ADVISORY: Patch Apache Web Servers for Optionsbleed vulnerability

Friday, September 22, 2017

This advisory is intended for U-M IT staff who are responsible for Apache Web Server installations.

Summary: 

A security vulnerability in Apache Web Server, named Optionsbleed, exists when a misconfiguration causes an HTTP OPTIONS response to leak data from a server’s memory. OPTIONS requests are designed to ask a server which HTTP request methods it allows for a specific web page. The server is supposed to answer with a list of supported methods. With Optionsbleed, a remote attacker may attempt to use an OPTIONS request to return other data from the server’s memory.

Problem: 

The leaks can include memory data from the server process that may contain secrets and potentially sensitive data. The memory pieces change after multiple requests, so a vulnerable host can leak different amounts of memory. This does not occur consistently. It seems to occur only on busy servers and sometimes only after multiple requests. Optionsbleed is similar in nature to Heartbleed because attackers can query servers and trick Apache into responding with more data than intended. However, the impact with Optionsbleed is less severe because it leaks small, arbitrary pieces of memory, is exploitable only on vulnerable versions of Apache Web Server with a very specific configuration, and does not occur with every OPTIONS request on vulnerable servers.

Affected Versions: 
  • Apache Web Server 2.2.34 and prior
  • Apache Web Server 2.4.x through 2.4.27
Action Items: 
  • Ensure that your hosting provider is running a non-affected version of Apache Web Server.
  • Check your Apache web server configuration files, including .htaccess files, to make sure that only valid HTTP methods are listed within any “Limit” directives.
  • Check your Apache logs for repeated use of the “OPTIONS” command and notify security@umich.edu if evidence of that potential attack activity is found.
  • After appropriate testing, apply the Apache patch for Optionsbleed to Apache software that you manage.
  • As other web server software may include Apache Web Server software as a component, apply patches from other web server vendors when applicable.
Threats: 

Leaked data in an OPTIONS request can include pieces of memory from the server process that may contain secrets and other potentially sensitive data. There is additional risk in shared hosting environments because the corruption is not limited to a single virtual host. An attacker of a shared hosting provider could cause this corruption to extract secret data from other hosts on the same system.

Technical Details: 

The Optionsbleed vulnerability exists when a misconfiguration causes the OPTIONS response to contain data from memory. If any of the HTTP methods configured in the settings are not applicable, the Optionsbleed vulnerability can be triggered when a vulnerable version of Apache is in use. In this case, the data returned by an OPTIONS response comes from the memory of the Apache server software. This can include content from other customers or from the server itself.

An unauthenticated, remote attacker can trigger the vulnerability by sending an HTTP OPTIONS request to the server, affecting both environments where multiple websites are on the same web server or when a single website is on a web server. This can be triggered on any Apache Web Server, regardless of the number of hosted websites, where a non-existent or invalid method is included in the Limit directive of an Apache configuration file, such as an .htaccess file.

 

Detection: 

Remote detection of the vulnerability is difficult due to the nondeterministic nature of the the bug. It doesn't appear consistently and seems to appear only on busy servers. Sometimes it only appears after multiple requests. Setting a Limit directive for any invalid HTTP method in an .htaccess file or other Apache configuration file will cause a use-after-free error in the construction of the Allow header, which was also detectable with Address Sanitizer (However, ASAN doesn't work reliably due to the memory allocation abstraction done by APR.).

The most reliable detection method is to examine the Apache version and the Apache server configuration, including within any .htaccess files.

Information for Users: 

This vulnerability only affects servers, so general users will not encounter it.

Questions, Concerns, Reports: 

Please contact info-assurance@umich.edu.