Bug 987365 - (CVE-2016-4979) VUL-0: CVE-2016-4979: apache2: X509 Client certificate based authentication can be bypassed when HTTP/2 is used
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P5 - None
Severity: Major
Assigned To: Security Team bot
Reported: 2016-07-01 13:58 UTC by Andreas Stieger
Modified: 2016-07-12 12:00 UTC
Found By: Security Response Team

Attachments
trunk patch (1.51 KB, patch), 2016-07-01 14:20 UTC, Andreas Stieger

Comment 3 Andreas Stieger 2016-07-01 14:20:16 UTC
Created attachment 682827
trunk patch

Attached trunk patch.
Comment 4 Andreas Stieger 2016-07-01 14:23:46 UTC
openSUSE 13.2		2.4.10 not affected
openSUSE Leap 42.1	2.4.16 not affected
openSUSE Tumbleweed	2.4.20 affected - built with mod_http2

Apache/apache2 version update will suffice.
Comment 5 Andreas Stieger 2016-07-05 13:41:07 UTC
Security Advisory - Apache Software Foundation
Apache HTTPD WebServer / httpd.apache.org

X509 Client certificate based authentication can
be bypassed when HTTP/2 is used

CVE-2016-4979 / CVSS 7.5

The Apache HTTPD web server (from 2.4.18-2.4.20) did not validate an X509
client certificate correctly when the experimental module for the HTTP/2
protocol is used to access a resource.

The net result is that a resource that should require a valid client certificate
in order to get access can be accessed without that credential.

Background:
-----------

Apache can control access to resources based on various things; such as
a password, IP address and so on. One of the options, when SSL or TLS is
used, is gating access based on the client having access to a private-key of
an X509 client certificate. These client certificates are typically held on
a chipcard (e.g. the CAC card in the US, national identity, banking cards
or, for example, medical-chip cards in Europe). In some cases they
are 'soft tokens', i.e. files, often called PKCS#12 files, which are loaded
into the browser or the 'keychain'.

Gating access based on a client certificate is done by adding a line such as

	SSLVerifyClient require

to the httpd configuration; along with a list of trusted client certificate
authorities (SSLCACertificateFile).

Version 2.4.17 of the Apache HTTP Server introduced an experimental feature:
mod_http2 for the HTTP/2 protocol (RFC7540, previous versions were known as
Google SPDY).

This module is NOT compiled in by default -and- is not enabled by default,
although some distributions may have chosen to do so.

It generally needs to be enabled in the 'Protocols' line in httpd by
adding 'h2' and/or 'h2c' to the 'http/1.1' only default.

The default distributions of the Apache Software Foundation do not include
this experimental feature.

Details:
--------

From version 2.4.18, up to and including version 2.4.20, the server failed
to take the (failed/absent) client certificate validation into account
when providing access to a resource over HTTP/2. This issue has been fixed
in version 2.4.23 (r1750779).

As a result, a resource thought to be secure and requiring a valid
client certificate would be accessible without authentication
provided that mod_http2 was loaded, h2 or h2c activated, that
the browser used the HTTP/2 protocol and it would do more than
one request over a given connection.

Impact:
-------

A third party can gain access to resources on the web server without
the requisite credentials.

This can then lead to unauthorised disclosure of information.

Versions affected:
------------------
All versions from 2.4.18 to 2.4.20. The issue is fixed in
version 2.4.23 (released 2015-6-5)

Resolution:
-----------

Upgrade to version 2.4.23 or newer.

Mitigations and workarounds:
----------------------------

As a temporary workaround, HTTP/2 can be disabled by changing
the configuration by removing h2 and h2c from the Protocols
line(s) in the configuration file.

The resulting line should read:

	Protocols http/1.1

Credits and timeline
--------------------

The flaw was found and reported by Erki Aring <erki@example.ee>
from Liewenthal Electronics Ltd on 2016-06-30. The issue was
resolved by Stefan Eissing that same day and incorporated in
the release of 5th of July 2015 (thus avoiding a bank holiday).

Apache would like to thank all involved for their help with this.

Common Vulnerability Scoring (Version 3) and vector
---------------------------------------------------

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C

CVSS Base Score         7.5
CVSS Temporal Score     7.0

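A defender-side configuration audit for the condition the advisory describes: mod_http2 loaded, h2 or h2c present in Protocols, SSLVerifyClient require in a vhost, and httpd in the 2.4.18 to 2.4.20 range. This is an added example, not code from the bug report or from Apache; the httpd.conf fragment is constructed, the parser is deliberately minimal (no Include, nested sections or per-Directory overrides) and the running version is passed in rather than detected.

```python
# Constructed httpd.conf fragment (not a real deployment): h2 enabled globally,
# one vhost inheriting it while requiring client certs, one overriding Protocols
# back to http/1.1 (the advisory's workaround), one with no SSLVerifyClient.
SAMPLE_CONF = """
LoadModule http2_module modules/mod_http2.so
Protocols h2 http/1.1
<VirtualHost *:443>
    ServerName secure.example.test
    SSLVerifyClient require
</VirtualHost>
<VirtualHost *:443>
    ServerName mitigated.example.test
    Protocols http/1.1
    SSLVerifyClient require
</VirtualHost>
<VirtualHost *:443>
    ServerName public.example.test
</VirtualHost>
"""

AFFECTED = ("2.4.18", "2.4.19", "2.4.20")  # release range named in the advisory

def version_affected(version):
    """True for the httpd releases the advisory lists as affected."""
    return version in AFFECTED

def parse_vhosts(conf):
    """Return (ServerName, directives) per vhost; vhosts inherit global directives."""
    global_dirs, vhosts, current = {}, [], None
    for line in conf.splitlines():
        line = line.strip()
        if line.lower().startswith("<virtualhost"):
            current = dict(global_dirs)  # start from the server-wide settings
        elif line.lower() == "</virtualhost>":
            vhosts.append((current.get("servername", "?"), current))
            current = None
        elif line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            (global_dirs if current is None else current)[key.lower()] = value.strip()
    return vhosts

def at_risk_vhosts(conf, version):
    """Vhosts requiring a client cert while h2/h2c is enabled on an affected build."""
    if not version_affected(version) or "mod_http2.so" not in conf:
        return []
    risky = []
    for name, d in parse_vhosts(conf):
        protocols = set(d.get("protocols", "http/1.1").split())
        if d.get("sslverifyclient", "none").lower() == "require" and protocols & {"h2", "h2c"}:
            risky.append(name)
    return risky
```

Only the vhost that inherits the global h2 line and requires a client certificate is reported; the one that set Protocols back to http/1.1 is the mitigated state the advisory recommends.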
Comment 6 Andreas Stieger 2016-07-05 13:42:56 UTC
2.4.23 code is released: http://www.apache.org/dist/httpd/Announcement2.4.html
Vulnerability details remain embargoed.
Comment 7 Andreas Stieger 2016-07-05 17:41:25 UTC
public at http://seclists.org/oss-sec/2016/q3/12
Comment 8 Marcus Meissner 2016-07-05 20:00:16 UTC
SLES 12 SP2 is affected, you might still be able to rev the minor version
Comment 9 Cristian Rodríguez 2016-07-06 16:21:00 UTC
fixed in tumbleweed.. SR#406993
Comment 10 Kristyna Streitova 2016-07-11 11:28:16 UTC
SLE-12-SP2: apache2 was updated to 2.4.23 (sr#117502).

It seems that we are done here. Reassigning back to the security team.
Comment 11 Andreas Stieger 2016-07-11 11:32:56 UTC
Closing