000012004 - Apache vulnerabilities shown in RCM/RRM 6.7 and 6.8

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000012004
Applies To:
RCM 6.7 shows vulnerabilities with Apache 1.3.33
RCM 6.8 shows vulnerabilities with Apache 1.3.39
RSA Certificate Manager 6.7
RSA Certificate Manager 6.8
RSA Registration Manager 6.8
2003 Server SP2
Issue
1) Vulnerability:
Apache Mod_Rewrite Off-By-One Buffer Overflow Vulnerability: allows attackers to execute arbitrary code.
Prerequisites: 'RewriteEngine on', RewriteRule flags that do not include Forbidden (F), Gone (G), or NoEscape (NE), and rules that modify a rewritten URL.

Analysis:
Product uses the Rewrite engine only for handling SCEP requests.
The rule we use is RewriteRule ^/([^/]*)/pkiclient.exe /pkiclient.exe?id=$1 [QSA]; as per this rule, the URL http://myserver:446/<jur_id>/pkiclient.exe gets converted to http://myserver:446/pkiclient_<jur.exe?id=<jur_id>.
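The following is an added example, written in Python for this page; it is not code from the article or from the RCM/RRM product. It models how the SCEP RewriteRule quoted above treats incoming request URLs: the pattern is matched against the URL path, on a match the whole path is replaced by the substitution (mod_rewrite does not splice like sed), and the [QSA] flag appends the request's original query string. The sample URLs and the jurisdiction id "jur1" are constructed; mod_rewrite's own escaping of the substituted value is not modelled.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Pattern and substitution taken from the article's rule:
#   RewriteRule ^/([^/]*)/pkiclient.exe /pkiclient.exe?id=$1 [QSA]
# The '.' is left unescaped, exactly as in the rule, so it matches any character.
SCEP_PATTERN = re.compile(r"^/([^/]*)/pkiclient.exe")
SCEP_SUBSTITUTION = "/pkiclient.exe?id={jur_id}"


def apply_scep_rewrite(url):
    """Return the URL as the SCEP RewriteRule would rewrite it.

    Simplified model of mod_rewrite: the pattern is tested against the
    URL path only; when it matches, the entire path is replaced by the
    substitution and, because of [QSA], the original query string is
    appended after the new one. Requests that do not match pass through
    unchanged, so only a single-segment prefix before pkiclient.exe is
    ever rewritten."""
    parts = urlsplit(url)
    match = SCEP_PATTERN.match(parts.path)
    if match is None:
        return url
    new_path, _, new_query = SCEP_SUBSTITUTION.format(
        jur_id=match.group(1)).partition("?")
    if parts.query:
        new_query = new_query + "&" + parts.query  # [QSA] behaviour
    return urlunsplit((parts.scheme, parts.netloc, new_path, new_query,
                       parts.fragment))


if __name__ == "__main__":
    # Constructed sample requests (jurisdiction id "jur1" is made up).
    for sample in (
        "http://myserver:446/jur1/pkiclient.exe?operation=GetCACert",
        "http://myserver:446/jur1/pkiclient.exe",
        "http://myserver:446/pkiclient.exe",
        "http://myserver:446/a/b/pkiclient.exe",
        "http://myserver:446//pkiclient.exe",
    ):
        print(f"{sample}\n  -> {apply_scep_rewrite(sample)}")
```

The last two samples show the rule's boundaries: a path with two segments before pkiclient.exe is not rewritten at all, while an empty segment (a double slash) still matches and yields an empty id parameter.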
2) Vulnerability:
Mod_SSL Wildcard DNS Cross Site Scripting Vulnerability: this vulnerability is limited to configurations with both the 'UseCanonicalName' option turned off and wildcard DNS enabled. An attacker may be able to exploit this issue via a malicious link containing arbitrary HTML and script code as part of the hostname.
 
Analysis:
The 'UseCanonicalName' directive is turned on in httpd.conf, and it is set to on by default by Apache. Hence, this vulnerability does not apply to RCM.
3) Vulnerability:
Apache Mod_SSL SSL_Util_UUEncode_Binary Stack Buffer Overflow Vulnerability: a stack-based buffer overflow has been reported in the Apache mod_ssl module. The ssl_util_uuencode_binary() function copies client certificate data into a buffer without sufficient checks on the size of the counter for how much data is left to be copied. The "FakeBasicAuth" option must be enabled and a malicious certificate from a trusted CA must exist for this vulnerability to occur.

Analysis:

In httpd.conf the directive SSLOptions is set as SSLOptions +StdEnvVars for the Administration, Enrollment, Renewal and SCEP servers. SSLOptions with FakeBasicAuth is commented out by default by Apache. Based on this, this vulnerability does not apply to RCM.
4) Vulnerability:
SSL Server Supports Weak Encryption
The SSL server supports weak encryption keys with lengths of less than 128 bits.

Analysis:

The SSLCipherSuite option is set to ALL by default. We can change the SSLCipherSuite directive to support only high- and medium-strength cipher keys.

Solution:  Add to the httpd.conf file:  SSLCipherSuite HIGH:MEDIUM

Sample usage:
SSLCipherSuite HIGH:+MEDIUM
5) Vulnerability:
Web Server HTTP TRACE Method Supported: a client sending the TRACE command to a web server will receive an echo of the entire request, including HTTP headers (e.g. cookies, auth data).

Analysis:
Disable the TRACE method, e.g. TraceEnable OFF in version 1.3.34 and 2.0.55 (or newer). Older versions: under Apache, this can be done using the mod_rewrite module, with the following syntax:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

'TraceEnable' directive is available only in Apache 1.3.34, 2.0.55 and later.  RCM 6.7 Apache HTTP Server version: 1.3.33. Based on this, this vulnerability does not apply to RCM.

Reference:
http://httpd.apache.org/docs/1.3/mod/core.html#traceenable


6) Vulnerability:
Apache Expect Header Cross-Site Scripting Vulnerability Application fails to sanitize HTTP Expect headers when it is redirected to an error message.

Analysis:
There is an exploit for "Apache Expect Header Cross-Site Scripting Vulnerability" available at: http://www.securityfocus.com/archive/1/433280. This site has the test tool for testing this vulnerability.

If the client request carries an Expect header with script tags in the field value instead of "100-continue", the server does not escape the HTML tags when sending the response back to the client.

We can apply the code change (a one-line change in the http_protocol.c file) from a later version of Apache to fix this issue in the RCM 6.7 Apache 1.3.33. If you need the fixed binary for RCM 6.7, contact customer support.


7) Vulnerability:
Apache Web Server MIME Boundary Information Disclosure Vulnerability: may result in the disclosure of sensitive information. Specifically, the getpid() function is used when generating MIME message boundaries, which discloses the Apache PID to a remote attacker. Access to the PID may aid an attacker in launching attacks against target services.

Analysis:
The links below, from CVE and SecurityFocus (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418 and http://www.securityfocus.com/bid/6943), indicate that the vulnerability exists on Apache HTTP Server 1.3.22 through 1.3.27 on OpenBSD.
 
The vulnerability exists on Apache HTTP Server versions beyond 1.3.27 as well (i.e. it is applicable to RCM 6.7 and RCM 6.8), and Apache has not provided a security fix for it.
The vulnerability occurs when the following headers are used along with MIME headers in the HTTP request:

GET /graphics/producttitle.jpg HTTP/1.1
Host: server1.rsa.net:36443
RANGE: bytes=0-499,601-999
If-Range: "0"
MIME-Version: 1.0
Content-type: image/jpg;

The PID of the process is returned in the message boundary when the If-Range value matches the ETag value present in the HTTP response.

This vulnerability can be circumvented by configuring Apache not to send the ETag in the HTTP response header. This can be done by including the FileETag directive, as shown below, in the httpd.conf file.

FileETag None


8) Vulnerability:
SSLv2 Enabled: SSLv2 has been deprecated and, due to pervasive security flaws, should not be used.

Analysis:
RCM supports this directive by adding SSLProtocol on a new line after SSLCipherSuite.

a. Back up and then open the file WebServer/conf/httpd.conf in a text editor.

b. Locate the line:
   SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:SSLv2:+EXP:+eNULL

   Note: There are three occurrences of the above text: one for each of the Enrollment, Administration, and Renewal Servers.

c. Modify it to:
   SSLCipherSuite DES-CBC3-SHA

d. On a new line under each altered SSLCipherSuite, add the SSLProtocol configuration option and value:
   SSLProtocol +TLSv1

e. Save the httpd.conf file.

Sample usage:
SSLCipherSuite DES-CBC3-SHA
SSLProtocol +TLSv1
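The following is an added example, written in Python for this page; it is not code from the article or from the RCM/RRM product. It audits an httpd.conf fragment for the settings discussed in items 3, 4, 5, 7 and 8: weak aliases in the SSLCipherSuite string, SSLv2 left negotiable because SSLProtocol is missing or permissive, FileETag not set to None, the TRACE method not blocked by either TraceEnable off or the mod_rewrite rule from item 5, and FakeBasicAuth enabled in SSLOptions. Both configuration fragments are constructed: the first carries the default cipher line quoted in step b, the second the recommended settings. Two assumptions are built in and marked in the code: without an SSLProtocol directive mod_ssl defaults to all protocols, and a RewriteCond on REQUEST_METHOD ^TRACE is taken to be followed by a forbidding RewriteRule.

```python
# Constructed httpd.conf fragments (not RCM's shipped file). DEFAULT_CONF
# carries the default cipher line quoted in step b; HARDENED_CONF applies
# the settings recommended in items 4, 5, 7 and 8.
DEFAULT_CONF = """\
# Enrollment Server
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:SSLv2:+EXP:+eNULL
SSLOptions +StdEnvVars
#SSLOptions +FakeBasicAuth
RewriteEngine on
RewriteRule ^/([^/]*)/pkiclient.exe /pkiclient.exe?id=$1 [QSA]
"""

HARDENED_CONF = """\
SSLEngine on
SSLCipherSuite DES-CBC3-SHA
SSLProtocol +TLSv1
SSLOptions +StdEnvVars
FileETag None
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
"""

# OpenSSL cipher-list aliases that admit ciphers under 128 bits, NULL
# encryption, anonymous key exchange or SSLv2-only suites.
WEAK_ALIASES = {"ALL", "COMPLEMENTOFALL", "LOW", "EXP", "EXPORT", "EXPORT40",
                "EXPORT56", "eNULL", "NULL", "aNULL", "ADH", "SSLv2"}


def parse_directives(conf_text):
    """Split an httpd.conf fragment into (directive, arguments) pairs,
    skipping blank lines and comments."""
    directives = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        directives.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return directives


def weak_cipher_tokens(cipher_string):
    """Return the SSLCipherSuite tokens that name a weak alias without
    negating it. '!' and '-' remove a group; '+' only reorders ciphers
    already selected, so '+LOW' after 'ALL' still leaves LOW enabled."""
    weak = []
    for token in cipher_string.split(":"):
        if not token:
            continue
        prefix = token[0] if token[0] in "!+-" else ""
        if prefix in ("!", "-"):
            continue
        if token[len(prefix):] in WEAK_ALIASES:
            weak.append(token)
    return weak


def sslv2_enabled(protocol_value):
    """True if SSLv2 remains negotiable. Assumption: with no SSLProtocol
    directive, mod_ssl 2.8 defaults to 'all'. Tokens apply left to right."""
    if protocol_value is None:
        return True
    enabled = False
    for token in protocol_value.split():
        name = token.lstrip("+-").lower()
        if name in ("all", "sslv2"):
            enabled = not token.startswith("-")
    return enabled


def audit_httpd_conf(conf_text):
    """Return one finding string per issue found in a server block."""
    findings = []
    protocol = None
    file_etag = None
    trace_blocked = False
    for name, args in parse_directives(conf_text):
        if name == "SSLCipherSuite":
            for token in weak_cipher_tokens(args):
                findings.append(f"SSLCipherSuite admits weak alias {token!r}")
        elif name == "SSLProtocol":
            protocol = args
        elif name == "SSLOptions":
            if any(t.lstrip("+") == "FakeBasicAuth" for t in args.split()):
                findings.append("SSLOptions enables FakeBasicAuth")
        elif name == "FileETag":
            file_etag = args
        elif name == "TraceEnable" and args.lower() == "off":
            trace_blocked = True
        elif name == "RewriteCond" and "REQUEST_METHOD" in args and "TRACE" in args:
            trace_blocked = True  # assumes the next RewriteRule forbids it ([F])
    if sslv2_enabled(protocol):
        findings.append("SSLProtocol leaves SSLv2 enabled")
    if file_etag is None or file_etag.lower() != "none":
        findings.append("FileETag is not None, so ETag headers are sent")
    if not trace_blocked:
        findings.append("TRACE not blocked: no TraceEnable off and no REQUEST_METHOD ^TRACE rewrite")
    return findings


if __name__ == "__main__":
    for label, conf in (("default", DEFAULT_CONF), ("hardened", HARDENED_CONF)):
        results = audit_httpd_conf(conf)
        print(f"{label}: {len(results)} finding(s)")
        for finding in results:
            print("  -", finding)
```

Run against the default fragment the script reports eight findings (five weak cipher aliases, SSLv2, ETag and TRACE); against the hardened fragment it reports none. Because the article's cipher line occurs once per server (Enrollment, Administration, Renewal), a real audit would run the function over each server block separately.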


9) Vulnerability:
mod_ssl hook functions format string vulnerability

The remote host is using a version vulnerable of mod_ssl which is older than 2.8.19. There is a format string condition in the
log functions of the remote module which may allow an attacker to execute arbitrary code on the remote host.

*** Some vendors patched older versions of mod_ssl, so this
*** might be a false positive. Check with your vendor to determine
*** if you have a version of mod_ssl that is patched for this
*** vulnerability

Solution : Upgrade to version 2.8.19 or newer
Risk factor : High
CVE : CVE-2004-0700
BID : 10736
Other references : OSVDB:7929
12260 Apache HTTP Server Multiple Cross-Site Scripting Vulnerabilities
86809 Apache 1.3, 2.0 and 2.2 HTTP Server Multiple Vulnerabilities
115731 Apache 1.3 and 2.0 Web Server Multiple Vulnerabilities
11) CVE-2008-2168

Cross-site scripting (XSS) vulnerability in Apache 2.2.6 and earlier allows remote attackers to inject arbitrary web script or HTML via UTF-7 encoded URLs that are not properly handled when displaying the 403 Forbidden error page.

Resolution
Please find the explanations for the above queries.
1) Product uses the Rewrite engine only for handling SCEP requests. The rule we use is
RewriteRule ^/([^/]*)/pkiclient.exe /pkiclient.exe?id=$1 [QSA]
and as per this rule, the URL (http://myserver:446/<jur_id>/pkiclient.exe) gets converted to http://myserver:446/pkiclient_<jur.exe?id=<jur_id>.
Based on this, we can say that the RCM and RRM are not susceptible.
2) The 'UseCanonicalName' directive is turned on in httpd.conf, and it is set to on by default by Apache.
Hence, this vulnerability does not apply to RCM.
3) In httpd.conf the directive SSLOptions is set as
SSLOptions +StdEnvVars for administration, Enrollment, Renewal and SCEP servers.
SSLOptions with FakeBasicAuth is commented out by default by Apache. Based on this, this vulnerability does not apply to RCM.
4) The SSLCipherSuite option is set to ALL by default.
We can change the SSLCipherSuite directive to support only high- and medium-strength cipher keys.
Sample usage:
SSLCipherSuite HIGH:+MEDIUM
5) 'TraceEnable' directive is available only in Apache 1.3.34, 2.0.55 and later.
RCM 6.7 Apache HTTP Server version: 1.3.33. Based on this, this vulnerability does not apply to RCM.
Reference: http://httpd.apache.org/docs/1.3/mod/core.html#traceenable
6) There is a code change (a one-line change in the http_protocol.c file) from a later version of Apache. This fix is available for RCM 6.7 build 423 or higher. If you need the fixed binary for RCM 6.7, contact customer support.
7) The affected http versions are Apache HTTP Server 1.3.22 through 1.3.27. RCM 6.7 Apache HTTP Server version: 1.3.33.
Based on this, this vulnerability does not apply to RCM.
Reference: http://xforce.iss.net/xforce/xfdb/11438 and http://www.securityfocus.com/bid/6943
 

8) RCM supports this directive by adding SSLProtocol on a new line after SSLCipherSuite.
Sample usage:
SSLCipherSuite DES-CBC3-SHA
SSLProtocol +TLSv1

9) RCM 6.7 uses mod_ssl version 2.8.22 for Apache 1.3.33 and RCM 6.8 uses mod_ssl version 2.8.30 for Apache version 1.3.39.

The 'mod_ssl hook functions format string vulnerability' is applicable to mod_ssl versions 2.8.18 and below.
RCM 6.7 and 6.8 are not susceptible to this vulnerability.
 
 
Note: RCM does not use Flash nor does it use Flash plugin. Hence, this vulnerability does not apply to RCM.
 
11) The vulnerability was reported in 2008. According to the information at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2168, it is not applicable to Apache 1.3.39.
RSA Certificate Manager 6.8 uses Apache 1.3.39.


The following are the multiple vulnerabilities affecting Apache version 1.3.33 (taken from apache.org):

1) mod_imap Referer Cross-Site Scripting CVE-2005-3352
   The WebServer is not built with mod_imap in RSA Certificate Manager (RCM) and RSA Registration Manager (RRM)

2) Expect header Cross-Site Scripting CVE-2006-3918
   The fix for this vulnerability is already present in RCM and RRM 6.7 and 6.8. Please refer to CERTMGR-3544.

3) mod_rewrite off-by-one error CVE-2006-3747
   Product uses the Rewrite engine only for handling SCEP requests. The rule we use is RewriteRule ^/([^/]*)/pkiclient.exe /pkiclient.exe?id=$1 [QSA], and as per this rule, the URL (http://myserver:446/<jur_id>/pkiclient.exe) gets converted to http://myserver:446/pkiclient_<jur.exe?id=<jur_id>. Based on this, we can say that the RCM and RRM are not susceptible. RCM/RRM don't use authentication cookies.
  
4) mod_status cross-site scripting CVE-2006-5752
   RCM/RRM is not compiled with mod_imap. The WebServer is built with mod_status in RCM and RRM. Cross-Site Scripting exploitation requires that "mod_status" is enabled and that the status pages are publicly accessible. By default, "mod_status" is disabled in RCM and RRM. The WebServer is vulnerable to Cross-Site Scripting if "mod_status" is enabled by uncommenting the following lines in the httpd.conf file of RCM and RRM.

5) mod_imap XSS CVE-2007-5000
   Addressed in point 1.
  
6) mod_status XSS CVE-2007-6388
   Addressed in point 4.
  
7) mod_proxy overflow on 64-bit systems CVE-2010-0010
   RCM /RRM is not compiled with mod_proxy.


The following are the multiple vulnerabilities affecting Apache version 1.3.39 (taken from apache.org):

8) mod_imap XSS CVE-2007-5000
   Addressed in point 1.

9) mod_status XSS CVE-2007-6388
   Addressed in point 4.

10) mod_proxy overflow on 64-bit systems CVE-2010-0010
    Addressed in point 7.
Legacy Article ID: a44543
