Apache HTTP Server versions 2.4.10 to 2.4.44 vulnerable to remote IP spoofing and buffer overflow attacks
Multiple vulnerabilities in Apache servers can be used by potential hackers to remotely trigger IP spoofing and buffer overflow attacks. Apache Server is the open-source HTTP web server for UNIX and Microsoft Windows, among other platforms, developed by the Apache Foundation and used by many top websites.
Apache servers are affected by as many as four vulnerabilities that can be successfully exploited for IP spoofing and buffer overflow attacks. Remote hackers can use these attacks to get complete control of a web server running Apache HTTP Server versions 2.4.20 to 2.4.44.
The first of the vulnerabilities is a limit error in the module mod_proxy_uwsgi. This vulnerability has been issued a unique identifier, CVE-2020-11984, and has a CVSS score of 7.7/10. The flaw is classified as Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’). Potential hackers can use the limit error in mod_proxy_uwsgi to remotely trigger a buffer overflow and execute arbitrary code on the target system.
Apache HTTP Server versions 2.4.32 to 2.4.44 are vulnerable to this flaw.
The second vulnerability has been issued a unique identifier, CVE-2020-11993, and has a CVSS score of 6.5/10. The flaw resides in the way Apache servers inadequately manage application resources when processing HTTP/2 requests with trace/debug enabled, causing concurrent use of memory pools. Potential hackers can exploit this flaw by sending specially crafted requests to the Apache server to launch denial of service (DoS) attacks.
Apache HTTP Server versions 2.4.20 to 2.4.43 are vulnerable to this flaw. Configuring the LogLevel of mod_http2 above “info” will mitigate this vulnerability for unpatched servers.
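The following is an added example, not code from Apache or from this article: a small Python audit that scans httpd configuration text for LogLevel directives that leave mod_http2 at "info" or more verbose. It reads "above info" as notice or more severe; the token-ordering rule, the function names and the sample configuration are assumptions made for illustration.

```python
import re

# Apache LogLevel names, most severe first; a higher index is more verbose.
LEVELS = ["emerg", "alert", "crit", "error", "warn", "notice", "info",
          "debug"] + [f"trace{i}" for i in range(1, 9)]
# Module specifiers Apache accepts for mod_http2 in a LogLevel directive.
HTTP2_NAMES = {"http2", "http2_module", "mod_http2.c"}
INFO = LEVELS.index("info")


def http2_level(directive_args):
    """Level one LogLevel line assigns to mod_http2, or None.
    Assumption: tokens apply left to right; a bare level covers every module."""
    level = None
    for token in directive_args.lower().split():
        module, _, name = token.rpartition(":")
        if name in LEVELS and (module == "" or module in HTTP2_NAMES):
            level = name
    return level


def audit(config_text):
    """Return (line_no, level) for each LogLevel line that leaves mod_http2
    at "info" or more verbose, i.e. not "above info"."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        m = re.match(r"\s*LogLevel\s+(.+)", line, re.IGNORECASE)
        if not m:
            continue  # comment lines and other directives never match
        level = http2_level(m.group(1))
        if level is not None and LEVELS.index(level) >= INFO:
            findings.append((no, level))
    return findings


# Constructed sample configuration, not taken from any real server.
SAMPLE = """\
LogLevel warn
<VirtualHost *:443>
    LogLevel info http2:trace2
</VirtualHost>
<VirtualHost *:8443>
    LogLevel debug http2:notice
    loglevel ssl:debug
</VirtualHost>
"""

if __name__ == "__main__":
    for no, level in audit(SAMPLE):
        print(f"line {no}: mod_http2 logs at {level}; raise it above info")
```

The audit reports each directive on its own and does not model how Apache merges LogLevel across server and virtual host contexts, so review every flagged line in its context.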
The next vulnerability, CVE-2020-9490, exists due to insufficient validation of user-provided entries when processing the Cache-Digest header in an HTTP/2 request. Remote hackers can send a specially crafted value to the Apache server for the ‘Cache-Digest’ header in an HTTP/2 request. This would result in a DoS attack and cause a crash when the server actually tries to HTTP/2 PUSH a resource afterward. The flaw affects Apache HTTP Server versions 2.4.20 to 2.4.43 and has a CVSS score of 6.5/10.
The final vulnerability in Apache servers is an input validation error and has been issued a unique identifier, CVE-2020-11985, with a CVSS score of 5.7/10. The vulnerability exists due to insufficient validation of user-supplied input in an Apache server. A remote attacker can spoof the user’s IP address when proxying using mod_remoteip and mod_rewrite. As a result, the fake IP address will be displayed in logs and will be passed to PHP scripts. Depending on web application functionality, this vulnerability can be used to bypass authorization checks based on IP addresses.
This vulnerability affects Apache HTTP Server versions from 2.4.1 to 2.4.23. This flaw has been fixed in Apache HTTP Server 2.4.24.
Apache developers have patched all four vulnerabilities and have asked users to update to the latest version. Users who can’t upgrade have been told to use a workaround to mitigate the flaw. The Apache organization also says that they don’t have information about the vulnerabilities being exploited in the wild or becoming wormable (i.e. used in malware).