"Optionsbleed" memory disclosure vulnerability in Apache


A memory disclosure vulnerability named “Optionsbleed” was reported in the Apache HTTP Server. It is caused by a use-after-free bug in the httpd application. A remote attacker can send a crafted HTTP OPTIONS request and reveal small chunks of server memory, leaking sensitive information.

The root of this vulnerability is the .htaccess configuration file. When a Limit directive in a user's .htaccess file names an HTTP method that is not globally registered in the server, a memory corruption bug is triggered. Hanno Böck, who discovered this vulnerability, gives the following example of the leaked memory:

  Allow: ,GET,,,POST,OPTIONS,HEAD,,
  Allow: POST,OPTIONS,,HEAD,:09:44 GMT
  Allow: GET,HEAD,OPTIONS,,HEAD,,HEAD,,HEAD,, HEAD,,HEAD,,HEAD,,HEAD,POST,,HEAD,, HEAD,!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"
  Allow: GET,HEAD,OPTIONS,=write HTTP/1.0,HEAD,,HEAD,POST,,HEAD,TRACE

The leaked data looks quite similar to that of the critical “Heartbleed” vulnerability in the OpenSSL library in April 2014, although the data chunks are much smaller than Heartbleed’s 64 KB. Also, there is no way to distinguish normal traffic from attack traffic, which makes this attack hard to detect.

A massive scan of the Alexa top 1 million websites showed that 466 servers had misconfigured .htaccess files and sent back odd responses with an Allow header containing what appeared to be corrupted data.

Apache has officially released patches for this vulnerability:

  • https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/core.c?r1=1805223&r2=1807754&pathrev=1807754&view=patch
  • https://blog.fuzzing-project.org/uploads/apache-2.2-optionsbleed-backport.patch

With the patch applied, the Apache server rejects the unregistered methods that appear in a .htaccess file.

We recommend that Apache users upgrade their servers with the latest patch as soon as possible, and also check the Limit sections in their .htaccess files to prevent the vulnerability. SonicWall has also developed the following signature to identify and stop the attacks:

  • App Control 12986: “HTTP Protocol — OPTIONS”

Instructions on configuring the SonicWall App Control feature: https://www.sonicwall.com/en-us/support/knowledge-base/170505381440321
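The two defensive checks the post points at, auditing Limit blocks in .htaccess for methods the server does not register and spotting Allow headers that carry corrupted data like the leak sample above, as an added Python example (not SonicWall's or Apache's code). The set of registered methods is an assumption (HTTP/1.1 plus PATCH) and must be extended with whatever methods the audited server's modules register; the .htaccess sample is constructed, and two of the Allow values are quoted from the leak sample in this post.

```python
import re

# Assumed baseline of registered methods (HTTP/1.1 plus PATCH). Extend it with
# any methods that loaded modules register on the server being audited.
REGISTERED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT",
                      "OPTIONS", "TRACE", "PATCH"}

# RFC 7230 "token" characters: all a legitimate Allow entry may contain.
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# Directive names are case-insensitive in Apache; method names are not.
LIMIT_RE = re.compile(r"<Limit(?:Except)?\s+([^>]*)>", re.IGNORECASE)

# Constructed sample .htaccess; the LimitExcept block names an unregistered method.
SAMPLE_HTACCESS = ("<Limit GET POST>\nRequire valid-user\n</Limit>\n"
                   "<LimitExcept GET POST FOOBAR>\nRequire all denied\n</LimitExcept>\n")

# Two Allow values quoted from the leak sample in the post, plus a clean one.
SAMPLE_ALLOW = [",GET,,,POST,OPTIONS,HEAD,,",
                "POST,OPTIONS,,HEAD,:09:44 GMT",
                "GET,HEAD,POST,OPTIONS"]


def unregistered_limit_methods(htaccess_text):
    """Methods named in <Limit>/<LimitExcept> that are not registered: the
    .htaccess condition the post describes (names are compared exactly)."""
    found = []
    for match in LIMIT_RE.finditer(htaccess_text):
        found.extend(m for m in match.group(1).split()
                     if m not in REGISTERED_METHODS)
    return found


def allow_header_anomalies(allow_value):
    """Signs of a corrupted Allow header in a response: empty entries, bytes
    outside the token alphabet, unregistered names, repeated entries."""
    anomalies, seen = [], set()
    for entry in (e.strip() for e in allow_value.split(",")):
        if entry == "":
            anomalies.append("empty entry")
        elif not TOKEN_RE.match(entry):
            anomalies.append("non-token bytes: %r" % entry)
        elif entry not in REGISTERED_METHODS:
            anomalies.append("unregistered method: " + entry)
        elif entry in seen:
            anomalies.append("duplicate entry: " + entry)
        seen.add(entry)
    return anomalies
```

Running `unregistered_limit_methods(SAMPLE_HTACCESS)` returns `['FOOBAR']`, and `allow_header_anomalies` flags the two quoted leak values while returning an empty list for the clean one.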

References:

  1. Optionsbleed – HTTP OPTIONS method can leak Apache’s server memory, https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.