Bug 1470748 - (CVE-2017-9788) CVE-2017-9788 httpd: Uninitialized memory reflection in mod_auth_digest
CVE-2017-9788 httpd: Uninitialized memory reflection in mod_auth_digest
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
impact=important,public=20170711,repo...
: Security
Depends On: 1470756 1472846 1473693 1473696 1474738 1474739 1474742 1473691 1473692 1473697
Blocks: 1470755
  Show dependency treegraph
 
Reported: 2017-07-13 10:45 EDT by Adam Mariš
Modified: 2017-08-16 19:07 EDT (History)
46 users (show)

See Also:
Fixed In Version: httpd 2.2.34, httpd 2.4.27
Doc Type: If docs needed, set a value
Doc Text:
It was discovered that the httpd's mod_auth_digest module did not properly initialize memory before using it when processing certain headers related to digest authentication. A remote attacker could possibly use this flaw to disclose potentially sensitive information or cause httpd child process to crash by sending specially crafted requests to a server.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Adam Mariš 2017-07-13 10:45:44 EDT
The value placeholder in [Proxy-]Authorization headers of type 'Digest' was not initialized or reset before or between successive key=value assignments by mod_auth_digest. Providing an initial key with no '=' assignment could reflect the stale value of uninitialized pool memory used by the prior request, leading to leakage of potentially confidential information, and a segfault.

Affected are all versions through 2.2.33 and 2.4.26.

External References:

https://httpd.apache.org/security/vulnerabilities_22.html#2.2.34
https://httpd.apache.org/security/vulnerabilities_24.html#2.4.27
Comment 1 Adam Mariš 2017-07-13 11:02:49 EDT
Created httpd tracking bugs for this issue:

Affects: fedora-all [bug 1470756]
Comment 2 Stefan Cornelius 2017-07-19 04:57:09 EDT
Patch:

http://svn.apache.org/viewvc?view=revision&revision=1800919
Comment 11 Stefan Cornelius 2017-07-26 09:16:39 EDT
Mitigation:

If you do not use digest authentication, do not load the "auth_digest_module".

For example, on RHEL 7, this can be done by commenting out or removing the
"LoadModule auth_digest_module modules/mod_auth_digest.so"
line within the /etc/httpd/conf.modules.d/00-base.conf configuration file and restarting the service.

You can then use the "httpd -t -D DUMP_MODULES" command to verify that the module is no longer loaded.
Comment 14 errata-xmlrpc 2017-08-15 14:14:22 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2017:2478 https://access.redhat.com/errata/RHSA-2017:2478
Comment 15 errata-xmlrpc 2017-08-15 14:27:00 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2479 https://access.redhat.com/errata/RHSA-2017:2479
Comment 16 errata-xmlrpc 2017-08-16 19:07:41 EDT
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS

Via RHSA-2017:2483 https://access.redhat.com/errata/RHSA-2017:2483

Note You need to log in before you can comment on or make changes to this bug.