
Certain Apache server configurations can leak server memory content via a vulnerability called Optionsbleed — tracked as CVE-2017-9798 — and detailed on Monday by security researcher Hanno Böck.
The vulnerability is similar to Heartbleed in that attackers can query servers and trick Apache into responding with more data than it intended.
Böck says Optionsbleed is not as severe as Heartbleed because it leaks content processed by the Apache web server process only and not memory content from the underlying machine, including other applications. This means the leaked data is limited to whatever Apache is processing, which is mostly the content of web pages.
Nonetheless, the danger remains, as Optionsbleed could leak content from pages that are only available to authenticated users.
How Optionsbleed works
To understand how Optionsbleed affects servers, you need to know how web servers work. Whenever a client — such as a web browser — makes a request to a server, it usually makes a GET or POST request that retrieves content from the server — a web page or a downloadable file.
Apache servers support many other requests — technically named "methods" — such as PUT, PATCH, HEAD, and more. These methods have been added to Apache releases over time and are not supported by all servers. In addition, server admins can also block access to some of the methods.
To avoid making server requests that go into a black hole, Apache servers support the OPTIONS method. A client can query the server with an OPTIONS request, and the server replies with the methods it is willing to answer.
Casual experiment reveals Optionsbleed vulnerability
Recently, Böck carried out a test to see what kind of OPTIONS responses servers belonging to sites in the Alexa Top 1 Million return. His scan revealed that 466 hosts responded with garbled replies that looked similar to this:
Allow: ,GET,,,POST,OPTIONS,HEAD,,
Allow: POST,OPTIONS,,HEAD,:09:44 GMT
Allow: GET,HEAD,OPTIONS,,HEAD,,HEAD,,HEAD,, HEAD,,HEAD,,HEAD,,HEAD,POST,,HEAD,, HEAD,!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"
Allow: GET,HEAD,OPTIONS,=write HTTP/1.0,HEAD,,HEAD,POST,,HEAD,TRACE
Besides the standard "Allow" responses an OPTIONS reply normally includes, these 466 servers also included portions of random data, which in many cases looked like a web page's source code.
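As an added illustration (not part of the original article or of Böck's test script), the following Python splits the Allow header of an OPTIONS reply and flags the traits visible in the samples above: empty list entries, fragments that are not valid HTTP method tokens (leaked bytes), and repeated methods. The first, healthy header is constructed for comparison; the other four are the article's own samples.

```python
import re

# Allow header values: the first is a constructed healthy reply, the rest
# are the garbled replies quoted in the article.
SAMPLE_ALLOW_HEADERS = [
    "GET,POST,OPTIONS,HEAD",  # constructed: what a normal reply looks like
    ",GET,,,POST,OPTIONS,HEAD,,",
    "POST,OPTIONS,,HEAD,:09:44 GMT",
    'GET,HEAD,OPTIONS,,HEAD,,HEAD,,HEAD,, HEAD,,HEAD,,HEAD,,HEAD,POST,,HEAD,, '
    'HEAD,!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" '
    '"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"',
    "GET,HEAD,OPTIONS,=write HTTP/1.0,HEAD,,HEAD,POST,,HEAD,TRACE",
]

# RFC 7230 "token" characters: a legitimate method name contains nothing else,
# so an entry with spaces, colons, quotes, '=' or '/' cannot be a method.
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def analyze_allow_header(value):
    """Report the anomalies that characterise an Optionsbleed reply."""
    entries = [e.strip() for e in value.split(",")]
    empty = sum(1 for e in entries if e == "")
    leaked = [e for e in entries if e and not TOKEN_RE.match(e)]
    seen, duplicates = set(), []
    for e in entries:
        if e and TOKEN_RE.match(e):
            if e in seen and e not in duplicates:
                duplicates.append(e)
            seen.add(e)
    return {
        "empty_entries": empty,
        "leaked_fragments": leaked,
        "duplicate_methods": duplicates,
        "suspicious": empty > 0 or bool(leaked) or bool(duplicates),
    }


def count_suspicious(headers):
    """Number of headers in the list that show Optionsbleed traits."""
    return sum(1 for h in headers if analyze_allow_header(h)["suspicious"])


if __name__ == "__main__":
    for h in SAMPLE_ALLOW_HEADERS:
        print(analyze_allow_header(h))
```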
This was not supposed to happen and was an unintended leak with dire consequences. Because Böck wasn't able to reproduce the error and find out what was wrong, he reached out to Apache's security team.
After an investigation by Apache developer Jacob Champion, the root cause of Optionsbleed was found in the Apache source code, and patch files were made available for download.
Optionsbleed affects a small number of servers
Böck and Champion also found that Optionsbleed is nowhere near as dangerous as Heartbleed because it can be exploited in certain server configurations only.
These conditions relate to the usage of the "Limit" option in .htaccess files.
<Limit PATCH PUT DELETE>
Deny from all
</Limit>
Server admins place .htaccess files inside Apache server folders in order to set up rules that apply only in that directory. Server owners use the .htaccess "Limit" option to control which requests the server answers in that folder alone.
Böck and Champion say that when a .htaccess file contains Limit rules that contradict the limits set in .htaccess files in parent directories or in the main server configuration, Apache gets confused and the Optionsbleed vulnerability is triggered.
In technical terms, this is a use-after-free vulnerability that leaks content from nearby memory in the Apache process.
Bug known since 2014
A user commenting on Böck's discovery pointed out that this bug was previously described in a 2014 paper by researchers from Old Dominion University in the US.
Despite the issue being known for three years, and re-reported these past weeks, the Apache web server team has not released new server binaries that address the bug. Only patch files are available, for Apache branches 2.4.x and 2.2.x.
Apache servers running in shared environments, where several users deploy different .htaccess files on the same machine, are the ones most affected by Optionsbleed. Nonetheless, all server owners are advised to install the patches just to be sure. A script to test for Optionsbleed is available here.

Comments
GT500 - 7 years ago
I'm glad I use NGINX. Granted it isn't without its own security issues as well, and might even be more popular than Apache these days (it's certainly more efficient and more capable of handling large amounts of traffic).
I also have a cron job set up to run frequently to update important services such as NGINX, PHP, OpenSSL, etc. That way, if there's a security issue and I don't hear about it until days after the patch is released, then I don't have to worry about my server sitting there with an unpatched and vulnerable service running on it.