CVE-2017-3167: ap_get_basic_auth_pw authentication bypass

CVE-2017-3167: ap_get_basic_auth_pw authentication bypass

Jacob Champion-3
CVE-2017-3167: ap_get_basic_auth_pw authentication bypass

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.2.0 to 2.2.32
httpd 2.4.0 to 2.4.25

Description:
Use of the ap_get_basic_auth_pw() by third-party modules outside of the
authentication phase may lead to authentication requirements being
bypassed.

Mitigation:
2.2.x users should either apply the patch available at
https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-3167.patch
or upgrade in the future to 2.2.33, which is currently unreleased.

2.4.x users should upgrade to 2.4.26.

Third-party module writers SHOULD use ap_get_basic_auth_components(),
available in 2.2.33 and 2.4.26, instead of ap_get_basic_auth_pw().
Modules which call the legacy ap_get_basic_auth_pw() during the
authentication phase MUST either immediately authenticate the user after
the call, or else stop the request immediately with an error response,
to avoid incorrectly authenticating the current request.

Credit:
The Apache HTTP Server security team would like to thank Emmanuel
Dreyfus for reporting this issue.

References:
https://httpd.apache.org/security_report.html
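To make the advisory's warning concrete, the following is an added, self-contained C model written for this page; it is not httpd's code: request_rec, the two functions and the authorization step are simplified stand-ins that reproduce only the behaviour at issue, namely that the legacy ap_get_basic_auth_pw() sets r->user as a side effect before any password is checked, while ap_get_basic_auth_components() hands back the credentials and leaves r->user alone.

```c
#include <string.h>
#include <strings.h>

/* Minimal stand-in for httpd's request_rec: only the fields this CVE touches are
 * modelled (an assumption of this example, not the real struct). */
typedef struct {
    const char *authorization; /* Authorization: request header, or NULL */
    const char *user;          /* httpd: a non-NULL r->user means "identity established" */
    char decoded[256];         /* scratch space for the decoded "user:password" */
} request_rec;

enum { OK = 0, HTTP_UNAUTHORIZED = 401 };
static const char B64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
/* Model of ap_get_basic_auth_components(): decodes "Basic <base64>" into user and
 * password but leaves r->user untouched; callers set r->user only after verifying. */
static int get_basic_auth_components(request_rec *r, const char **user, const char **pw) {
    unsigned acc = 0; int bits = 0; size_t o = 0; char *colon;
    if (!r->authorization || strncasecmp(r->authorization, "Basic ", 6)) return HTTP_UNAUTHORIZED;
    for (const char *s = r->authorization + 6; *s && *s != '='; s++) {
        const char *p = strchr(B64, *s);          /* *s is never '\0' inside the loop */
        if (!p || o + 1 >= sizeof r->decoded) return HTTP_UNAUTHORIZED;
        acc = (acc << 6) | (unsigned)(p - B64); bits += 6;
        if (bits >= 8) { bits -= 8; r->decoded[o++] = (char)(acc >> bits); }
    }
    r->decoded[o] = '\0';
    if (!(colon = strchr(r->decoded, ':'))) return HTTP_UNAUTHORIZED;
    *colon = '\0'; *user = r->decoded; *pw = colon + 1;
    return OK;
}

/* Model of the legacy ap_get_basic_auth_pw(): same parse, plus the side effect that
 * makes it unsafe outside the authentication phase: r->user is set before anyone
 * has checked the password. */
static int legacy_get_basic_auth_pw(request_rec *r, const char **pw) {
    const char *user;
    int rv = get_basic_auth_components(r, &user, pw);
    if (rv == OK) r->user = user;
    return rv;
}

/* A third-party hook that only peeks at the claimed username from outside the authn
 * phase (no provider verifies anything), then an authorization step that, like
 * "Require valid-user", trusts a non-NULL r->user. Returns 1 if let through unverified. */
static int bypassed(int use_legacy, const char *authz_header) {
    request_rec r = { authz_header, NULL, "" };
    const char *user, *pw;
    if (use_legacy) legacy_get_basic_auth_pw(&r, &pw);
    else            get_basic_auth_components(&r, &user, &pw);
    return r.user != NULL;
}
```

The constructed header "Basic YWxpY2U6c2VjcmV0" (alice:secret) passes the trusting check only through the legacy path, which is exactly why a module that calls ap_get_basic_auth_pw() must authenticate or reject the request on the spot.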

Re: CVE-2017-3167: ap_get_basic_auth_pw authentication bypass

William A Rowe Jr
Not to announce@httpd? users@ and dev@ aren't particularly
broadcast channels.

[hidden email] might be too wide an audience, but that's why
we document the CVEs with short notes in the foundation-wide
release announcement. At least, used to document them.


On Mon, Jun 19, 2017 at 5:08 PM, Jacob Champion <[hidden email]> wrote:

> CVE-2017-3167: ap_get_basic_auth_pw authentication bypass
>
> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> httpd 2.2.0 to 2.2.32
> httpd 2.4.0 to 2.4.25
>
> Description:
> Use of the ap_get_basic_auth_pw() by third-party modules outside of the
> authentication phase may lead to authentication requirements being
> bypassed.
>
> Mitigation:
> 2.2.x users should either apply the patch available at
> https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-3167.patch
> or upgrade in the future to 2.2.33, which is currently unreleased.
>
> 2.4.x users should upgrade to 2.4.26.
>
> Third-party module writers SHOULD use ap_get_basic_auth_components(),
> available in 2.2.33 and 2.4.26, instead of ap_get_basic_auth_pw().
> Modules which call the legacy ap_get_basic_auth_pw() during the
> authentication phase MUST either immediately authenticate the user after
> the call, or else stop the request immediately with an error response,
> to avoid incorrectly authenticating the current request.
>
> Credit:
> The Apache HTTP Server security team would like to thank Emmanuel
> Dreyfus for reporting this issue.
>
> References:
> https://httpd.apache.org/security_report.html

Re: CVE-2017-3167: ap_get_basic_auth_pw authentication bypass

Jacob Champion-2
On 06/19/2017 03:35 PM, William A Rowe Jr wrote:
> Not to announce@httpd? users@ and dev@ aren't particularly
> broadcast channels.
>
> [hidden email] might be too wide an audience, but that's why
> we document the CVEs with short notes in the foundation-wide
> release announcement. At least, used to document them.

I was following Jim's lead on the first CVE announcement. I'm not
opposed to a [SECURITY] announcement for all five; just timid. :)

Any opposed to me copying all five to announce@httpd?

--Jacob

Re: CVE-2017-3167: ap_get_basic_auth_pw authentication bypass

William A Rowe Jr
On Mon, Jun 19, 2017 at 5:41 PM, Jacob Champion <[hidden email]> wrote:

> On 06/19/2017 03:35 PM, William A Rowe Jr wrote:
>>
>> Not to announce@httpd? users@ and dev@ aren't particularly
>> broadcast channels.
>>
>> [hidden email] might be too wide an audience, but that's why
>> we document the CVEs with short notes in the foundation-wide
>> release announcement. At least, used to document them.
>
>
> I was following Jim's lead on the first CVE announcement. I'm not opposed to
> a [SECURITY] announcement for all five; just timid. :)
>
> Any opposed to me copying all five to announce@httpd?

None at all, I have moderation and will push it on.

Just FYI you must always send from your @apache.org identity
when pushing mail to any announce@ list, because all other posts
are pre-filtered before moderation.

Re: CVE-2017-3167: ap_get_basic_auth_pw authentication bypass

Jacob Champion-2
On 06/19/2017 03:44 PM, William A Rowe Jr wrote:
> None at all, I have moderation and will push it on.

They are on their way over to you. Thanks for the suggestion.

--Jacob

Re: CVE-2017-3167: ap_get_basic_auth_pw authentication bypass

William A Rowe Jr
On Mon, Jun 19, 2017 at 5:49 PM, Jacob Champion <[hidden email]> wrote:
> On 06/19/2017 03:44 PM, William A Rowe Jr wrote:
>>
>> None at all, I have moderation and will push it on.
>
> They are on their way over to you. Thanks for the suggestion.

... and moderated. Thanks!