This service will be undergoing maintenance at 00:00 UTC, 2016-08-01. It is expected to last about 1 hours
Bug 750935 - (CVE-2011-4415) CVE-2011-4415 httpd: SetEnvIf resource exhaustion
CVE-2011-4415 httpd: SetEnvIf resource exhaustion
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
impact=low,public=20111102,reported=2...
: Security
Depends On:
Blocks: 750936
  Show dependency treegraph
 
Reported: 2011-11-02 17:14 EDT by Vincent Danen
Modified: 2012-01-27 15:43 EST (History)
9 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-12-22 09:44:09 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Vincent Danen 2011-11-02 17:14:55 EDT
It was reported [1] that an integer overflow was found in Apache in the ap_pregsub() function called from mod-setenvif.  When a header field is mangled using SetEnvIf, the new environment variable data can be multiples of the size of the submitted header field.  This would cause ap_pregsub() to overflow the length value in buffer size calculations, leading to the subsequent allocation call of a too-small buffer.  Filling this buffer with user-supplied data will lead to a buffer overflow.

Depending on the input data, this can lead to excessive allocation of server memory (resulting in killed processes due to out-of-memory conditions), invalid memory access when copying large amounts of data (which can lead to a termination of the httpd process), or possibly allowing the execution of arbitrary code.

To trigger this flaw, mod_setenvif must be enabled (the default) and the attacker needs to be able to place a crafted .htaccess file on the server (which, in most cases, would require local access to the file system or some web interface that allows for writing arbitrary files to the local file system, such as for custom .htaccess files).

There is currently no upstream fix, however to work around the problem, disable mod_setenvif.

[1] http://www.halfdog.net/Security/2011/ApacheModSetEnvIfIntegerOverflow/
Comment 1 Vincent Danen 2011-11-02 17:19:47 EDT
Created httpd tracking bugs for this issue

Affects: fedora-all [bug 750937]
Comment 3 Vincent Danen 2011-11-08 10:24:19 EST
MITRE has assigned an additional CVE to this issue (CVE-2011-4415), the description of both CVEs are as follows:


Common Vulnerabilities and Exposures assigned an identifier CVE-2011-3607 to
the following vulnerability:

Name: CVE-2011-3607
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3607
Assigned: 20110921
Reference: http://archives.neohapsis.com/archives/fulldisclosure/2011-11/0023.html
Reference: http://www.halfdog.net/Security/2011/ApacheModSetEnvIfIntegerOverflow/
Reference: http://www.halfdog.net/Security/2011/ApacheModSetEnvIfIntegerOverflow/DemoExploit.html
Reference: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/811422
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=750935
Reference: http://www.securityfocus.com/bid/50494
Reference: http://www.osvdb.org/76744
Reference: http://securitytracker.com/id?1026267
Reference: http://secunia.com/advisories/45793
Reference: http://xforce.iss.net/xforce/xfdb/71093

Integer overflow in the ap_pregsub function in server/util.c in the
Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when
the mod_setenvif module is enabled, allows local users to gain
privileges via a .htaccess file with a crafted SetEnvIf directive, in
conjunction with a crafted HTTP request header, leading to a
heap-based buffer overflow.


Common Vulnerabilities and Exposures assigned an identifier CVE-2011-4415 to
the following vulnerability:

Name: CVE-2011-4415
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4415
Assigned: 20111108
Reference: http://www.halfdog.net/Security/2011/ApacheModSetEnvIfIntegerOverflow/
Reference: http://www.halfdog.net/Security/2011/ApacheModSetEnvIfIntegerOverflow/DemoExploit.html
Reference: http://www.gossamer-threads.com/lists/apache/dev/403775

The ap_pregsub function in server/util.c in the Apache HTTP Server
2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif
module is enabled, does not restrict the size of values of environment
variables, which allows local users to cause a denial of service
(memory consumption or NULL pointer dereference) via a .htaccess file
with a crafted SetEnvIf directive, in conjunction with a crafted HTTP
request header, related to (1) the "len +=" statement and (2) the
apr_pcalloc function call, a different vulnerability than
CVE-2011-3607.
Comment 4 Tomas Hoger 2011-11-08 10:33:00 EST
Upstream fix adding check for integer overflow:
  http://svn.apache.org/viewvc?view=revision&revision=1198940

It does not add any protection against memory consumption / CVE-2011-4415 issue.
Comment 6 Tomas Hoger 2011-12-01 08:25:36 EST
(In reply to comment #4)
> Upstream fix adding check for integer overflow:
>   http://svn.apache.org/viewvc?view=revision&revision=1198940

This fix is only for trunk and is not applicable to 2.2.x and older httpd versions without further changes.  It's currently unclear if the fix is going to be backported to older httpd branches:
  http://thread.gmane.org/gmane.comp.apache.devel/46260

> It does not add any protection against memory consumption / CVE-2011-4415
> issue.

Upstream discussion on whether resource consumption issues triggered by bad .htaccess configuration should (or can) be handled as security or not:
  http://thread.gmane.org/gmane.comp.apache.devel/46339
Comment 7 Tomas Hoger 2011-12-21 07:53:26 EST
(In reply to comment #6)
> > It does not add any protection against memory consumption / CVE-2011-4415
> > issue.
> 
> Upstream discussion on whether resource consumption issues triggered by bad
> .htaccess configuration should (or can) be handled as security or not:
>   http://thread.gmane.org/gmane.comp.apache.devel/46339

Upstream consensus is that any resource consumption issues triggered by bad .htaccess configuration are not considered security:
  http://thread.gmane.org/gmane.comp.apache.devel/46339/focus=46768
Comment 9 Tomas Hoger 2012-01-12 05:32:50 EST
CVE-2011-3607 was split to a separate bug #769844.
Comment 18 Vincent Danen 2012-01-27 15:43:19 EST
The upstream security team does not consider this to be a flaw:

http://thread.gmane.org/gmane.comp.apache.devel/46339/focus=46783

Statement:

The ASF Security Team does not consider resource exhaustion caused by .htaccess files to be a security defect.  The Red Hat Security Response Team agrees with their assessment and so does not consider this to be a security flaw.

Note You need to log in before you can comment on or make changes to this bug.