OptionsBleed – The Apache HTTP Server Now Bleeds

A new vulnerability in the Apache HTTP server was found recently. Designated as CVE-2017-9798, this vulnerability lies in how Apache handles certain settings in its configuration files, resulting in memory leaks. This vulnerability is named OptionsBleed, based on its similarities with the Heartbleed vulnerability. Patches to Apache are now available.

What is OptionsBleed?

A use-after-free bug exists in the Apache HTTP Server when it handles certain settings in .htaccess configuration file(s). When an attacker sends an unauthenticated HTTP request with the OPTIONS method to a vulnerable Apache server, the server reveals some secret data from the memory in response to the request.

The following screenshot shows a typical response for an OPTIONS request from a vulnerable Apache HTTP Server. The highlighted part is the information leaked from the memory:

Figure 1. Memory leak resulting from OPTIONS request

As per Hanno Böck (the researcher who found this vulnerability) and Apache developer Jacob Champion, Apache supports a configuration directive Limit that restricts access to certain HTTP methods to specific users. If one sets this directive in a .htaccess file for an HTTP method that’s not globally registered with the server, the corruption occurs. We were able to reproduce this vulnerability when the value for Limit directive is set to an invalid (or custom) HTTP method in the .htaccess file.

While doing further debugging, we noticed that the OPTIONS method is not needed to exploit this bug. Any HTTP request that forces the server to send an Allow header in the response can be used to trigger the vulnerability.

One common example of this is the 501 Method Not Implemented response to a request with an unknown HTTP method. As shown in the screenshot below, when a non-vulnerable Apache HTTP Server receives an HTTP Request with an unknown method, it responds with HTTP Status code 501 and the response will have the Allow header with a list of HTTP methods supported by the server.

Figure 2. Correct HTTP 501 response

With a vulnerable server and a misconfigured .htaccess file, the same HTTP Request with an unknown method will leak parts of data from process memory in the Allow response header, as shown below.

Figure 3. Memory leak resulting from a misconfigured .htaccess file

How serious it is?

In general, .htaccess files provide a way to make configuration changes on a per-directory basis instead of using the main server configuration file.

The official Apache HowTo Guide for .htaccess file says:

You should avoid using .htaccess files completely if you have access to httpd main server config file. Using .htaccess files slows down your Apache http server. Any directive that you can include in a .htaccess file is better set in a Directory block, as it will have the same effect with better performance.

Looking at the above guidelines and considering the necessary pre-conditions, OptionsBleed doesn’t appear to be a critical bug.

However, when a user does not have access to the main server configuration file, the .htaccess file can be used to set configurations specific to your website. This will be the case in typical shared web hosting environments, where ISPs do not share root access to the server system and the main server configuration file.

An attacker using a shared host can maliciously craft a .htaccess file for his own website and, use the vulnerability to try to collect the memory leaks. This may contain sensitive data from any other co-hosted websites. Shared hosting is commonly used by many site owners with limited requirements; OptionsBleed puts those users at risk.

Both the 2.2.x (up to 2.2.34) and the 2.4.x branches (up to 2.4.27) are affected by this vulnerability. Patches have already been released by many Linux distributions to cover this flaw, and we recommend that system administrators do so if they haven’t already.

Conclusion

Deep Security customers can use the following DPI Rule to configure allowed HTTP methods in their environment and restrict the possibility of data leak through requests with unknown HTTP methods.

1002593 – Allow HTTP (Including WebDAV) Methods

System administrators should upgrade their installed versions of Apache HTTP Servers and disable the use of .htaccess files, if possible. Site owners without access to these directly and reliant on their ISPs should prod these service providers to upgrade as well.

TippingPoint has posted a Customer Shield Writer (CSW) file for this vulnerability that are available for customers to download on TMC. The applicable rule is as follows: