exploit the possibilities

Apache 2.4.20 X509 Authentication Bypass

Apache 2.4.20 X509 Authentication Bypass
Posted Jul 5, 2016
Authored by Erki Aring | Site httpd.apache.org

Apache HTTPD WebServer versions 2.4.18 through 2.4.20 do not validate an X509 client certificate correctly when the experimental module for the HTTP/2 protocol is used to access a resource.

tags | advisory, web, protocol
advisories | CVE-2016-4979
MD5 | b5c0ac0ce5351e0eb9891688f3492318

Apache 2.4.20 X509 Authentication Bypass

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Security Advisory - Apache Software Foundation
Apache HTTPD WebServer / httpd.apache.org

X509 Client certificate based authentication can
be bypassed when HTTP/2 is used

CVE-2016-4979 / CVSS 7.5

The Apache HTTPD web server (from 2.4.18-2.4.20) did not validate a X509
client certificate correctly when experimental module for the HTTP/2
protocol is used to access a resource.

The net result is that a resource that should require a valid client certificate
in order to get access can be accessed without that credential.

Background:
- -----------

Apache can control access to resources based on various things; such as
a password, IP address and so on. One of the options, when SSL or TLS is
used, is gating access based on the client having access to a private-key of
a X509 client certificate. These client certificates are typically held on
a chipcard (e.g. the CAC card in the US, national identity, banking cards
or, for example, medical-chip cards in Europe). In some cases they
are 'soft tokens' - i.e. files, often called PKCS#12 files, which are loaded
into the browser or the 'keychain'.

Gating access based on a client certificate is done by adding a line such as

SSLVerifyClient require

to the httpd configuration; along with a list of trusted client certificate
authorities (SSLCACertificateFile).

Version 2.4.17 of the Apache HTTP Server introduced an experimental feature:
mod_http2 for the HTTP/2 protocol (RFC7540, previous versions were known as
Google SPDY).

This module is NOT compiled in by default -and- is not enabled by default,
although some distribution may have chosen to do so.

It is generally needs to be enabled in the 'Protocols' line in httpd by
adding 'h2' and/or 'h2c' to the 'http/1.1' only default.

The default distributions of the Apache Software Foundation do not include
this experimental feature.

Details:
- --------

- From version 2.4.18, upto and including version 2.4.20 the server failed
to take the (failed/absent) client certificate validation into account
when providing access to a resource over HTTP/2. This issue has been fixed
in version 2.4.23 (r1750779).

As a result - a resource thought to be secure and requiring a valid
client certificate - would be accessible without authentication
provided that the mod_http2 was loaded, h2 or h2c activated, that
that the browser used the HTTP/2 protocol and it would do more than
one request over a given connection.

Impact:
- -------

A third party can gain access to resources on the web server without
the requisite credentials.

This can then lead to unauthorised disclosure of information.

Versions affected:
- ------------------
All versions from 2.4.18 to 2.4.20. The issue is fixed in
version 2.4.23 (released 2015-6-5)

Resolution:
- -----------

Upgrade to version 2.4.23 or newer.

Mitigations and work arounds:
- -----------------------------

As a temporary workaround - HTTP/2 can be disabled by changing
the configuration by removing h2 and h2c from the Protocols
line(s) in the configuration file.

The resulting line should read:

Protocols http/1.1

Credits and timeline
- --------------------

The flaw was found and reported by Erki Aring <erki@example.ee>
from Liewenthal Electronics Ltd on 2016-06-30. The issue was
resolved by Stefan Eissing that same day and incorporated in
the release of 5th of July 2015 (thus avoiding a bank holiday).

Apache would like to thank all involved for their help with this.

Common Vulnerability Scoring (Version 3) and vector
- ---------------------------------------------------

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C

CVSS Base Score 7.5
CVSS Temporal Score 7.0

1.05 / : 2339 $
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4
Comment: This message is encrypted and/or signed with PGP (gnu-pg, gpg). Contact dirkx@webweaving.org if you cannot read it.

iEYEARECAAYFAld7tMsACgkQ/W+IxiHQpxv09QCgwsaUxNZ0wzZGzozI0el0pqYz
fj0AniAprYMTe0NfLTdUpqIavRSEeCbb
=/FBv
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

May 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    1 Files
  • 2
    May 2nd
    4 Files
  • 3
    May 3rd
    27 Files
  • 4
    May 4th
    17 Files
  • 5
    May 5th
    0 Files
  • 6
    May 6th
    0 Files
  • 7
    May 7th
    0 Files
  • 8
    May 8th
    0 Files
  • 9
    May 9th
    0 Files
  • 10
    May 10th
    0 Files
  • 11
    May 11th
    0 Files
  • 12
    May 12th
    0 Files
  • 13
    May 13th
    0 Files
  • 14
    May 14th
    0 Files
  • 15
    May 15th
    0 Files
  • 16
    May 16th
    0 Files
  • 17
    May 17th
    0 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    0 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close