The Fuzzing Project - Comments

William A Rowe Jr: Optionsbleed - HTTP OPTIONS method can leak Apache's server memory

nospam@example.com (William A Rowe Jr) — Fri, 22 Sep 2017 17:30:37 +0200

Noel is correct with respect to blocking OPTIONS.

The other reason that blocking OPTIONS is no solution is that the corruption itself in the shared startup configuration list of supported methods still occurs on any request which parses the suspect .htaccess file (where an unrecognized method is given by accident or deliberately.) Corrupting that shared configuration data will still lead to unpredictable behavior.

Noel Whitemore: Optionsbleed - HTTP OPTIONS method can leak Apache's server memory

nospam@example.com (Noel Whitemore) — Thu, 21 Sep 2017 11:25:24 +0200

That particular module is still termed "experimental" and there's no mention in the official documentation of what the expected output should be, so you'd probably have to look at the source code to see what's going on behind the scenes. On a separate issue, deliberately limiting the OPTIONS method in the normal way (as Google appears to be doing) doesn't work because when you send a request to Google's servers you get the "HTTP/1.1 405 Method Not Allowed" message but the accepted methods are still listed on the next line of the header.

Hayden James: Optionsbleed - HTTP OPTIONS method can leak Apache's server memory

nospam@example.com (Hayden James) — Wed, 20 Sep 2017 19:36:04 +0200

cPanel has released update for this via easyapache. Esp for shared hosting using cPanel/WHM you should update asap.

--------------

SUMMARY
cPanel, Inc. has released updated RPMs for EasyApache 4 and EasyApache 3.34.17 on September 20, 2017, with a patched versions of Apache 2.2 and 2.4 to address the optionsbleed vulnerability related to CVE-2017-9798. We strongly encourage all Apache 2.2 and 2.4 users to upgrade their system and obtain the patch.

AFFECTED VERSIONS
All versions of Apache 2.4 through 2.4.27
All versions of Apache 2.2 through 2.2.34

SECURITY RATING
The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

CVE-2017-9798 - HIGH

Apache 2.4.27-8
Patched optionsbleed vulnerability related to CVE-2017-9798

Apache 2.2.34
Patched optionsbleed vulnerability related to CVE-2017-9798

SOLUTION
cPanel, Inc. has released EasyApache 3.34.17 with updated versions of Apache 2.2 and Apache 2.4. Unless you have disabled EasyApache updates, the EasyApache application updates to the latest version when launched. Run EasyApache to rebuild your profile with the latest version of Apache.

cPanel, Inc. has released updated RPMs for EasyApache 4 on September 20, 2017, with an updated versions of Apache 2.4. Unless you have enabled automatic RPM updates in your cron, update your system with either yum update or WHM's Run System Update interface.

William A Rowe Jr: Optionsbleed - HTTP OPTIONS method can leak Apache's server memory

nospam@example.com (William A Rowe Jr) — Wed, 20 Sep 2017 16:36:53 +0200

(The eaten .htaccess example I offered was...)
-LT- Limit POST DELETE TWO -GT-

William A Rowe Jr: Optionsbleed - HTTP OPTIONS method can leak Apache's server memory

nospam@example.com (William A Rowe Jr) — Wed, 20 Sep 2017 16:35:09 +0200

Note that the new Apache directive RegisterHttpMethod lets you pre-define unusual method strings to avoid this defect.

in the httpd.conf global/startup config;
RegisterHttpMethod ONE TWO THREE

in the .htaccess files;

or similar. If you grant untrusted users .htaccess editing permission, you are always opening up the possibility of malicious configuration.

Colin Watson: Optionsbleed - HTTP OPTIONS method can leak Apache's server memory

nospam@example.com (Colin Watson) — Wed, 20 Sep 2017 14:45:26 +0200

I've just deployed the fix for the minor launchpad.net bug identified as part of this.

(I wonder if I'm the only one who thinks "hmm, bug report from Hanno; I wonder what interesting widespread problem they're researching"?)

JoeRandomHacker: Optionsbleed - HTTP OPTIONS method can leak Apache's server memory

nospam@example.com (JoeRandomHacker) — Wed, 20 Sep 2017 13:11:47 +0200

No, this is only about apache httpd, not about other projects of the apache foundation like tomcat.

Manju: Optionsbleed - HTTP OPTIONS method can leak Apache's server memory

nospam@example.com (Manju) — Wed, 20 Sep 2017 04:57:28 +0200

Does this vulnerability affects Apache Tomcat 8.5 versions?

JoeRandomHacker: Optionsbleed - HTTP OPTIONS method can leak Apache's server memory

nospam@example.com (JoeRandomHacker) — Tue, 19 Sep 2017 18:05:53 +0200

RewriteEngine On
RewriteCond %{REQUEST_METHOD} !(GET|POST)
RewriteRule .* - [F]

Jordan: Optionsbleed - HTTP OPTIONS method can leak Apache's server memory

nospam@example.com (Jordan) — Tue, 19 Sep 2017 10:21:54 +0200

So, if I don't use the Limit directive in an htaccess file, then I'm safe from this? Is it really that commonly used? What about if it's in the global configuration?

Sawood Alam: Optionsbleed - HTTP OPTIONS method can leak Apache's server memory

nospam@example.com (Sawood Alam) — Tue, 19 Sep 2017 06:14:06 +0200

I have noted this issue in 2014 while I was working on my paper, "Support for Various HTTP Methods on the Web" (https://arxiv.org/pdf/1405.2330.pdf). My observations about this issue as well as some other problems are described in the section 5.3 of the paper. However, I didn't look into it from the security perspective at that time.

Lee: Optionsbleed - HTTP OPTIONS method can leak Apache's server memory

nospam@example.com (Lee) — Tue, 19 Sep 2017 04:36:15 +0200

Good article. Thanks! You may want to fix a few mistakes I found while reading it.

However, ASAN doesn't work "reliable"... > reliably
...so not all vulnerable hosts may have been "catched"... > caught
... you should drop everything "you do now"... > you are doing now

parseword: Optionsbleed - HTTP OPTIONS method can leak Apache's server memory

nospam@example.com (parseword) — Tue, 19 Sep 2017 03:26:32 +0200

For those who can reproduce, if you don't mind testing, I'm curious whether blocking the OPTIONS verb via mod_allowmethods works as a temporary mitigation.

In httpd.conf:
LoadModule allowmethods_module modules/mod_allowmethods.so

Inside your Directory stanzas:
#Disable unwanted methods (OPTIONS, PUT, PROPFIND, etc.)
AllowMethods GET POST HEAD

This should cause any OPTIONS request to return a status of "HTTP/1.1 405 Method Not Allowed" and emit an empty "Allow:" header. I can't reproduce the bug on any of my instances to ensure this properly scrubs the "Allow:" header, though.

easteregg: Optionsbleed - HTTP OPTIONS method can leak Apache's server memory

nospam@example.com (easteregg) — Mon, 18 Sep 2017 18:00:52 +0200

same with 2.4.25-3+deb9u2

lbiegaj: Optionsbleed - HTTP OPTIONS method can leak Apache's server memory

nospam@example.com (lbiegaj) — Mon, 18 Sep 2017 17:33:44 +0200

Seems that this blog filtered out "LIMIT GET" tags from my comment.