CVE Reference: CAN-2005-1268
Date: Jul 26 2005
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Description: A vulnerability was reported in Apache mod_ssl in the processing of certificate revocation lists (CRLs). A remote user may be able to cause arbitrary code to be executed. A remote user can create a specially crafted CRL that, when processed by the Apache mod_ssl callback function, will trigger an off-by-one buffer overflow. Arbitrary code may be executed. The vulnerability can be triggered when printing CRL information at the 'debug' LogLevel. Marc Stern from CSC is credited with discovering this vulnerability.
Impact: A remote user may be able to cause Apache to execute arbitrary code in certain situations.
Solution: The vendor has issued a source code fix, available via SVN.
Apache please advise
Advisory talks about SVN, it's here: http://svn.apache.org/viewcvs.cgi?rev=179781&view=rev --- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c 2005/04/19 20:02:09 161958 +++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c 2005/06/03 12:54:53 179781 @@ -1408,7 +1408,7 @@ BIO_printf(bio, ", nextUpdate: "); ASN1_UTCTIME_print(bio, X509_CRL_get_nextUpdate(crl)); - n = BIO_read(bio, buff, sizeof(buff)); + n = BIO_read(bio, buff, sizeof(buff) - 1); buff[n] = '\0'; BIO_free(bio);
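Review bot: the return value `n` of `BIO_read` is used unchecked as an index in `buff[n] = '\0';` on the line after the changed one; `BIO_read` returns 0 or a negative value when no data is available or the read fails, so a negative `n` would place the terminator before the start of `buff`. Suggest guarding the result before the assignment, e.g. `if (n < 0) n = 0;`. The `sizeof(buff) - 1` change itself is correct: with the old `sizeof(buff)` read, a full buffer gave `n == sizeof(buff)` and the terminator landed one byte past the end of `buff`.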
This one is very lame. Not sure we should consider it a vulnerability.
Apache do you agree?
===========================================================
Ubuntu Security Notice USN-160-1 August 04, 2005
apache2 vulnerabilities
[...]
Marc Stern discovered a buffer overflow in the SSL module's certificate revocation list (CRL) handler. If Apache is configured to use a malicious CRL, this could possibly lead to a server crash or arbitrary code execution with the privileges of the Apache web server. (CAN-2005-1268)
===========================================================
I am still to be convinced.
Examining the patch provided suggests that despite the description this is definitely not exploitable to execute arbitrary code, simply cause a denial of service. As the server must be in debug mode and configured to accept a malicious CRL we consider this highly unlikely to ever affect any users. Closing this security bug, the fix will filter down from upstream. If anyone disagrees, please REOPEN.
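To make the off-by-one discussed in this thread concrete, the following is an added example, not code from the Apache patch or from any participant here. It reproduces the read-then-terminate pattern from the hunk against a fixed-size buffer with a canary byte placed just past its end, so the one-byte overrun is observable without undefined behaviour. `bio_read_stub()` is a hypothetical stand-in for OpenSSL's `BIO_read()` (copies up to `cap` bytes, returns the count, or -1 on failure); the 16-byte buffer size and the sample input are constructed for the demonstration. The fixed variant also shows the negative-return guard that the patched lines still lack.

```c
/* Added example: demonstrates the off-by-one in the pre-patch read/terminate
 * pattern and the effect of the sizeof(buff) - 1 fix. Builds without OpenSSL. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUFF_LEN 16      /* constructed logical size of the stack buffer */
#define CANARY   0xA5    /* marker byte stored immediately past the buffer */

/* Hypothetical stand-in for BIO_read(): copy up to `cap` bytes from `src`
 * into `dst`; return bytes copied, or -1 when the source is unavailable. */
static int bio_read_stub(const char *src, size_t srclen, char *dst, size_t cap)
{
    if (src == NULL)
        return -1;
    size_t n = srclen < cap ? srclen : cap;
    memcpy(dst, src, n);
    return (int)n;
}

/* Run the pattern "n = read(buff, readcap); buff[n] = '\0';" against a
 * BUFF_LEN buffer followed by a canary. Returns 1 if the canary was
 * overwritten (the NUL landed one past the buffer), 0 otherwise.
 * `out_len` receives the resulting string length when non-NULL. */
static int run_pattern(const char *src, size_t srclen, size_t readcap,
                       int guard_negative, size_t *out_len)
{
    unsigned char storage[BUFF_LEN + 1];
    char *buff = (char *)storage;            /* buff occupies storage[0..15] */
    memset(storage, 0, sizeof(storage));
    storage[BUFF_LEN] = CANARY;

    int n = bio_read_stub(src, srclen, buff, readcap);
    if (guard_negative && n < 0)
        n = 0;                               /* avoid indexing before buff */
    buff[n] = '\0';                          /* n == BUFF_LEN clobbers the canary */

    if (out_len)
        *out_len = strlen(buff);
    return storage[BUFF_LEN] != CANARY;
}

/* Pre-patch pattern: reads sizeof(buff) bytes, no negative-return guard.
 * Only call with a non-NULL source; the unguarded form is the point. */
int vulnerable_copy_clobbers_canary(const char *src, size_t srclen)
{
    return run_pattern(src, srclen, BUFF_LEN, 0, NULL);
}

/* Patched pattern: reads sizeof(buff) - 1 bytes, plus the suggested guard. */
int fixed_copy_clobbers_canary(const char *src, size_t srclen)
{
    return run_pattern(src, srclen, BUFF_LEN - 1, 1, NULL);
}

/* Length of the string produced by the patched pattern (0 on a failed read). */
size_t fixed_copy_len(const char *src, size_t srclen)
{
    size_t len = 0;
    run_pattern(src, srclen, BUFF_LEN - 1, 1, &len);
    return len;
}

int main(void)
{
    /* Constructed sample: longer than the buffer, like a verbose CRL date line. */
    const char sample[] = "nextUpdate: Jul 26 00:00:00 2005 GMT";
    size_t len = sizeof(sample) - 1;

    printf("pre-patch pattern overruns by one: %s\n",
           vulnerable_copy_clobbers_canary(sample, len) ? "yes" : "no");
    printf("patched pattern overruns by one:   %s\n",
           fixed_copy_clobbers_canary(sample, len) ? "yes" : "no");
    printf("patched pattern keeps %zu bytes of input\n", fixed_copy_len(sample, len));
    return 0;
}
```

The canary only flips when the input fills the buffer completely, which is why a short CRL field never trips it and why the bug went unnoticed until a long enough date string was printed at the debug LogLevel. The one-byte NUL write is also what makes the thread's "crash rather than code execution" assessment plausible: the attacker controls neither the written value nor its offset.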