VUPEN/ADV-2006-3598: HP OpenView Operations Remote Unauthorized Access and DoS Vulnerability

Platforms Affected:

• Apache HTTP Server 1.0
• Apache HTTP Server 1.0.2
• Apache HTTP Server 1.0.3
• Apache HTTP Server 1.0.5
• Apache HTTP Server 1.1
• Apache HTTP Server 1.1.1
• Apache HTTP Server 1.2
• Apache HTTP Server 1.2.5
• Apache HTTP Server 1.3
• Apache HTTP Server 1.3.1
• Apache HTTP Server 1.3.11
• Apache HTTP Server 1.3.12
• Apache HTTP Server 1.3.13
• Apache HTTP Server 1.3.14
• Apache HTTP Server 1.3.15
• Apache HTTP Server 1.3.16
• Apache HTTP Server 1.3.17
• Apache HTTP Server 1.3.18
• Apache HTTP Server 1.3.19
• Apache HTTP Server 1.3.20
• Apache HTTP Server 1.3.22
• Apache HTTP Server 1.3.23
• Apache HTTP Server 1.3.24
• Apache HTTP Server 1.3.3
• Apache HTTP Server 1.3.4
• Apache HTTP Server 1.3.9
• Apache HTTP Server 2.0
• Apache HTTP Server 2.0.28
• Apache HTTP Server 2.0.32
• Apache HTTP Server 2.0.35
• Apache HTTP Server 2.0.36
• Conectiva Linux 6.0
• Conectiva Linux 7.0
• Conectiva Linux 8.0
• Debian Debian Linux 2.2
• EngardeLinux Secure Linux
• HP HP-UX B.11.00
• HP HP-UX B.11.11
• HP OpenView Operations 7.1
• HP OpenView Operations 8.0
• HP OpenView Operations 8.1
• HP OpenView Operations A.07.00
• HP OpenView Operations A.07.10
• HP OpenView Operations A.07.20
• HP OpenView Operations A.07.21
• MandrakeSoft Mandrake Linux 7.1
• MandrakeSoft Mandrake Linux 7.2
• MandrakeSoft Mandrake Linux 8.0
• MandrakeSoft Mandrake Linux 8.0 PPC
• MandrakeSoft Mandrake Linux 8.1
• MandrakeSoft Mandrake Linux 8.1 IA64
• MandrakeSoft Mandrake Linux 8.2 PPC
• MandrakeSoft Mandrake Linux 8.2
• MandrakeSoft Mandrake Linux Corporate Server 1.0.1
• MandrakeSoft Mandrake Single Network Firewall 7.2
• OpenBSD OpenBSD
• Oracle Application Server
• RedHat Enterprise Linux 2.1 AS
• RedHat Linux 6.2
• RedHat Linux 7
• RedHat Linux 7.1
• RedHat Linux 7.1 for iSeries
• RedHat Linux 7.1 for pSeries
• RedHat Linux 7.2
• RedHat Linux 7.3
• RedHat Secure Web Server 3.2
• RedHat Stronghold
• SCO Caldera OpenLinux Server 3.1
• SCO Caldera OpenLinux Server 3.1.1
• SCO Caldera OpenLinux Workstation 3.1
• SCO Caldera OpenLinux Workstation 3.1.1
• SCO Caldera OpenServer 5.0.5
• SCO Caldera OpenServer 5.0.6
• SCO Caldera OpenUnix 8.0.0
• SCO Caldera UnixWare 7.1.1
• Slackware Slackware Linux 7.1
• Slackware Slackware Linux 8.0
• Slackware Slackware Linux 8.1
• SUSE SuSE Linux 6.4
• SUSE SuSE Linux 7.0
• SUSE SuSE Linux 7.1
• SUSE SuSE Linux 7.2
• SUSE SuSE Linux 7.3
• SUSE SuSE Linux 8.0
• Trustix Secure Linux 1.01
• Trustix Secure Linux 1.1
• Trustix Secure Linux 1.2
• Trustix Secure Linux 1.5

Reported:

Jun 17, 2002

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page