CERT Coordination Center

Buffer Overflow in mod_ssl

Vulnerability Note VU#104555

Original Release Date: 2003-04-17 | Last Revised: 2003-06-17

Overview

A buffer overflow exists in mod_ssl.

Description

mod_ssl is an Apache module that allows secure connections over X.509 authenticated channels. A buffer overflow exists in the ssl_compat_directive() function. For more detailed information, please see the original vulnerability report.

Impact

A local attacker can execute arbitrary code with the privileges of the web server. Additionally, an attacker may be able to add bogus entries to multiple web server log files. An attacker may also be able to slow down or even stop the web server.

Solution

Apply a patch from your vendor.

Do not allow per-directory config files. To accomplish this, set the AllowOverride directive to "none" in the httpd.conf file. As a reminder, you must restart the web server for the changes to take effect.
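The AllowOverride workaround above can be checked mechanically rather than by eye. The POSIX shell script below is an added example, not part of this CERT note and not code from the Apache httpd project: it audits a configuration file for AllowOverride directives set to anything other than None (the setting that disables per-directory .htaccess files) and produces a hardened copy in which every such directive reads "AllowOverride None". The function names and the sample configuration fragment are constructed for the example; the fragment is not a real server's config.

```shell
#!/bin/sh
# Added example (not from the CERT note or the Apache project).
# Audit an httpd.conf-style file for AllowOverride directives whose value is
# not "None", and optionally emit a hardened copy. httpd matches directive
# names case-insensitively, so the checks lowercase before comparing.

# Print "file:line: directive" for every active AllowOverride that is not
# None. Commented-out lines are ignored. Returns 0 when nothing is found
# (per-directory overrides fully disabled), 1 otherwise.
audit_allowoverride() {
    awk '
        /^[[:space:]]*#/ { next }                 # skip comment lines
        tolower($1) == "allowoverride" {
            if (tolower($2) != "none") {
                printf "%s:%d: %s\n", FILENAME, FNR, $0
                bad++
            }
        }
        END { if (bad > 0) exit 1; exit 0 }
    ' "$1"
}

# Write a copy of the file to stdout with every active AllowOverride set to
# None. Indentation and comment lines are preserved so the result diffs cleanly
# against the original.
harden_allowoverride() {
    awk '
        /^[[:space:]]*#/ { print; next }
        tolower($1) == "allowoverride" {
            match($0, /^[[:space:]]*/)            # keep leading whitespace
            print substr($0, 1, RLENGTH) "AllowOverride None"
            next
        }
        { print }
    ' "$1"
}

# Constructed sample fragment (hypothetical paths; not a real server config).
# One block is already locked down, one allows AuthConfig/Limit overrides,
# and one allows everything using lowercase spelling.
write_sample_conf() {
    cat > "$1" <<'EOF'
# Constructed httpd.conf fragment for the example (not a real server config)
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/var/www/html">
    # AllowOverride All
    AllowOverride AuthConfig Limit
</Directory>
<Directory "/var/www/users">
    allowoverride all
</Directory>
EOF
}

# Usage on the constructed sample (commands shown as comments so that sourcing
# this file has no side effects):
#   write_sample_conf /tmp/httpd.conf.sample
#   audit_allowoverride /tmp/httpd.conf.sample || echo "overrides still enabled"
#   harden_allowoverride /tmp/httpd.conf.sample > /tmp/httpd.conf.hardened
#   audit_allowoverride /tmp/httpd.conf.hardened && echo "locked down"
```

Two caveats for real deployments: the script inspects one file, and httpd configurations commonly pull in further files through Include directives, so run it over every included file as well; and on httpd releases of this note's era the default for AllowOverride was All, so a Directory block that omits the directive is not locked down and should be given an explicit "AllowOverride None" (releases from 2.3.9 onward default to None). As the note says, httpd must be restarted for the change to take effect.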

Vendor Information

Apple Computer Inc.

Updated:  April 30, 2003

Status

  Vulnerable

Vendor Statement

This is fixed in Security Update 2002-08-02. Further information is available from:

http://docs.info.apple.com/article.html?artnum=61798

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Conectiva

Updated:  July 08, 2002

Status

  Vulnerable

Vendor Statement

Please see http://lwn.net/Articles/3951/.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Debian

Updated:  April 30, 2003

Status

  Vulnerable

Vendor Statement

This vulnerability was fixed in DSA-135 (02 Jul 2002):

http://www.debian.org/security/2002/dsa-135

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Engarde

Updated:  April 17, 2003

Status

  Vulnerable

Vendor Statement

http://mail-archives.engardelinux.org/engarde-users/2002/Jul/0009.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Hewlett-Packard Company

Updated:  April 17, 2003

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see http://www.securityfocus.com/advisories/4298.

IBM

Updated:  June 17, 2003

Status

  Vulnerable

Vendor Statement

The AIX operating system does not ship with mod_ssl. However, mod_ssl is available for installation on AIX from the Linux Affinity Toolbox.

Users using mod_ssl 2.8.10 or later are not vulnerable to the issues discussed in CERT Vulnerability Note VU#104555 and any advisories which follow.

This vulnerability is present in mod_ssl 2.8.9 and earlier; users are urged to upgrade as soon as possible.

The Linux Affinity Toolbox is available at:

http://www-1.ibm.com/servers/aix/products/aixos/linux/download.html

This software is offered on an "as-is" basis and is unwarranted.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Red Hat Inc.

Updated:  April 30, 2003

Status

  Vulnerable

Vendor Statement

A number of Red Hat products included mod_ssl packages vulnerable to this issue. Updated packages are available along with our advisories at the URLs below. Users of the Red Hat Network can update their systems using the 'up2date' tool.

Red Hat Linux:
http://rhn.redhat.com/errata/RHSA-2002-134.html
Red Hat Enterprise Linux:
http://rhn.redhat.com/errata/RHSA-2002-136.html
Stronghold 3:
http://rhn.redhat.com/errata/RHSA-2002-164.html
Stronghold 4 (cross-platform):
http://rhn.redhat.com/errata/RHSA-2002-146.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

SCO

Updated:  April 17, 2003

Status

  Vulnerable

Vendor Statement

ftp://ftp.caldera.com/pub/updates/OpenUNIX/CSSA-2002-SCO.31/CSSA-2002-SCO.31.txt

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

The mod_ssl project

Updated:  July 08, 2002

Status

  Vulnerable

Vendor Statement

Please see http://www.mail-archive.com/modssl-users@modssl.org/msg14451.html.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Extreme Networks

Updated:  May 01, 2003

Status

  Not Vulnerable

Vendor Statement

Extreme Networks software suite is not vulnerable to the attack explained in VU#104555, as it does not include the Webserver implementation from Apache. Investigation and testing by Extreme Networks engineering reveals the current Webserver implementation in Extreme Networks software suite is not vulnerable to the attack explained in VU#104555.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Foundry Networks Inc.

Updated:  May 07, 2003

Status

  Not Vulnerable

Vendor Statement

Foundry Networks has tested for this vulnerability and is not affected by the buffer overflow in mod_ssl as described in VU#104555.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Hitachi

Updated:  May 08, 2003

Status

  Not Vulnerable

Vendor Statement

Hitachi Web Server is NOT Vulnerable to this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Ingrian Networks

Updated:  May 02, 2003

Status

  Not Vulnerable

Vendor Statement

Ingrian Networks products are not vulnerable to VU#104555.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

SGI

Updated:  April 30, 2003

Status

  Not Vulnerable

Vendor Statement

The mod_ssl that SGI just started shipping as a supported offering, in IRIX 6.5.20, is not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Xerox Corporation

Updated:  May 30, 2003

Status

  Not Vulnerable

Vendor Statement

A response to this vulnerability is available from our web site: http://www.xerox.com/security.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Data General

Notified: April 29, 2003 | Updated: April 29, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

NeXT

Notified: April 29, 2003 | Updated: April 29, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Sun Microsystems Inc.

Updated:  May 08, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


CVSS Metrics

Group          Score   Vector
Base           N/A     N/A
Temporal       N/A     N/A
Environmental  N/A

References

Credit

This vulnerability was discovered by Frank Denis.

This document was written by Ian A Finlay.

Other Information

CVE IDs: CVE-2002-0653
Severity Metric: 23.63
Date Public: 2002-06-24
Date First Published: 2003-04-17
Date Last Updated: 2003-06-17 16:38 UTC
Document Revision: 34

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.