Attack on Apache server exposes firewalls, routers and more

Reverse proxy bug may haunt rival webservers, too


Maintainers of the open-source Apache webserver are warning that their HTTP daemon is vulnerable to exploits that expose internal servers to remote attackers who embed special commands in website addresses.

The weakness in 1.3 and all 2.x versions of the Apache HTTP Server can be exploited only under certain conditions. For one, they must be running in reverse proxy mode, a setting often used to perform load balancing or to separate static content from dynamic content. And even then, internal systems are susceptible to unauthorized access only when certain types of reverse proxy rewrite rules are used.

Nonetheless, the vulnerable reverse proxy configurations are common enough that Apache maintainers issued an advisory on Wednesday recommending users examine their systems to make sure they're not at risk.

"When using the RewriteRule or ProxyPassMatch directives to configure a reverse proxy using a pattern match, it is possible to inadvertently expose internal servers to remote users who send carefully crafted requests," the advisory stated. "The server did not validate that the input to the pattern match was a valid path string, so a pattern could expand to an unintended target URL."

The vulnerability was reported by Context Information Security, an information security consultancy with offices in London, among other cities. In a blog post, researchers with the company said the weakness can be exploited to gain unauthorized access to a highly sensitive DMZ, or "demilitarized zone" resources inside an organization that should be available only to validated users.

"We can access any internal/DMZ system which the proxy can access including administration interfaces on firewalls, routers, web servers, databases etc.," they wrote. "Context has had plenty of success with this attack where credentials are weak on the internal systems allowing for full network compromise e.g. uploading Trojan WAR files on to JBoss servers."

In a press release, Context said the researchers believe other webservers and proxies may be susceptible to similar exploits.

Apache issued a patch for those who compile their own installations of the webserver. It wouldn't be surprising to see Linux distributions release their own security updates in the next few days. Apache's advisory also contains suggestions for writing proxy rules that prevent the attack from working.

Adding a simple forward slash to certain configurations, for example, will go a long way to protecting sensitive systems. The line is "RewriteRule (.*)\.(jpg|gif|png)" could expose internal servers, while the line "RewriteRule /(.*)\.(jpg|gif|png)" (note the extra "/") will ensure they remain protected.

Security researcher Dan Rosenberg echoed the warning that the damage resulting from a poorly configured proxy server could be catastrophic and that the risk could extend well beyond those who use Apache.

"In the worst case, this could result in a remote attacker being able to read sensitive contents from internal web resources," he wrote in an email. "I wouldn't be *too* surprised if reverse proxy mechanisms in other web servers are affected, but the bug is fairly implementation specific, so there's no way to know without testing." ®


Other stories you might like

  • CISA and friends raise alarm on critical flaws in industrial equipment, infrastructure
    Nearly 60 holes found affecting 'more than 30,000' machines worldwide

    Updated Fifty-six vulnerabilities – some deemed critical – have been found in industrial operational technology (OT) systems from ten global manufacturers including Honeywell, Ericsson, Motorola, and Siemens, putting more than 30,000 devices worldwide at risk, according to private security researchers. 

    Some of these vulnerabilities received CVSS severity scores as high as 9.8 out of 10. That is particularly bad, considering these devices are used in critical infrastructure across the oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining and building and automation industries. 

    The most serious security flaws include remote code execution (RCE) and firmware vulnerabilities. If exploited, these holes could potentially allow miscreants to shut down electrical and water systems, disrupt the food supply, change the ratio of ingredients to result in toxic mixtures, and … OK, you get the idea.

    Continue reading
  • 1Password's Insights tool to help admins monitor users' security practices
    Find the clown who chose 'password' as a password and make things right

    1Password, the Toronto-based maker of the identically named password manager, is adding a security analysis and advice tool called Insights from 1Password to its business-oriented product.

    Available to 1Password Business customers, Insights takes the form of a menu addition to the right-hand column of the application window. Clicking on the "Insights" option presents a dashboard for checking on data breaches, password health, and team usage of 1Password throughout an organization.

    "We designed Insights from 1Password to give IT and security admins broader visibility into potential security risks so businesses improve their understanding of the threats posed by employee behavior, and have clear steps to mitigate those issues," said Jeff Shiner, CEO of 1Password, in a statement.

    Continue reading
  • Inside the RSAC expo: Buzzword bingo and the bear in the room
    We mingle with the vendors so you don't have to

    RSA Conference Your humble vulture never liked conference expos – even before finding myself on the show floor during a global pandemic. Expo halls are a necessary evil that are predominatly visited to find gifts to bring home to the kids. 

    Do organizations really choose security vendors based on a booth? The whole expo hall idea seems like an outdated business model – for the vendors, anyway. Although the same argument could be made for conferences in general.

    For the most part, all of the executives and security researchers set up shop offsite – either in swanky hotels and shared office space (for the big-wigs) or at charming outdoor chess tables in Yerba Buena Gardens. Many of them said they avoided the expo altogether.

    Continue reading

Biting the hand that feeds IT © 1998–2022