According to the Computer Emergency Response Team (CERT) Coordination Center, a malformed request sent to Web servers based on Apache code versions 1.3 through 1.3.24 and versions 2.0 through 2.0.36 can crash or even lead to the exploitation of some servers.
The warning, which was first reported by Internet Security Systems (ISS), has created bad blood in the software security space, as Apache officials were upset they weren't notified before ISS issued its advisory and patch. "We were also notified today by ISS that they had published the same issue which has forced the early release of this advisory," the Foundation said.
It added that the security patch issued by ISS "does not correct this vulnerability."
The Apache Foundation said versions of its Web server up to and including 1.3.24, and 2.0 up to and including 2.0.36 and the 2.0.36-dev versions, contain a bug in the routines which deal with invalid requests encoded using chunked encoding. The vulnerability could be triggered remotely by sending a carefully crafted invalid chunked-encoded request, and chunked encoding is enabled by default, it explained.
"In most cases the outcome of the invalid request is that the child process dealing with the request will terminate. At the least, this could help a remote attacker launch a denial of service attack as the parent process will eventually have to replace the terminated child process and starting new children uses non-trivial amounts of resources," Apache said.
Because Apache servers on the Windows and NetWare platforms run one multithreaded child process to service requests, the Foundation said the teardown and subsequent setup time to replace the lost child process presents a significant interruption of service. "As the Windows and Netware ports create a new process and reread the configuration, rather than fork a child process, this delay is much more pronounced than on other platforms," it explained.
In the Apache 2.0 version, it said the error condition is correctly detected and would not allow an attacker to execute code on the server. In Apache 1.3, it said the issue causes a stack overflow.
"Due to the nature of the overflow on 32-bit Unix platforms this will cause a segmentation violation and the child will terminate. However on 64-bit platforms the overflow can be controlled and so for platforms that store return addresses on the stack it is likely that it is further exploitable. This could allow arbitrary code to be run on the server as the user the Apache children are set to run as," Apache said, adding that Apache 1.3 on Windows was also exploitable in this way.
While the Apache Foundation has released two new versions to correct the vulnerability, it said a comprehensive patch would be posted on its Web site.
The CERT advisory said vendor patches should be used to correct the vulnerability but warned that statements from affected vendors may not be readily available "because the publication of this advisory was unexpectedly accelerated," an obvious reference to the brouhaha over the way the ISS handled the issue.
Meanwhile, the ISS issued a rebuttal statement, confirming the patch it issued will not work "if the DoS vulnerability is related to the (stack) overflow."
"If the DoS vulnerability is related to the overflow then the ISS patch will work to prevent it. The unsigned comparison prevents any stack overflow and as a result any related DoS issue is prevented. If the DoS issue is unrelated, then of course the ISS patch will not be of any help," the ISS said in a statement posted on the BugTraq list.
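The ISS statement above turns on a signed-versus-unsigned comparison of the chunk size taken from a chunked-encoded request. The following is an added, constructed illustration of that bug class (it is not Apache's code, and the article does not reproduce the actual Apache routine or the exact defect): a minimal chunk-size line parser, a length check done with a signed `long`, and the same check done unsigned. The buffer size `CHUNK_BUF` and the function names are assumptions for the example.

```c
/* Constructed example: why a signed bounds check on an HTTP chunk size
 * fails and an unsigned comparison holds. Not Apache's code. */
#include <stdio.h>
#include <ctype.h>

#define CHUNK_BUF 4096  /* hypothetical size of an on-stack chunk buffer */

/* Value of one hex digit, or -1 if the character is not a hex digit. */
static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse a chunk-size line such as "1a\r\n" or "1a;ext=1\r\n".
 * Accumulates into an unsigned long, wrapping on overflow the way a naive
 * parser does, so an over-long digit string yields a high-bit-set value.
 * Sets *ok to 0 if the line has no digits or an unexpected terminator. */
unsigned long parse_chunk_size(const char *line, int *ok) {
    unsigned long v = 0;
    int ndigits = 0, d;
    while ((d = hexval((unsigned char)*line)) >= 0) {
        v = v * 16u + (unsigned long)d;
        ndigits++;
        line++;
    }
    *ok = (ndigits > 0 && (*line == '\r' || *line == ';' || *line == '\0'));
    return *ok ? v : 0;
}

/* Signed check: the size is held in a long. A wrapped value such as
 * 0xffff...ffff becomes -1 and satisfies "size <= CHUNK_BUF", so the
 * bogus chunk is accepted. Returns 1 if accepted, 0 if rejected. */
int signed_check_accepts(const char *line) {
    int ok;
    long size = (long)parse_chunk_size(line, &ok);
    if (!ok) return 0;
    return size <= (long)CHUNK_BUF;
}

/* Unsigned check: the same value compared as unsigned. Any size larger
 * than the buffer, including wrapped values, is rejected. */
int unsigned_check_accepts(const char *line) {
    int ok;
    unsigned long size = parse_chunk_size(line, &ok);
    if (!ok) return 0;
    return size <= (unsigned long)CHUNK_BUF;
}

int main(void) {
    /* Constructed sample chunk-size lines. */
    const char *lines[] = { "1a\r\n", "2000\r\n", "ffffffffffffffff\r\n", "zz\r\n" };
    size_t i;
    for (i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        printf("%-22s signed: %s  unsigned: %s\n", lines[i],
               signed_check_accepts(lines[i]) ? "accept" : "reject",
               unsigned_check_accepts(lines[i]) ? "accept" : "reject");
    }
    return 0;
}
```

The wrapped value parses to all-ones on both 32-bit and 64-bit `long`, so the signed check accepts it on either platform while the unsigned check rejects it; the accept/reject table is the kind of evidence a reviewer would want when checking whether a patch like the one ISS describes actually closes the length check.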