NSM Apache Web Server mod_rewrite LDAP Protocol URL Handling Overflow

  [JSA10441]


Legacy Advisory Id:
PSN-2010-05-763
Product Affected:
This is a "zero day" issue which affects the web server in all releases of NSM software from its initial release up to, but not including, the first fixed releases stated in this notice.
Problem:
NSM products incorporate a variant of the Apache web server, and some older versions of NSM software are affected by the vulnerability described in this document. Releases of the Apache web server prior to version 2.0.59 contain an off-by-one buffer overflow vulnerability which is encountered when escaping an absolute URI scheme. The vulnerability might be exploited to gain complete control of the affected NSM product.

NSM Server does not include the Apache web server in its software distribution. NSM Server installations may or may not be vulnerable depending on what version of the Apache web server is running on the underlying platform as provided by the customer.

This issue is being tracked as PR 308831. While this PR is not viewable by customers, it can be used as a reference when discussing the issue with JTAC.
Solution:
The vulnerability is repaired by upgrading to the software versions recommended below.

The issue is fixed for NSMXpress, NSM Appliance, and NSM3000 in versions 4.116699, 2008.2r1, 2009.1r1, and all subsequent releases.

As mentioned above, the web server is not included in NSM Server software, and the vulnerability, if present, will not be removed by upgrading to an unaffected version of NSM Server software. The issue can be addressed by upgrading the Apache web server on the underlying server; if an upgrade is not possible, workarounds should be considered and applied.

Workaround:
  • Disable the mod_rewrite module in the Apache web server configuration

    Inspect the file /etc/httpd/conf/httpd.conf to find the following line:
    LoadModule rewrite_module modules/mod_rewrite.so
    
    Edit the file to insert a pound sign ("#") as the first character on that line, and then save the file.

    The result of the change might look like the second line of this example:
    LoadModule alias_module modules/mod_alias.so
    #LoadModule rewrite_module modules/mod_rewrite.so
    #LoadModule proxy_module modules/mod_proxy.so
    
    The web server must be restarted for the modification to take effect.

  • Restrict network access to the vulnerable system

    Although far less effective and much more dependent on specific customer network configurations and topologies, the threat to vulnerable NSM installations might be mitigated by restricting network access to the affected system with traffic filtering.
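
The first workaround above can be scripted as follows. This is an added example, not Juniper's own tooling: the function names and the `--apply` switch are hypothetical, and the default path is the one named in this notice. The script checks whether an active LoadModule line for mod_rewrite exists, comments it out, and keeps a backup copy.

```shell
#!/bin/sh
# Added example (not from the advisory): audit and apply the mod_rewrite
# workaround. Function names and the --apply switch are hypothetical.

# Matches an ACTIVE (uncommented) LoadModule line for mod_rewrite.
ACTIVE_RE='^[[:space:]]*LoadModule[[:space:]]+rewrite_module[[:space:]]'

# Return 0 if the given config file still loads mod_rewrite, 1 otherwise.
rewrite_is_loaded() {
    grep -Eq "$ACTIVE_RE" "$1"
}

# Comment out every active rewrite_module line, keeping a backup in FILE.bak.
# Returns 0 if the file was changed, 1 if nothing to do, 2 on error.
disable_mod_rewrite() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    if ! rewrite_is_loaded "$conf"; then
        echo "mod_rewrite is not loaded by $conf; nothing to change"
        return 1
    fi
    cp -p "$conf" "$conf.bak" || return 2
    # Prefix only the matching lines with '#'; writing through the existing
    # file keeps its owner and mode. All other lines are left untouched.
    sed -E "s/${ACTIVE_RE}/#&/" "$conf.bak" > "$conf" || return 2
    if rewrite_is_loaded "$conf"; then
        echo "edit failed; restoring backup" >&2
        cp -p "$conf.bak" "$conf"
        return 2
    fi
    echo "mod_rewrite disabled in $conf (backup: $conf.bak)"
    echo "restart the web server for the change to take effect"
    return 0
}

# Run only when asked to: sh script.sh --apply [path-to-httpd.conf]
if [ "${1:-}" = "--apply" ]; then
    disable_mod_rewrite "${2:-/etc/httpd/conf/httpd.conf}"
fi
```

A return value of 1 on a second run confirms that the change is already in place.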
Implementation:
Customers are strongly encouraged to upgrade to a current, unaffected version of software. KB16765 - "In which releases are vulnerabilities fixed?" describes which releases are selected to receive fixes for vulnerabilities as per Juniper Networks' "End of Engineering" and "End of Life" support policies.

If upgrading software is not possible, not feasible, or not likely to occur for some time, then a workaround should be employed. In all cases, customers should evaluate the risks and benefits of any given workaround to ensure that it is appropriate and practical in the customer's own production environment.

How to obtain fixed software:
NSM Maintenance Releases are available at http://support.juniper.net from the "Download Software" links.

If a Maintenance Release is not adequate and access to NSM patches is needed, open a customer support case. A JTAC engineer will review your request and respond, ensuring that you will be provided with the most appropriate Patch Release for your specific situation.
CVSS Score:
7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
Severity Level:
High
Severity Assessment:
Information on how Juniper Networks uses CVSS can be found in KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories".