Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

NSM Apache Web Server mod_rewrite LDAP Protocol URL Handling Overflow

0

0

Article ID: JSA10441 SECURITY_ADVISORIES Last Updated: 09 May 2013Version: 2.0
Legacy Advisory Id:
PSN-2010-05-763
Product Affected:
This is a "zero day" issue which affects the web server in all releases of NSM software from its initial release up to, but not including, the first fixed releases stated in this notice.
Problem:
NSM products incorporate a variant of the Apache web server, and some older versions of NSM software are affected by the vulnerability described in this document. Releases of the Apache web server prior to version 2.0.59 contain an off-by-one buffer overflow vulnerability which is encountered when escaping an absolute URI scheme. The vulnerability might be exploited to gain complete control of the affected NSM product.

NSM Server does not include the Apache web server in its software distribution. NSM Server installations may or may not be vulnerable depending on what version of the Apache web server is running on the underlying platform as provided by the customer.

This issue is being tracked as PR 308831. While this PR is not viewable by customers, it can be used as a reference when discussing the issue with JTAC.
Solution:
The vulnerability was repaired by upgrading the version of software recommended below.

The issue is fixed for NSMXpress, NSM Appliance, and NSM3000 in versions 4.116699, 2008.2r1, 2009.1r1, and all subsequent releases.

As mentioned above, the web server is not included in NSM Server software, and the vulnerability, if present, will not be removed by upgrading to an unaffected version of NSM Server software. The issue can be addressed by upgrading the Apache web server on the underlying server or, if an upgrade is not possible, workarounds should be considered and applied.

Workaround:
  • Disable the mod_rewrite module in the Apache web server configuration

    Inspect the file /etc/httpd/conf/httpd.conf to find the following line:
    LoadModule rewrite_module modules/mod_rewrite.so
    
    Edit the file to insert a pound sign ("#") as the first character on that line, and then save the file.

    The result of the change might look like the second line of this example:
    LoadModule alias_module modules/mod_alias.so
    #LoadModule rewrite_module modules/mod_rewrite.so
    #LoadModule proxy_module modules/mod_proxy.so
    
    The web server must be restarted for the modification to take effect.

  • Restrict network access to the vulnerable system

    Although far less effective and much more dependent on specific customer network configurations and topologies, the threat to vulnerable NSM installations might be mitigated by restricting network access to the affected system with traffic filtering.
Implementation:
Customers are strongly encouraged to upgrade to a current, unaffected version of software. KB16765 - "In which releases are vulnerabilities fixed?" describes which releases are selected to receive fixes for vulnerabilities as per Juniper Networks' "End of Engineering" and "End of Life" support policies.

If upgrading software is not possible, not feasible, or not likely to occur for some time, then a workaround should be employed. In all cases, customers should evaluate the risks and benefits of any given workaround to ensure that it is appropriate and practical in the customer's own production environment.

How to obtain fixed software:
NSM Maintenance Releases are available at http://support.juniper.net from the "Download Software" links.

If a Maintenance Release is not adequate and access to NSM patches is needed, open a customer support case. A JTAC engineer will review your request and respond, ensuring that you will be provided with the most appropriate Patch Release for your specific situation.
CVSS Score:
7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
Severity Level:
High
Severity Assessment:
Information for how Juniper Networks uses CVSS can be found in KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories".

Related Links

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search