SonicWall Security Center


"OptionBleed" memory disclosure vulnerability in Apache (Sep 22, 2017)



Description


A memory disclosure vulnerability named "Optionbleed" was reported in the Apache server. It is caused by a use-after-free bug in the httpd application. A remote attacker can send a crafted HTTP OPTIONS request and reveal small chunks of server memory, leaking sensitive information.

The cause of this vulnerability lies in the .htaccess configuration file. When the Limit directive is set for a user for an HTTP method that is not globally registered in the server, a memory corruption vulnerability is triggered. Below is one example of the memory leak, according to Hanno Bock, the discoverer of this vulnerability:

Allow: ,GET,,,POST,OPTIONS,HEAD,,
Allow: POST,OPTIONS,,HEAD,:09:44 GMT
Allow: GET,HEAD,OPTIONS,,HEAD,,HEAD,,HEAD,, HEAD,,HEAD,,HEAD,,HEAD,POST,,HEAD,, HEAD,!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"
Allow: GET,HEAD,OPTIONS,=write HTTP/1.0,HEAD,,HEAD,POST,,HEAD,TRACE

The leaked data looks quite similar to that of the critical "HeartBleed" vulnerability in the OpenSSL library from Apr 2014, although the data chunk is much smaller than HeartBleed's 64 KB. Also, there is no way to distinguish normal traffic from attack traffic, which makes this attack hard to detect.

A massive scan of the Alexa top 1 million websites shows that 466 servers have misconfigured the .htaccess file and sent back odd responses with an Allow header containing what appeared to be corrupted data.
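As an added example (not SonicWall's or Apache's code), the Python sketch below checks Allow header values collected from your own servers for the kinds of corruption visible in the samples above: empty list elements, elements that are not valid method tokens, and repeated methods. The function names and the last, clean sample line are assumptions made for illustration, and the checks are heuristics rather than proof of a leak.

```python
import re

# RFC 7230 "token": the only characters an HTTP method name may contain.
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

def audit_allow(value):
    """Return the anomalies found in one Allow header value (heuristic)."""
    findings, seen = [], set()
    for raw in value.split(","):
        item = raw.strip()
        if not item:
            findings.append("empty list element")
        elif not TOKEN.match(item):
            # Anything that is not a token cannot be a method name.
            findings.append("non-token element: %r" % item[:40])
        elif item in seen:
            findings.append("repeated method: " + item)
        seen.add(item)
    return list(dict.fromkeys(findings))  # de-duplicate, keep order

def flag_responses(header_lines):
    """Map each suspicious 'Allow:' line to its findings; skip clean lines."""
    flagged = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() == "allow":
            findings = audit_allow(value)
            if findings:
                flagged[line] = findings
    return flagged

SAMPLES = [
    "Allow: ,GET,,,POST,OPTIONS,HEAD,,",                    # from the advisory
    "Allow: POST,OPTIONS,,HEAD,:09:44 GMT",                 # from the advisory
    "Allow: GET,HEAD,OPTIONS,=write HTTP/1.0,HEAD,,HEAD,POST,,HEAD,TRACE",  # from the advisory
    "Allow: GET,HEAD,POST,OPTIONS",                         # constructed clean response
]

if __name__ == "__main__":
    for line, findings in flag_responses(SAMPLES).items():
        print(line, "->", "; ".join(findings))
```

A server whose responses are flagged this way should have the Limit sections of its .htaccess files reviewed and the patch applied.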

Apache has officially released patches for this vulnerability:

  • https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/core.c?r1=1805223&r2=1807754&pathrev=1807754&view=patch
  • https://blog.fuzzing-project.org/uploads/apache-2.2-optionsbleed-backport.patch

With the patch, the Apache server now denies new methods that appear in the .htaccess file.

We recommend that Apache users upgrade their servers with the latest patch as soon as possible, and also check the Limit section in the .htaccess file to prevent the vulnerability. SonicWall has also developed the following signature to identify and stop the attacks:

  • App Control 12986: "HTTP Protocol -- OPTIONS"

Instructions on configuring the SonicWall App Control feature: https://www.sonicwall.com/en-us/support/knowledge-base/170505381440321

References:

  1. Optionsbleed - HTTP OPTIONS method can leak Apache's server memory, https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html


