New Security Hole In Apache 2.x; Default Mac OS X Installations Shouldn't Be Affected

Apache.org had updated the Apache http server software to version 2.0.46. The new release addresses a security hole which may allow hackers to crash an Apache server using WebDAV (Web-based Distributed Authoring and Versioning, also known as Mod_DAV).

Apache is included in Mac OS X, powering Personal Web Sharing, but the version used is Apache 1.3.27, which is not susceptible to the new problem. In addition, with the consumer version of Mac OS X, Personal Web Sharing is turned off by default. Controls can be found under the Sharing control panel in System Preferences.

Apache is also the default http server included with Mac OS X Server. Versions 1.3.2x and 2.x are both included with an installation, but version 2 is disabled by default. From an Apple Knowledge Base article:

Mac OS X Server 10.2 installs Apache 2 (v 2.0.36) for evaluation purposes, in addition to the operational version of Apache 1 (v 1.3.23). By default, Apache 2 is disabled, and all Server Settings operations work correctly with Apache 1.

In Mac OS X Server, Web serving in general is also turned off by default.

For those interested in the problem that has been fixed, this is the official techno-speak from the official Apache.org announcement:

The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the ninth public release of the Apache 2.0 HTTP Server. This Announcement notes the significant changes in 2.0.46 as compared to 2.0.45.

This version of Apache is principally a security and bug fix release. A summary of the bug fixes is given at the end of this document. Of particular note is that 2.0.46 addresses two security vulnerabilities:

Apache 2.0 versions 2.0.37 through 2.0.45 can be caused to crash in certain circumstances. This can be triggered remotely through mod_dav and possibly other mechanisms. The crash was originally reported by David Endler and was researched and fixed by Joe Orton . Specific details and an analysis of the crash will be published Friday, May 30. No more specific information is disclosed at this time, but all Apache 2.0 users are encouraged to upgrade now. [http://cve.mitre.org/cgi-bin/cvename.cgi?name="CAN-2003-0245" ]

Apache 2.0 versions 2.0.40 through 2.0.45 on Unix platforms were vulnerable to a denial-of-service attack on the basic authentication module, which was reported by John Hughes. A bug in the configuration scripts caused the apr_password_validate() function to be thread-unsafe on platforms with crypt_r() , including AIX and Linux. All versions of Apache 2.0 have this thread-safety problem on platforms with no crypt_r() and no thread-safe crypt() , such as Mac OS X and possibly others. When using a threaded MPM (which is not the default on these platforms), this allows remote attackers to create a denial of service which causes valid usernames and passwords for Basic Authentication to fail until Apache is restarted. We do not believe this bug could allow unauthorized users to gain access to protected resources.

Donit feel too bad if that doesnit mean too much to you. We had to put on our own Nerd-o-Vision goggles to get through it ourselves. In a nutshell, it means that the exploit can possibly result in a DOS (denial-of-service) attack succeeding against a server running the unpatched version of Apache, but that it is thought that a bad guy can not use the exploit to gain control of the server.

For those who may not know what WebDAV is and how this security announcement may affect you Security.itworld.com has an excellent article about this particular security problem. WebDAV.org gives an excellent explanation of WebDAV and what it does.