Date: Tue, 5 Jul 2016 19:52:28 +0300
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: Dirk-Willem van Gulik <dirkx@...che.org>
Subject: Fwd: CVE-2016-4979: HTTPD webserver - X509 Client certificate based authentication can be bypassed when HTTP/2 is used [vs]

This message also appeared on the distros list earlier today, hence the
mandatory forward to oss-security.  The Apache HTTP Server 2.4.23
release date in this advisory looks wrong to me - actually released
today (2016-07-05).

----- Forwarded message from Dirk-Willem van Gulik <dirkx@...che.org> -----

Date: Tue, 5 Jul 2016 15:24:31 +0200 (CEST)
From: Dirk-Willem van Gulik <dirkx@...che.org>
To: announce@...pd.apache.org
Subject: CVE-2016-4979: HTTPD webserver - X509 Client certificate based authentication can be bypassed when HTTP/2 is used [vs]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


          Security Advisory - Apache Software Foundation
                Apache HTTPD WebServer  / httpd.apache.org

	X509 Client certificate based authentication can
           be bypassed when HTTP/2 is used

                   CVE-2016-4979 / CVSS 7.5

The Apache HTTPD web server (from 2.4.18-2.4.20) did not validate an X509 
client certificate correctly when the experimental module for the HTTP/2 
protocol is used to access a resource. 

The net result is that a resource that should require a valid client certificate
in order to get access can be accessed without that credential.

Background:
-----------

Apache can control access to resources based on various things; such as 
a password, IP address and so on. One of the options, when SSL or TLS is
used, is gating access based on the client having access to a private-key of 
a X509 client certificate. These client certificates are typically held on
a chipcard (e.g. the CAC card in the US, national identity, banking cards
or, for example, medical-chip cards in Europe). In some cases they
are 'soft tokens' - i.e. files, often called PKCS#12 files, which are loaded
into the browser or the 'keychain'.

Gating access based on a client certificate is done by adding a line such as

	SSLVerifyClient require 

to the httpd configuration; along with a list of trusted client certificate
authorities (SSLCACertificateFile).

Version 2.4.17 of the Apache HTTP Server introduced an experimental feature:
mod_http2 for the HTTP/2 protocol (RFC7540, previous versions were known as 
Google SPDY).

This module is NOT compiled in by default -and- is not enabled by default, 
although some distributions may have chosen to do so.

It generally needs to be enabled in the 'Protocols' line in httpd by 
adding 'h2' and/or 'h2c' to the 'http/1.1' only default. 

The default distributions of the Apache Software Foundation do not include 
this experimental feature. 

Details:
--------

From version 2.4.18, up to and including version 2.4.20 the server failed
to take the (failed/absent) client certificate validation into account
when providing access to a resource over HTTP/2. This issue has been fixed 
in version 2.4.23 (r1750779).

As a result - a resource thought to be secure and requiring a valid
client certificate - would be accessible without authentication 
provided that mod_http2 was loaded, h2 or h2c activated, that
the browser used the HTTP/2 protocol and that it did more than
one request over a given connection.

Impact:
-------

A third party can gain access to resources on the web server without
the requisite credentials.

This can then lead to unauthorised disclosure of information.

Versions affected: 
------------------
All versions from  2.4.18 to  2.4.20. The issue is fixed in
version 2.4.23 (released 2015-6-5)

Resolution:
-----------

Upgrade to version 2.4.23 or newer.

Mitigations and workarounds:
-----------------------------

As a temporary workaround - HTTP/2 can be disabled by changing
the configuration by removing h2 and h2c from the Protocols
line(s) in the configuration file. 

The resulting line should read:

		Protocols http/1.1

Credits and timeline
--------------------

The flaw was found and reported by Erki Aring <erki@...mple.ee> 
from Liewenthal Electronics Ltd on 2016-06-30. The issue was 
resolved by Stefan Eissing that same day and incorporated in 
the release of 5th of July 2015 (thus avoiding a bank holiday).
 
Apache would like to thank all involved for their help with this.

Common Vulnerability Scoring (Version 3) and vector
---------------------------------------------------

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C

CVSS Base Score         7.5
CVSS Temporal Score     7.0 

1.05 / : 2339 $
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4
Comment: This message is encrypted and/or signed with PGP (gnu-pg, gpg). Contact dirkx@...weaving.org if you cannot read it.

iEYEARECAAYFAld7tREACgkQ/W+IxiHQpxssBwCg2PU1xiye20scB23ZEAdhuEjA
JPoAmwUaZFh/tr2tR3opAVnFo+mSgMDi
=zNG2
-----END PGP SIGNATURE-----

----- End forwarded message -----
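The advisory names three preconditions (httpd 2.4.18 through 2.4.20, h2 or h2c on a Protocols line, and a resource gated with SSLVerifyClient require) and one workaround (Protocols http/1.1). The script below, added here as an example and not code from the advisory, from Solar Designer's message or from the httpd project, checks those preconditions offline against constructed sample text standing in for `httpd -v` output and an httpd.conf fragment, and applies the workaround to the fragment. The host name www.example.com, the module path and the certificate path in the sample are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the advisory or from the httpd project.
# Offline check of the three preconditions the advisory lists for
# CVE-2016-4979: httpd 2.4.18-2.4.20, h2 or h2c on a Protocols line,
# and SSLVerifyClient require guarding a resource. Input is constructed
# sample text standing in for `httpd -v` output and an httpd.conf
# fragment; www.example.com and the paths in it are hypothetical.

# Constructed sample of `httpd -v` output (an affected version).
SAMPLE_VERSION='Server version: Apache/2.4.18 (Unix)
Server built:   Dec  9 2015 10:00:00'

# Constructed httpd.conf fragment: HTTP/2 enabled, client cert required.
SAMPLE_CONF='# hypothetical configuration fragment
Listen 443
LoadModule http2_module modules/mod_http2.so
Protocols h2 h2c http/1.1
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCACertificateFile /etc/httpd/ssl/client-ca.pem
    <Location /protected>
        SSLVerifyClient require
    </Location>
</VirtualHost>'

# Exit 0 if the version in `httpd -v` output ($1) is 2.4.18 through 2.4.20,
# 1 if it is any other version, 2 if no version line was found.
httpd_version_affected() {
    ver=$(printf '%s\n' "$1" \
          | sed -n 's/^Server version: Apache\/\([0-9][0-9.]*\).*/\1/p' \
          | head -n 1)
    [ -n "$ver" ] || return 2
    printf '%s\n' "$ver" \
      | awk -F. '{ exit !($1 == 2 && $2 == 4 && $3 >= 18 && $3 <= 20) }'
}

# Exit 0 if any uncommented Protocols line in the config text ($1)
# lists h2 (HTTP/2 over TLS) or h2c (cleartext HTTP/2).
config_enables_http2() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' \
      | grep -Eiq '^[[:space:]]*Protocols([[:space:]]+[^[:space:]]+)*[[:space:]]+h2c?([[:space:]]|$)'
}

# Exit 0 if the config text ($1) gates anything on a client certificate.
config_requires_client_cert() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' \
      | grep -Eiq '^[[:space:]]*SSLVerifyClient[[:space:]]+require([[:space:]]|$)'
}

# The advisory's temporary workaround: every Protocols line becomes
# "Protocols http/1.1". Prints the rewritten config text.
apply_workaround() {
    printf '%s\n' "$1" \
      | sed -E 's/^([[:space:]]*)[Pp]rotocols[[:space:]].*/\1Protocols http\/1.1/'
}

# Combine the checks: prints VULNERABLE (exit 0) only when all three
# preconditions hold, NOT-EXPOSED (exit 1) otherwise.
assess() {
    if httpd_version_affected "$1" \
       && config_enables_http2 "$2" \
       && config_requires_client_cert "$2"; then
        echo VULNERABLE
        return 0
    fi
    echo NOT-EXPOSED
    return 1
}

demo() {
    echo "as configured:     $(assess "$SAMPLE_VERSION" "$SAMPLE_CONF")"
    fixed_conf=$(apply_workaround "$SAMPLE_CONF")
    echo "after workaround:  $(assess "$SAMPLE_VERSION" "$fixed_conf")"
}
demo
```

On a real server, feed `assess` the actual output of `httpd -v` and the full configuration text; the script reads one string and does not follow Include directives, so concatenate included files first. `httpd -M` shows whether http2_module is actually loaded, which the advisory also lists as a precondition. The script only tests the advisory's preconditions; it does not exercise the bypass itself (that needs an HTTP/2 client sending more than one request over one connection to a client-certificate-gated resource). Removing h2 and h2c disables HTTP/2 for every client; the advisory's resolution remains upgrading to 2.4.23 or newer.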
