Bug 1695020 (CVE-2019-0217) - CVE-2019-0217 httpd: mod_auth_digest: access control bypass due to race condition
Summary: CVE-2019-0217 httpd: mod_auth_digest: access control bypass due to race condi...
Status: NEW
Alias: CVE-2019-0217
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20190401,repor...
Keywords: Security
Depends On: 1696140 1696141 1696142 1695046
Blocks: 1694984
Reported: 2019-04-02 10:10 UTC by Dhananjay Arunesh
Modified: 2019-07-08 08:57 UTC (History)
A race condition was found in mod_auth_digest when the web server was running in a threaded MPM configuration. It could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.
Clone Of:
Last Closed:



Description Dhananjay Arunesh 2019-04-02 10:10:17 UTC
In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.

Comment 3 Dhananjay Arunesh 2019-04-02 11:32:50 UTC
Created httpd tracking bugs for this issue:

Affects: fedora-all [bug 1695046]

Comment 4 Huzaifa S. Sidhpurwala 2019-04-04 06:55:06 UTC
Upstream patch:

http://svn.apache.org/viewvc?view=revision&revision=1855298

Comment 8 Huzaifa S. Sidhpurwala 2019-04-04 08:31:10 UTC
Analysis:

This issue only affected Digest authentication configurations. If the attacker is able to win the race condition, it is possible that with valid credentials of one user, the attacker can log in as some other user (without knowing the credentials for that user). Also only threaded MPM configurations are affected.

Red Hat Enterprise Linux 7 and Red Hat Software Collections do not ship httpd package in threaded MPM configuration by default.

Based on the fact that digest authentication is rarely used in modern day web applications and httpd package shipped with Red Hat products do not ship threaded MPM configuration by default, this flaw has been rated as having Moderate level security impact.

Comment 12 Doran Moppert 2019-04-09 02:46:05 UTC
rhvm-appliance does not use Digest authentication, thus marking it notaffected.

Comment 15 Huzaifa S. Sidhpurwala 2019-05-15 09:41:31 UTC
Statement:

Based on the fact that digest authentication is rarely used in modern day web applications and httpd package shipped with Red Hat products do not ship threaded MPM configuration by default, this flaw has been rated as having Moderate level security impact. Red Hat Enterprise Linux 6 is now in Maintenance Support 2 Phase of the support and maintenance life cycle. This flaw has been rated as having a security impact of Moderate, and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

Comment 18 Huzaifa S. Sidhpurwala 2019-05-22 05:58:47 UTC
Mitigation:

This flaw only affects a threaded server configuration, so using the prefork MPM is an effective mitigation.  In versions of httpd package shipped with Red Hat Enterprise Linux 7, the prefork MPM is the default configuration.
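
Added example, not part of the bug report or the httpd project: a Python check that tests a configuration against the three conditions named in the comments above (2.4.38 or earlier, a threaded MPM, Digest authentication). The function names and sample configurations are constructed for illustration; `<IfModule>` conditions are not evaluated and Include files are not followed.

```python
import re

# Threaded MPMs; prefork is the non-threaded MPM named in the mitigation.
THREADED_MPMS = {"mpm_worker_module", "mpm_event_module"}
LAST_AFFECTED = (2, 4, 38)  # bug description: "2.4.38 and prior"

# Constructed sample configurations, not taken from the bug report.
SAMPLE_THREADED = """
LoadModule mpm_event_module modules/mod_mpm_event.so
LoadModule auth_digest_module modules/mod_auth_digest.so
<Location "/private">
    AuthType Digest
    AuthName "private"
    Require valid-user
</Location>
"""
SAMPLE_PREFORK = SAMPLE_THREADED.replace(
    "LoadModule mpm_event_module modules/mod_mpm_event.so",
    "#LoadModule mpm_event_module modules/mod_mpm_event.so\n"
    "LoadModule mpm_prefork_module modules/mod_mpm_prefork.so")

def active_directives(conf_text):
    """Yield (lowercased name, args) for each directive line, skipping
    comments and <Section> tags. Include files are not followed."""
    for line in conf_text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "<")):
            name, *args = line.split()
            yield name.lower(), args

def assess(conf_text, upstream_version):
    """Evaluate the three conditions the bug comments name."""
    ver = tuple(map(int, re.match(r"(\d+)\.(\d+)\.(\d+)", upstream_version).groups()))
    result = {"affected_version": ver[:2] == (2, 4) and ver <= LAST_AFFECTED,
              "threaded_mpm": False, "digest_auth": False}
    for name, args in active_directives(conf_text):
        if name == "loadmodule" and args and args[0] in THREADED_MPMS:
            result["threaded_mpm"] = True
        elif name == "authtype" and args and args[0].lower() == "digest":
            result["digest_auth"] = True
    result["exposed"] = all(result.values())  # all three conditions must hold
    return result

if __name__ == "__main__":
    for label, conf in (("threaded", SAMPLE_THREADED), ("prefork", SAMPLE_PREFORK)):
        print(label, assess(conf, "2.4.38"))
```

The version test compares upstream version numbers only, so a distribution package that carries a backported fix will still be reported as affected. An MPM compiled statically into the binary has no `LoadModule` line; the `Server MPM:` line of `httpd -V` shows it in that case.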

