CVE-2020-11984: Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE
Virsec Security Research Lab Vulnerability Report
The Virsec Security Research Lab, helmed by Virsec CTO, Satya Gupta, provides timely, relevant analysis about prevalent security vulnerabilities.
1.1 Vulnerability Summary
Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi is vulnerable to info disclosure and possible RCE. A malicious request can easily overflow packet size by sending a small number of headers with a length that is close to the LimitRequestFieldSize default value of 8190. This can be used to trick UWSGI into parsing parts of the serialized subprocess environment as part of the POST body. An attacker might be able to leak sensitive environment variables as part of the POST body and/or strip security sensitive headers from the request. If UWSGI is explicitly configured in persistent mode (puwsgi), this can also be used to smuggle a second UWSGI request leading to remote code execution.
Watch the video to learn more about this and other important vulnerabilities.
1.2 CVSS Score
The CVSS Base score of this vulnerability is 9.8 (Critical).
1.3 Affected Version
Apache HTTP Server versions 2.4.32 to 2.4.43.
1.4 Vulnerability Attribution
As per Apache, this exploit has been discovered by Felix Wilhelm of Google Project Zero.
1.5 Risk Impact
The Apache HTTP Server is a powerful and flexible HTTP/1.1 compliant web server. Originally designed as a replacement for the NCSA HTTP Server, it has grown to be the most popular web server on the Internet. Apache HTTP Server is a tool in the Web Servers category of a tech stack.
As per link, Apache HTTP server has 49% of the market share in webserver market. An Attacker can exploit this vulnerability and cause a memory corruption, that can lead to RCE and damage the confidentiality, integrity, and availability of any of these vulnerable servers run by these companies. Publicly available exploits are available for this vulnerability.
1.6 Virsec Security Platform (VSP) Support:
VSP-Host monitors processes that are spawned which are not part of a set of whitelisted process. Any attempt to execute new command or unknown binary would be denied by VSP-Host’s Process Monitoring capability.
1.7 Reference Links:
- https://packetstormsecurity.com/files/159009/Apache2-mod_proxy_uwsgi-Incorrect-Request-Handling.html
- https://nvd.nist.gov/vuln/detail/CVE-2020-11984
- https://github.com/wofeiwo/webcgi-exploits/blob/master/python/uwsgi-rce-zh.md
- https://bugs.chromium.org/p/project-zero/issues/detail?id=2030
Download the full vulnerability report to learn more about this and other important vulnerabilities.
The post CVE-2020-11984: Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE appeared first on Virsec Systems.
*** This is a Security Bloggers Network syndicated blog from Blog – Virsec Systems authored by Satya Gupta. Read the original post at: https://virsec.com/cve-2020-11984-apache-http-server-2-4-32-to-2-4-44-mod_proxy_uwsgi-info-disclosure-and-possible-rce/
