Bugzilla – Bug 1182703
VUL-1: apache2: 404 content spoofing in apache
Last modified: 2021-08-09 12:33:45 UTC
William sent us privately the below report:

https://ma.ttias.be/prevent-content-spoofing-apache-404-error-pages/

I was recently made aware of this through another project. I have checked a default apache2 install on SUSE and I was not able to reproduce, but I could be making a mistake in my reproduction steps. I can't see any of the mitigation steps in the default config, so "in theory" it may affect us. I thought it would be better to let you know so you can double check and see if we need to action anything for our default apache2 installs.

Thanks, and have a great day!

Sincerely,
William Brown
Senior Software Engineer, 389 Directory Server
SUSE Labs, Australia
I investigated it a bit, but surely not thoroughly. I tried to create a virtual host in SLE15-LTSS and re-create the POC, but actually nothing happens other than the normal 404 error, and if I create a custom DNS entry for example.com to point at my localhost using the POC, I get redirected to the legitimate example.com. Not sure if I do something wrong in between, though.

I found similar references at [0] [1] [2] [3] [4] [5].

[0] https://access.redhat.com/solutions/3060531
[1] https://bugzilla.redhat.com/show_bug.cgi?id=921451
[2] https://bz.apache.org/bugzilla/show_bug.cgi?id=59772
[3] https://hackerone.com/reports/106350
[4] https://bugzilla.mozilla.org/show_bug.cgi?id=850546
[5] https://bugzilla.redhat.com/show_bug.cgi?id=1444151
I keep this bug private for now just for having a discussion. Petr, do you remember having seen similar reports in the past?
In my opinion, you cannot reproduce on a default install, because:

1. it depends on the ErrorDocument setting,
2. it depends on the Apache httpd version.

Ad 1] While we set ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var, and as this document by no means pulls in the requested URI, we are safe (modulo this content spoofing issue; I cannot comment on what impact it could have). In case someone sets ErrorDocument 404 default or does not set it at all, the hardcoded response in modules/http/http_protocol.c is used. This is where the httpd version comes into play.

Ad 2] The issue of the default responses in question was silenced by http://svn.apache.org/viewvc?view=revision&revision=1864191

I am surprised I see the CVE-2019-10092 tag there; at least I am not used to finding it in the upstream ChangeLog at all. Anyway, bug 1145740 shows then that I have marked an unrelated commit as a fix for CVE-2019-10092.

So we can perhaps proceed with a new security update with apache2-CVE-2019-10092.patch extended by the r1864191 changes. What do you think?
> I am surprised I see the CVE-2019-10092 tag there; at least I am not used to
> finding it in the upstream ChangeLog at all. Anyway, bug 1145740 shows then that I
> have marked an unrelated commit as a fix for CVE-2019-10092.
>
> So we can perhaps proceed with a new security update with
> apache2-CVE-2019-10092.patch extended by the r1864191 changes. What do you think?

Yes, let's do it like this. Thanks for investigating.
For potential testing, httpd.conf could look like:

-----------------8<-----------------
ServerName test
User abuild
Group abuild
Listen 60080
PidFile /tmp/apache-rex/core-ErrorDocument-basic/pid
ErrorLog /tmp/apache-rex/core-ErrorDocument-basic/error_log
LoadModule auth_basic_module /usr/lib64/apache2-prefork/mod_auth_basic.so
LoadModule dir_module /usr/lib64/apache2-prefork/mod_dir.so
LoadModule authz_host_module /usr/lib64/apache2-prefork/mod_authz_host.so
LoadModule authz_core_module /usr/lib64/apache2-prefork/mod_authz_core.so
DocumentRoot /tmp/apache-rex/core-ErrorDocument-basic/htdocs
DirectoryIndex index.html

### example configuration
ErrorDocument 404 default
---------------->8------------------

$ su abuild
$ /usr/sbin/httpd -f /tmp/apache-rex/core-ErrorDocument-basic/httpd.conf
$ curl http://localhost:60080/bleble

The response should not contain the non-existent /bleble URI, i.e.:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
</body></html>
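The test described in the comment above, turned into a small offline checker (added here as an example; it is not code from the bug, from SUSE or from the Apache project). It parses a captured HTTP response, confirms the status is 404, and reports whether the probe path appears in the body either verbatim or HTML-escaped, which is what distinguishes the fixed built-in error page from one that repeats the request URI. The two sample bodies are constructed: the "safe" one mirrors the expected output quoted in the comment, the "reflecting" one stands in for a page that echoes the path. The `probe` helper is a hypothetical live variant of the curl step and is not exercised by the offline checks.

```python
"""Offline checker for the 404 test described in the bug: does the server's
error page echo the request URI? The sample responses below are constructed."""
import html
import http.client
from typing import Dict, Tuple

# Constructed: the body the bug comment expects from a fixed httpd (no URI).
SAFE_BODY = (
    '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n'
    "<html><head>\n<title>404 Not Found</title>\n</head><body>\n"
    "<h1>Not Found</h1>\n"
    "<p>The requested URL was not found on this server.</p>\n"
    "</body></html>\n"
)

# Constructed: a body that repeats the requested path, which is what the
# check is meant to catch (request-controlled text inside an error page).
REFLECTING_BODY = SAFE_BODY.replace(
    "The requested URL was", "The requested URL /bleble was"
)


def parse_response(raw: bytes) -> Tuple[int, Dict[str, str], str]:
    """Split a raw HTTP/1.x response into (status code, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("utf-8", "replace")


def uri_reflected(requested_path: str, body: str) -> bool:
    """True if the requested path appears in the body, raw or HTML-escaped.

    Use a distinctive probe path (the bug uses /bleble); a trivial path such
    as "/" would match almost any HTML document.
    """
    candidates = {requested_path, html.escape(requested_path, quote=True)}
    return any(c in body for c in candidates)


def check_error_page(raw_response: bytes, requested_path: str) -> str:
    """Classify a captured response as 'clean', 'reflects-uri', or give the
    reason the check could not be applied (non-404 status)."""
    status, _headers, body = parse_response(raw_response)
    if status != 404:
        return f"unexpected status {status}"
    return "reflects-uri" if uri_reflected(requested_path, body) else "clean"


def probe(host: str, port: int, path: str) -> str:
    """Hypothetical live variant of the bug's curl step (not run offline):
    request `path` against a test instance and classify its 404 page."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace")
    finally:
        conn.close()
    if resp.status != 404:
        return f"unexpected status {resp.status}"
    return "reflects-uri" if uri_reflected(path, body) else "clean"


def build_raw(status_line: str, body: str) -> bytes:
    """Assemble a constructed raw response for the offline checks."""
    head = status_line + "\r\nContent-Type: text/html\r\n\r\n"
    return head.encode() + body.encode()


if __name__ == "__main__":
    for label, body in (("fixed", SAFE_BODY), ("reflecting", REFLECTING_BODY)):
        raw = build_raw("HTTP/1.1 404 Not Found", body)
        print(label, "->", check_error_page(raw, "/bleble"))
```

Against the test instance from the comment, `probe("localhost", 60080, "/bleble")` performs the same check on a live server; the offline functions are what you would point at a response saved from curl with `-i`.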
Submitted for 15,12sp2,11sp1/apache2. I believe all fixed.
SUSE-SU-2021:0779-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1145740,1182703
CVE References: CVE-2019-10092
JIRA References:
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): apache2-2.4.23-29.69.1
SUSE Linux Enterprise Server 12-SP5 (src): apache2-2.4.23-29.69.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2021:2004-1: An update that solves 6 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1145740,1180530,1182703,1186922,1186923,1186924,1187017,1187174
CVE References: CVE-2019-10092,CVE-2020-35452,CVE-2021-26690,CVE-2021-26691,CVE-2021-30641,CVE-2021-31618
JIRA References:
Sources used:
SUSE Manager Server 4.0 (src): apache2-2.4.33-3.50.1
SUSE Manager Retail Branch Server 4.0 (src): apache2-2.4.33-3.50.1
SUSE Manager Proxy 4.0 (src): apache2-2.4.33-3.50.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src): apache2-2.4.33-3.50.1
SUSE Linux Enterprise Server for SAP 15 (src): apache2-2.4.33-3.50.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src): apache2-2.4.33-3.50.1
SUSE Linux Enterprise Server 15-SP1-BCL (src): apache2-2.4.33-3.50.1
SUSE Linux Enterprise Server 15-LTSS (src): apache2-2.4.33-3.50.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): apache2-2.4.33-3.50.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): apache2-2.4.33-3.50.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src): apache2-2.4.33-3.50.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): apache2-2.4.33-3.50.1
SUSE Enterprise Storage 6 (src): apache2-2.4.33-3.50.1
SUSE CaaS Platform 4.0 (src): apache2-2.4.33-3.50.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
done