Bug 1182703

Summary: VUL-1: apache2: 404 content spoofing in apache
Product: [Novell Products] SUSE Security Incidents Reporter: Alexandros Toptsoglou <atoptsoglou>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P4 - Low CC: atoptsoglou, rfrohl, william.brown
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/278513/
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Alexandros Toptsoglou 2021-02-24 17:00:30 UTC
Wiliam sent us privately the below report: 

https://ma.ttias.be/prevent-content-spoofing-apache-404-error-pages/

I was recently made aware of this through another project. I have checked a default apache2 install on suse and I was not able to reproduce, but I could be making a mistake in my reproduction steps. I can't see any of the mitigation steps in the default config so "in theory" it may affect us.

I thought it would be better to let you know so you can double check, and see if we need to action anything for our default apache2 installs.

Thanks, and have a great day! 

—
Sincerely,

William Brown

Senior Software Engineer, 389 Directory Server
SUSE Labs, Australia
Comment 1 Alexandros Toptsoglou 2021-02-24 17:01:18 UTC
I investigated it a bit but surely not
thoroughly. I tried to create in SLE15-LTSS a virtual host and re-create
the POC but actually nothing happens, other than the normal 404 error
and if I create a custom DNS to example.com to point in my localhost
using the POC I get redirected to the legitimate example.com. Not sure
if I do something wrong in between though.
I found similar references at [0] [1] [2] [3] [4] [5]. 

[0] https://access.redhat.com/solutions/3060531
[1]https://bugzilla.redhat.com/show_bug.cgi?id=921451
[2]https://bz.apache.org/bugzilla/show_bug.cgi?id=59772
[3]https://hackerone.com/reports/106350
[4]https://bugzilla.mozilla.org/show_bug.cgi?id=850546
[5]https://bugzilla.redhat.com/show_bug.cgi?id=1444151
Comment 2 Alexandros Toptsoglou 2021-02-24 17:02:45 UTC
I keep this bug private for now just for having a discussion. Petr do you remember having seen similar reports in the past?
Comment 4 Petr Gajdos 2021-03-03 13:42:02 UTC
In my opinion:

You cannot reproduce on default install, because:
1. it depends on ErrorDocument setting,
2. it depends on Apache httpd version.

Ad 1]

While we set

 ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var

and as this document by no means pulls requested URI, we are safe (modulo this content spoofing issue, I cannot comment on what impact it could have). In case when someone sets

  ErrorDocument 404 default

or does not set it at all, hardcoded response in modules/http/http_protocol.c is used. This is where httpd version comes into play.

Ad 2]

The issue of default responses in question was silenced by

http://svn.apache.org/viewvc?view=revision&revision=1864191

I am surprised I see CVE-2019-10092 tag there, at least I am not used to find it in upstream ChangeLog at all. Anyway, bug 1145740 shows then that I have marked unrelated commit as a fix for CVE-2019-10092.

So we can perhaps proceed with new security update with apache2-CVE-2019-10092.patch extended by r1864191 changes. What do you think?
Comment 5 Alexandros Toptsoglou 2021-03-04 13:12:06 UTC
> I am surprised I see CVE-2019-10092 tag there, at least I am not used to
> find it in upstream ChangeLog at all. Anyway, bug 1145740 shows then that I
> have marked unrelated commit as a fix for CVE-2019-10092.
> 
> So we can perhaps proceed with new security update with
> apache2-CVE-2019-10092.patch extended by r1864191 changes. What do you think?

Yes let's do it like this. Thanks for investigating.
Comment 6 Petr Gajdos 2021-03-04 16:13:24 UTC
For potential testing:

httpd.conf could look like:
-----------------8<-----------------
ServerName test
User abuild
Group abuild
Listen 60080
PidFile /tmp/apache-rex/core-ErrorDocument-basic/pid
ErrorLog /tmp/apache-rex/core-ErrorDocument-basic/error_log
LoadModule auth_basic_module /usr/lib64/apache2-prefork/mod_auth_basic.so
LoadModule dir_module /usr/lib64/apache2-prefork/mod_dir.so
LoadModule authz_host_module /usr/lib64/apache2-prefork/mod_authz_host.so
LoadModule authz_core_module /usr/lib64/apache2-prefork/mod_authz_core.so
DocumentRoot /tmp/apache-rex/core-ErrorDocument-basic/htdocs
DirectoryIndex index.html

### example configuration

ErrorDocument 404 default
---------------->8------------------

$ su abuild
$ /usr/sbin/httpd -f /tmp/apache-rex/core-ErrorDocument-basic/httpd.conf
$ curl http://localhost:60080/bleble

The response should not contain not existing /bleble uri, i. e:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
</body></html>
Comment 7 Petr Gajdos 2021-03-04 16:20:01 UTC
Submitted for 15,12sp2,11sp1/apache2.

I believe all fixed.
Comment 10 Swamp Workflow Management 2021-03-12 20:22:05 UTC
SUSE-SU-2021:0779-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1145740,1182703
CVE References: CVE-2019-10092
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    apache2-2.4.23-29.69.1
SUSE Linux Enterprise Server 12-SP5 (src):    apache2-2.4.23-29.69.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Swamp Workflow Management 2021-06-17 19:20:31 UTC
SUSE-SU-2021:2004-1: An update that solves 6 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1145740,1180530,1182703,1186922,1186923,1186924,1187017,1187174
CVE References: CVE-2019-10092,CVE-2020-35452,CVE-2021-26690,CVE-2021-26691,CVE-2021-30641,CVE-2021-31618
JIRA References: 
Sources used:
SUSE Manager Server 4.0 (src):    apache2-2.4.33-3.50.1
SUSE Manager Retail Branch Server 4.0 (src):    apache2-2.4.33-3.50.1
SUSE Manager Proxy 4.0 (src):    apache2-2.4.33-3.50.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    apache2-2.4.33-3.50.1
SUSE Linux Enterprise Server for SAP 15 (src):    apache2-2.4.33-3.50.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    apache2-2.4.33-3.50.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    apache2-2.4.33-3.50.1
SUSE Linux Enterprise Server 15-LTSS (src):    apache2-2.4.33-3.50.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    apache2-2.4.33-3.50.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    apache2-2.4.33-3.50.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    apache2-2.4.33-3.50.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    apache2-2.4.33-3.50.1
SUSE Enterprise Storage 6 (src):    apache2-2.4.33-3.50.1
SUSE CaaS Platform 4.0 (src):    apache2-2.4.33-3.50.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Marcus Meissner 2021-08-09 12:33:45 UTC
done