Optionsbleed: Heartbleed’s Less Threatening Cousin

Heartbleed is a vulnerability with a feature in OpenSSL, a software application used to establish secure communications over computer networks, known as heartbeat in 2014. This vulnerability affected the Transport Layer Socket (TLS) and Datagram Transport Layer Security (DTLS) in OpenSSL version 1.0.1. This vulnerability allowed attackers to remotely receive confidential information, such as a secret encryption key, from a crafted packed that caused a buffer over-read. Recently, a vulnerability related to Heartbleed was published on September 18 by freelance cybersecurity researcher Hanno Böck. He discovered a vulnerability in Apache HTTP Server, commonly referred to as httpd, which could cause sensitive information to be leaked through memory contents. For this reason, Böck has dubbed this vulnerability Optionsbleed.

Optionsbleed

Optionsbleed is a vulnerability with Apache HTTP Server that is tracked as CVE-2017-9798. A flaw in Apache’s httpd .htaccess and httpd.conf file, files that configure the OPTIONS setting in a web request, allows a remote attacker to intercept confidential information passing through process memory. This vulnerability is triggered when a “Limit” directive is incorrectly configured in either of the two configuration files. These Limit configurations could be configured to allow or deny web requests for GET, POST, PUT, PATCH, DELETE, HEAD, and TRACE. The problem with the software code for this is that a misspelled word, duplicate valid option, non-existent option is inputted into the configuration file, then the system becomes susceptible to memory leaking.

Affected Systems

The good news about Optionsbleed is there are very few systems that are exposed to sensitive information exposure from the Apache httpd vulnerability. According to the CVE-2017-9798 page, Apache httpd versions 2.2.34 and 2.4.x through 2.4.27 are susceptible to the Optionsbleed vulnerability. Böck conducted an analysis of around 1,000,000 web servers, around 400,000 of which were running Apache, and discovered that there were around 450 web servers that shared OptionBleed characteristics. Another interesting finding Böck discovered is that an attacker could configure their own .htaccess or httpd.conf file to cause a memory leak on a vulnerable web server that is hosting the domain they are using by constantly revisiting the domain to see what kind of sensitive information is fished out. Böck has also released source code on GitHub for end-users to test if an Optionsbleed bug is present in a server running Apache httpd.

Unofficial Patch

At the time of this post, Apache has not officially released a patch, or when they plan on creating one, to address the Optionsbleed vulnerability. However, an unofficial patch is provided on Apaches’ source code servers, which appears to have been created on September 8. Nessus also suggests running the commands “‘yum update httpd24′” and “‘yup update httpd'” on the server to patch the vulnerability as well. If an end-user would prefer to patch this vulnerability themselves or do not trust the unofficial patch, they could also manually search their .htaccess or httpd.conf files for spelling errors, invalid options, or duplicate settings inside of the Limit statement.

Sources

Optionsbleed CVE:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9798

Optionsbleed Article:

http://www.securityweek.com/optionsbleed-flaw-causes-apache-leak-data

Böck Analysis:

https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html

Sophos Analysis:

http://nakedsecurity.sophos.com/2017/09/19/apache-optionsbleed-vulnerability-what-you-need-to-know/

GitHub POC:

https://github.com/hannob/optionsbleed

Open Source Patch:

https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/core.c?r1=1805223&r2=1807754&pathrev=1807754&view=patch

Nessus Suggestion:

https://www.tenable.com/plugins/index.php?view=single&id=103309