Cyber Alert: Optionsbleed Vulnerability for Apache Web Servers
Date Issued: September 20, 2017
The Multi-State Information Sharing and Analysis Center (MS-ISAC) is aware of a use-after-free memory bug called “Optionsbleed” affecting the Apache Web Server program, httpd. The bug allows a corrupted “Allow” header, possibly including sensitive data, to be constructed in response to an HTTP OPTIONS request. The greatest threat is to organizations that have outsourced servers to a web hosting provider, although there is a limited threat to organizations hosting their own web servers.
Apache’s configuration is spread throughout the directory tree using “.htaccess” files. Each .htaccess file sets configuration options for the directory in which it resides and the directories beneath it, unless another .htaccess file is present lower in the tree. This structure allows multiple websites, or virtual hosts, to share one server, one directory tree, and one copy of httpd. Virtual hosts could represent multiple departments within an organization or multiple customers within a shared web hosting service, and the .htaccess file allows each customer to configure their own directory subtree.
Within the .htaccess file there are settings, which Apache calls directives. Among these is the Limit directive, which allows an administrator to restrict the HTTP methods allowed within the current directory tree. The HTTP OPTIONS method lets a client learn which methods the web server officially supports; normal OPTIONS replies carry no body content. Setting an inapplicable Limit causes Apache to free the associated memory, but Apache continues to refer to that memory space, even after it has been reallocated to another part of the Apache program.
The Optionsbleed vulnerability exists when a misconfigured .htaccess file causes the OPTIONS response to contain body content drawn from the freed memory. The vulnerability is only triggered when the misconfigured .htaccess file is queried. Thus, if any of the HTTP methods an administrator configures in the directive is not applicable, the vulnerability is triggered and the data returned comes from the memory of the Apache server process, which can include content from other websites or from the server itself, possibly including sensitive information. An unauthenticated, remote attacker can purposely trigger the vulnerability by sending an HTTP OPTIONS request to the server; both servers hosting multiple websites and servers hosting a single website are affected. This can be triggered:
- on an Apache Web Server hosting multiple websites, when the Limit setting in the web server’s own .htaccess file contains the same HTTP method as the .htaccess file of any individual website hosted on that server;
- or on any Apache Web Server, regardless of the number of hosted websites, if a non-existent or invalid method is included in the Limit setting of the .htaccess file.
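The two trigger conditions above can be checked for on a locally hosted server before the patch is applied. The following script is an added example, not MS-ISAC or Apache code: it parses `<Limit>`/`<LimitExcept>` block openers in .htaccess text and reports methods that httpd does not recognise, as well as methods that are also limited at the server level. The `KNOWN_METHODS` baseline, the assumed server-level Limit (`GET`) and both .htaccess samples are constructed for the example.

```python
"""Audit Apache .htaccess text for the two <Limit> conditions the advisory
describes: a method httpd does not recognise, and a method that is also
limited in the server-level configuration.  Added example, not MS-ISAC or
Apache code."""
import os
import re

# Baseline of method names httpd recognises natively.  Assumption for this
# example: extend it with any methods registered by modules you load.
KNOWN_METHODS = frozenset({
    "GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE", "PATCH",
    "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK",
})

# Opening tag of a <Limit ...> or <LimitExcept ...> block; both name methods.
LIMIT_OPEN = re.compile(r"^\s*<(Limit|LimitExcept)\s+([^>]+)>", re.IGNORECASE)


def limit_methods(htaccess_text):
    """Yield (line_no, directive, method) for each method named in a block opener.
    Method names are case-sensitive in httpd, so 'get' is not 'GET'."""
    for line_no, line in enumerate(htaccess_text.splitlines(), 1):
        match = LIMIT_OPEN.match(line)
        if not match:
            continue
        for method in match.group(2).split():
            yield line_no, match.group(1), method.strip('"')


def audit(htaccess_text, server_limit_methods=frozenset(), known=KNOWN_METHODS):
    """Return findings as (line_no, method, reason) tuples; an empty list means clean."""
    findings = []
    for line_no, directive, method in limit_methods(htaccess_text):
        if method not in known:
            findings.append((line_no, method,
                             "unknown or invalid method in <%s>" % directive))
        if method in server_limit_methods:
            findings.append((line_no, method,
                             "method also limited in server-level config"))
    return findings


def audit_tree(root, server_limit_methods=frozenset()):
    """Walk a document root and audit every .htaccess file found beneath it."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = audit(fh.read(), server_limit_methods)
            if findings:
                results[path] = findings
    return results


# Constructed samples.  The server-level config is assumed to limit GET.
SERVER_LIMITED = frozenset({"GET"})

VULNERABLE_HTACCESS = """\
# constructed sample: GET collides with the server-level Limit, FOOBAR is unknown
<Limit GET POST FOOBAR>
    Require valid-user
</Limit>
"""

FIXED_HTACCESS = """\
# constructed sample: only a recognised method that the server does not also limit
<Limit POST>
    Require valid-user
</Limit>
"""

if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE_HTACCESS), ("fixed", FIXED_HTACCESS)):
        print(name, audit(text, SERVER_LIMITED))
```

Run `audit_tree("/path/to/docroot", SERVER_LIMITED)` over a real document root to get a per-file report; the method list and the server-level set should be filled in from the actual httpd.conf and loaded modules of the host being checked.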
An unauthenticated, remote attacker can also create a website on the web server, purposely trigger the Optionsbleed bug in their own .htaccess file, and continuously run OPTIONS requests in order to gather leaked data from the web server.
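Both facts above give a defender something to look for in the access log: normal OPTIONS replies carry no body, and exploitation means repeated OPTIONS requests from one client. The script below is an added example, not MS-ISAC or Apache code; it parses Common Log Format lines, flags 2xx OPTIONS responses whose `%b` body size is non-zero, and flags clients whose OPTIONS request count reaches a burst threshold. The log lines and the threshold of 5 are constructed for the example.

```python
"""Detect Optionsbleed-style activity in Apache access logs: OPTIONS responses
that carry a body (normal OPTIONS replies have none) and clients issuing OPTIONS
requests in volume.  Added example, not MS-ISAC or Apache code."""
import re
from collections import Counter

# Common Log Format prefix: client ident user [time] "method path proto" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')


def parse_line(line):
    """Return (client, method, status, body_bytes) or None for unparseable lines.
    httpd logs '-' for a zero-byte body (%b), which is normalised to 0 here."""
    match = CLF.match(line)
    if not match:
        return None
    client, method, _path, status, size = match.groups()
    body_bytes = 0 if size == "-" else int(size)
    return client, method, int(status), body_bytes


def analyze(lines, burst_threshold=5):
    """Flag OPTIONS responses with a body and clients at or above the OPTIONS burst threshold."""
    with_body = []
    options_per_client = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, method, status, body_bytes = parsed
        if method != "OPTIONS":
            continue
        options_per_client[client] += 1
        # A 2xx OPTIONS answer with body content is exactly what the advisory
        # says a normal reply does not have.  Application handlers (for example
        # CORS preflight logic) can legitimately produce one, so tune per site.
        if 200 <= status < 300 and body_bytes > 0:
            with_body.append((client, body_bytes))
    bursts = {c: n for c, n in options_per_client.items() if n >= burst_threshold}
    return {"options_with_body": with_body, "options_bursts": bursts}


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.5 - - [20/Sep/2017:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.5 - - [20/Sep/2017:10:00:02 +0000] "OPTIONS / HTTP/1.1" 200 -
198.51.100.7 - - [20/Sep/2017:10:00:03 +0000] "OPTIONS / HTTP/1.1" 200 312
198.51.100.7 - - [20/Sep/2017:10:00:03 +0000] "OPTIONS /site2/ HTTP/1.1" 200 287
198.51.100.7 - - [20/Sep/2017:10:00:04 +0000] "OPTIONS / HTTP/1.1" 200 -
198.51.100.7 - - [20/Sep/2017:10:00:04 +0000] "OPTIONS / HTTP/1.1" 200 -
198.51.100.7 - - [20/Sep/2017:10:00:05 +0000] "OPTIONS / HTTP/1.1" 200 -
garbage line that does not parse
""".splitlines()

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Feed it a real file with `analyze(open("/var/log/apache2/access.log"))`; the body-size signal is the more specific of the two, since a leak shows up as a non-empty OPTIONS response even at low request rates, while the burst count catches the sustained harvesting the advisory describes.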
Statistically, the Optionsbleed vulnerability affects 0.12% of web servers, based on tests of the Alexa Top 1,000,000 websites.
The MS-ISAC recommends:
- Apply the patch that is available from Apache source code servers at the following link: https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/core.c?r1=1805223&r2=1807754&pathrev=1807754&view=patch
- Ensure that your hosting provider is running a non-affected version of Apache Web Server.
- For locally hosted Apache Web Servers, verify the .htaccess file configuration.
- As other web server software may use Apache Web Server software, apply patches from other web server vendors when applicable.
- Verify that no unauthorized modifications have occurred on the system before applying the patch.
- Frequently validate type and content of uploaded data.
- Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.