Bug 1163555 (CVE-2014-3583)

Summary: CVE-2014-3583 httpd: mod_proxy_fcgi handle_headers() buffer over read
Product: [Other] Security Response
Reporter: Murray McAllister <mmcallis>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: aneelica, cdewolf, ceph-eng-bugs, dandread, darran.lofthouse, dknox, fnasser, huwang, jason.greene, jawilson, jclere, jdoyle, jkaluza, jorton, lgao, mmaslano, myarboro, pahan, pgier, pslavice, rmeggins, rsvoboda, sisharma, twalsh, vdanen, vtunka, webstack-team, weli
Target Milestone: ---
Keywords: Reopened, Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: httpd 2.4.11
Doc Type: Bug Fix
Doc Text:
A buffer overflow flaw was found in mod_proxy_fcgi's handle_headers() function. A malicious FastCGI server that httpd is configured to connect to could send a carefully crafted response that would cause an httpd child process handling the request to crash.
Story Points: ---
Last Closed: 2015-10-02 05:46:55 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1163556, 1167515, 1257049
Bug Blocks: 1163562

Description Murray McAllister 2014-11-13 02:36:35 UTC
The following flaw has been fixed in the Apache HTTP Server:

"A buffer overflow was found in mod_proxy_fcgi. A malicious FastCGI server could send a carefully crafted response which could lead to a heap buffer overflow."

Patch for trunk:

http://svn.apache.org/viewvc?view=revision&revision=1638818

External References:

http://httpd.apache.org/security/vulnerabilities_24.html

Comment 1 Murray McAllister 2014-11-13 02:38:47 UTC
Created httpd tracking bugs for this issue:

Affects: fedora-all [bug 1163556]

Comment 2 Arun Babu Neelicattu 2014-11-13 08:52:49 UTC
Statement:

Not vulnerable. This issue did not affect the versions of httpd as shipped with Red Hat Enterprise Linux 5, 6 and 7, Red Hat Software Collections 1, Red Hat JBoss Web Server 1 and 2, and Red Hat JBoss Enterprise Application Platform 6.

Comment 3 Tomas Hoger 2014-11-14 12:35:38 UTC
The affected mod_proxy_fcgi module was first introduced upstream in version 2.4 (or development version 2.3).  The httpd version 2.4 is currently only available in Red Hat Enterprise Linux 7 and Red Hat Software Collections 1.  Other Red Hat products that include httpd use older upstream versions (2.2 or 2.0) that do not include the mod_proxy_fcgi module.

Comment 5 Tomas Hoger 2014-11-24 21:11:57 UTC
This is a buffer over-read issue in the handle_headers() function in mod_proxy_fcgi.  The function iterates over the input string buffer until it finds the end of headers (delimited using \n\n or \r\n\r\n, or until a \0 is found, indicating the end of the string).  Before the fix, the function did not get the length of the buffer, or a pointer to its end, so it could not detect the end of the buffer and prevent reading past it.

In httpd 2.4.10, the buffer passed to handle_headers() can be either stack or heap based.  Only a stack-based buffer is used in earlier versions.

This issue can be triggered by a malicious FastCGI server that httpd is configured to connect to.  It may also be triggered if a non-malicious FastCGI server is made to generate a response with unexpectedly large headers.

Considering that the over-read stops when the first \0 byte is encountered, this seems unlikely to lead to an easily reproducible crash.  Additionally, a crash would be limited to the specific httpd child process handling the request.

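The scan that comment 5 describes, written out as an added C illustration (this is not httpd's own code, and the real handle_headers() differs in detail): the pre-fix shape receives only a pointer and stops at nothing but a NUL byte, while the post-fix shape also receives the number of valid bytes and checks every index against it. The function names, the header samples and the offsets are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not code from httpd. The two scans below model the
 * header-terminator search that comment 5 describes: walk the buffer until
 * "\n\n" or "\r\n\r\n" (end of headers) or a NUL byte (end of string).
 * Function names and sample data are constructed for this example. */

/* Pre-fix shape: the scan receives only a pointer and relies on the caller
 * having NUL-terminated the buffer. With no end-of-headers marker present
 * and no NUL in place, the loop keeps reading beyond the caller's buffer
 * until it happens to meet a zero byte. Returns the offset just past the
 * end-of-headers marker, or -1 if the string ends first. */
long headers_end_unbounded(const char *buf)
{
    const char *p = buf;
    while (*p != '\0') {                       /* the only stop condition */
        if (p[0] == '\n' && p[1] == '\n')
            return (long)(p - buf) + 2;
        if (p[0] == '\r' && p[1] == '\n' && p[2] == '\r' && p[3] == '\n')
            return (long)(p - buf) + 4;
        p++;
    }
    return -1;
}

/* Post-fix shape: the caller also passes the number of valid bytes, so
 * every index is checked against len and the scan stops at the end of the
 * buffer whether or not a NUL or an end-of-headers marker is there. */
long headers_end_bounded(const char *buf, size_t len)
{
    size_t i;
    for (i = 0; i < len && buf[i] != '\0'; i++) {
        if (i + 1 < len && buf[i] == '\n' && buf[i + 1] == '\n')
            return (long)i + 2;
        if (i + 3 < len && buf[i] == '\r' && buf[i + 1] == '\n'
            && buf[i + 2] == '\r' && buf[i + 3] == '\n')
            return (long)i + 4;
    }
    return -1;
}

/* Constructed sample: a complete FastCGI-style header block followed by a
 * body. Both scans find the end of headers at the same offset (28). */
static const char complete_headers[] =
    "Content-Type: text/plain\r\n\r\nhello";

/* Constructed sample: a header block cut off before its terminator and
 * stored WITHOUT a trailing NUL inside the declared window, the situation
 * comment 8 attributes to the change that dropped NUL termination. */
static const char truncated_headers[] = {
    'S', 't', 'a', 't', 'u', 's', ':', ' ', '2', '0', '0', '\r', '\n',
    'X', '-', 'A', ':', ' ', 'b', '\r', '\n'
};

long demo_complete(void)
{
    return headers_end_bounded(complete_headers, sizeof complete_headers - 1);
}

/* The bounded scan reports "no end of headers in this window" instead of
 * walking past truncated_headers; the unbounded scan must not be called on
 * this buffer at all, which is exactly the pre-fix defect. */
long demo_truncated(void)
{
    return headers_end_bounded(truncated_headers, sizeof truncated_headers);
}

int main(void)
{
    printf("complete:  unbounded=%ld bounded=%ld\n",
           headers_end_unbounded(complete_headers), demo_complete());
    printf("truncated: bounded=%ld\n", demo_truncated());
    return 0;
}
```

The point of the bounded version is not the extra argument by itself but that each multi-byte comparison is guarded by an index check against len, so a terminator that is cut off mid-sequence at the end of the window cannot pull the scan past it either.
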
Comment 8 Tomas Hoger 2014-11-25 12:25:42 UTC
This flaw was introduced via the following commit:

http://svn.apache.org/viewvc?view=revision&revision=1594537

Prior to the change, the code ensured that the buffer passed to the handle_headers() function was always properly NUL terminated, as was expected by the function.

The change was added in the httpd upstream version 2.4.10, which is the only version affected by this flaw.  The upstream vulnerabilities page is now updated to no longer list 2.4.1 - 2.4.9 as affected by this issue.

The httpd packages in Red Hat Enterprise Linux 7 and Red Hat Software Collections 1 are based on upstream version 2.4.6 and were not affected by this issue.

Comment 9 Tomas Hoger 2014-11-25 12:29:15 UTC
(In reply to Tomas Hoger from comment #5)
> In httpd 2.4.10, the buffer passed to the handle_headers() can either be
> stack or heap based.  Only stack based buffer is used in earlier versions.

Relevant upstream commit is:

http://svn.apache.org/viewvc?view=revision&revision=1601749

Comment 10 Fedora Update System 2015-02-28 10:22:48 UTC
httpd-2.4.10-2.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2015-03-16 01:41:37 UTC
httpd-2.4.10-15.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2015-05-03 23:12:59 UTC
mod_proxy_fcgi-2.4.10-1.20150415gitd45a11f.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 errata-xmlrpc 2015-10-01 20:26:07 UTC
This issue has been addressed in the following products:

  Red Hat Common for RHEL 6

Via RHSA-2015:1855 https://rhn.redhat.com/errata/RHSA-2015-1855.html

Comment 15 errata-xmlrpc 2015-10-01 21:01:10 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 1.2 for CentOS 6

Via RHSA-2015:1858 https://access.redhat.com/errata/RHSA-2015:1858