Three New Vulnerabilities Affecting Apache Web Servers
Threat Level Description
Threat Level: High - An attack is highly likely. Additional and sustainable protective security measures reflecting the broad nature of the threat combined with specific business and geographical vulnerabilities and judgments on acceptable risk.
We have observed that 3 new vulnerabilities, affecting the Apache Web Servers, have been identified.
These vulnerabilities, tracked as CVE-2020-9490, CVE-2020-11984, CVE-2020-11993, could lead to the execution of arbitrary code and denial of service attacks.
The first flaw is a remote code execution vulnerability due to a buffer overflow in the “mod_uwsgi” module (CVE-2020-11984). This issue could allow an attacker to view, change, or delete sensitive data, depending on the privileges associated with an application running on the server.
The second vulnerability concerns a flaw that is triggered when debugging is enabled in the “mod_http2” module (CVE-2020-11993). It causes logging statements to be made on the wrong connection, resulting in memory corruption due to the concurrent log pool usage.
The third flaw (CVE-2020-9490), also resides in the HTTP/2 module, and uses a specially crafted “Cache-Digest” header to cause a memory corruption that could lead to denial of service.
“Cache Digest” is part of a now-abandoned web optimization feature that aims to address an issue with server “pushes”. “Cache Digest” allows a server to preemptively send responses to a client ahead of time by allowing the clients to inform the server of their freshly cached contents. Thus, the bandwidth is not wasted in sending resources that are already in the client’s cache.
When a specially crafted value is injected into the ‘Cache-Digest’ header, in an HTTP/2 request, it would cause a crash when the server sends a PUSH packet.
BASE SCORE: 5 Medium
Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers.
BASE SCORE: 4.3 Medium
Apache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools. Configuring the LogLevel of mod_http2 above "info" will mitigate this vulnerability for unpatched servers.
BASE SCORE: 7.5 High
Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE
Apache HTTP server versions 2.4.32 to 2.4.44 (CVE-2020-11984)Apache HTTP Server versions 2.4.20 to 2.4.43 (CVE-2020-11993)Apache HTTP Server versions 2.4.20 to 2.4.43 (CVE-2020-9490)
You should immediately proceed and upgrade to the latest version of Apache Web Server software.
Note that the third vulnerability (CVE-2020-9490), can be resolved by turning the “HTTP/2 server push” feature off, on unpatched servers.
You should understand the importance of security updates, and the urgency with which they should be applied, no matter how large or small your organization is. It is very important to apply an efficient patch management solution and always have enabled an active event security logging and practice event monitoring. To protect the valuable assets of your business and be compliant with the relevant industry regulations requires a comprehensive approach to the management of risk, including Penetration Testing at least annually and upon significant changes.