Vulnerabilities > CVE-2015-0253

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
low complexity
apache
apple
oracle
nessus

Summary

The read_request_line function in server/protocol.c in the Apache HTTP Server 2.4.12 does not initialize the protocol structure member, which allows remote attackers to cause a denial of service (NULL pointer dereference and process crash) by sending a request that lacks a method to an installation that enables the INCLUDES filter and has an ErrorDocument 400 directive specifying a local URI. <a href="http://cwe.mitre.org/data/definitions/476.html">CWE-476: NULL Pointer Dereference</a>

Nessus

  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2015-579.NASL
    descriptionIt was discovered that in httpd 2.4, the internal API function ap_some_auth_required() could incorrectly indicate that a request was authenticated even when no authentication was used. An httpd module using this API function could consequently allow access that should have been denied. (CVE-2015-3185) Multiple flaws were found in the way httpd parsed HTTP requests and responses using chunked transfer encoding. A remote attacker could use these flaws to create a specially crafted request, which httpd would decode differently from an HTTP proxy software in front of it, possibly leading to HTTP request smuggling attacks. (CVE-2015-3183) A NULL pointer dereference flaw was found in the way httpd generated certain error responses. A remote attacker could possibly use this flaw crash the httpd child process using a request that triggers a certain HTTP error. (CVE-2015-0253) A denial of service flaw was found in the way the mod_lua httpd module processed certain WebSocket Ping requests. A remote attacker could send a specially crafted WebSocket Ping packet that would cause the httpd child process to crash. (CVE-2015-0228)
    last seen2020-06-01
    modified2020-06-02
    plugin id85452
    published2015-08-18
    reporterThis script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/85452
    titleAmazon Linux AMI : httpd24 (ALAS-2015-579)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Amazon Linux AMI Security Advisory ALAS-2015-579.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(85452);
      script_version("2.4");
      script_cvs_date("Date: 2018/04/18 15:09:35");
    
      script_cve_id("CVE-2015-0228", "CVE-2015-0253", "CVE-2015-3183", "CVE-2015-3185");
      script_xref(name:"ALAS", value:"2015-579");
    
      script_name(english:"Amazon Linux AMI : httpd24 (ALAS-2015-579)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Amazon Linux AMI host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "It was discovered that in httpd 2.4, the internal API function
    ap_some_auth_required() could incorrectly indicate that a request was
    authenticated even when no authentication was used. An httpd module
    using this API function could consequently allow access that should
    have been denied. (CVE-2015-3185)
    
    Multiple flaws were found in the way httpd parsed HTTP requests and
    responses using chunked transfer encoding. A remote attacker could use
    these flaws to create a specially crafted request, which httpd would
    decode differently from an HTTP proxy software in front of it,
    possibly leading to HTTP request smuggling attacks. (CVE-2015-3183)
    
    A NULL pointer dereference flaw was found in the way httpd generated
    certain error responses. A remote attacker could possibly use this
    flaw crash the httpd child process using a request that triggers a
    certain HTTP error. (CVE-2015-0253)
    
    A denial of service flaw was found in the way the mod_lua httpd module
    processed certain WebSocket Ping requests. A remote attacker could
    send a specially crafted WebSocket Ping packet that would cause the
    httpd child process to crash. (CVE-2015-0228)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://alas.aws.amazon.com/ALAS-2015-579.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Run 'yum update httpd24' to update your system."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:httpd24");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:httpd24-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:httpd24-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:httpd24-manual");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:httpd24-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:mod24_ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:mod24_proxy_html");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:mod24_session");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:mod24_ssl");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2015/08/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/08/18");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.");
      script_family(english:"Amazon Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/AmazonLinux/release");
    if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");
    os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
    os_ver = os_ver[1];
    if (os_ver != "A")
    {
      if (os_ver == 'A') os_ver = 'AMI';
      audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver);
    }
    
    if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (rpm_check(release:"ALA", reference:"httpd24-2.4.16-1.62.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"httpd24-debuginfo-2.4.16-1.62.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"httpd24-devel-2.4.16-1.62.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"httpd24-manual-2.4.16-1.62.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"httpd24-tools-2.4.16-1.62.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"mod24_ldap-2.4.16-1.62.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"mod24_proxy_html-2.4.16-1.62.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"mod24_session-2.4.16-1.62.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"mod24_ssl-2.4.16-1.62.amzn1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "httpd24 / httpd24-debuginfo / httpd24-devel / httpd24-manual / etc");
    }
    
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_10_10_5.NASL
    descriptionThe remote host is running a version of Mac OS X 10.10.x that is prior to 10.10.5. It is, therefore, affected by multiple vulnerabilities in the following components : - apache - apache_mod_php - Apple ID OD Plug-in - AppleGraphicsControl - Bluetooth - bootp - CloudKit - CoreMedia Playback - CoreText - curl - Data Detectors Engine - Date & Time pref pane - Dictionary Application - DiskImages - dyld - FontParser - groff - ImageIO - Install Framework Legacy - IOFireWireFamily - IOGraphics - IOHIDFamily - Kernel - Libc - Libinfo - libpthread - libxml2 - libxpc - mail_cmds - Notification Center OSX - ntfs - OpenSSH - OpenSSL - perl - PostgreSQL - python - QL Office - Quartz Composer Framework - Quick Look - QuickTime 7 - SceneKit - Security - SMBClient - Speech UI - sudo - tcpdump - Text Formats - udf Note that successful exploitation of the most serious issues can result in arbitrary code execution.
    last seen2020-06-01
    modified2020-06-02
    plugin id85408
    published2015-08-17
    reporterThis script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/85408
    titleMac OS X 10.10.x < 10.10.5 Multiple Vulnerabilities
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_SECUPD2015-006.NASL
    descriptionThe remote host is running a version of Mac OS X 10.8.5 or 10.9.5 that is missing Security Update 2015-006. It is, therefore, affected by multiple vulnerabilities in the following components : - apache - apache_mod_php - CoreText - FontParser - Libinfo - libxml2 - OpenSSL - perl - PostgreSQL - QL Office - Quartz Composer Framework - QuickTime 7 - SceneKit Note that successful exploitation of the most serious issues can result in arbitrary code execution.
    last seen2020-06-01
    modified2020-06-02
    plugin id85409
    published2015-08-17
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/85409
    titleMac OS X Multiple Vulnerabilities (Security Update 2015-006)
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_SERVER_5_0_3.NASL
    descriptionThe remote Mac OS X host has a version of OS X Server installed that is prior to 5.0.3. It is, therefore, affected by the following vulnerabilities : - A flaw exists in the mod_headers module that allows HTTP trailers to replace HTTP headers late during request processing. A remote attacker can exploit this to inject arbitrary headers. This can also cause some modules to function incorrectly or appear to function incorrectly. (CVE-2013-5704) - A privilege escalation vulnerability exists due to the
    last seen2020-06-01
    modified2020-06-02
    plugin id86066
    published2015-09-22
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/86066
    titleMac OS X : OS X Server < 5.0.3 Multiple Vulnerabilities
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2015-11689.NASL
    descriptionUpdate to new version 2.4.16. This update fixed various bugs as well as few security issues. For full changelog, see http://www.apache.org/dist/httpd/CHANGES_2.4.16 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2015-07-22
    plugin id84906
    published2015-07-22
    reporterThis script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/84906
    titleFedora 22 : httpd-2.4.16-1.fc22 (2015-11689)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_A12494C12AF411E586FF14DAE9D210B8.NASL
    descriptionJim Jagielski reports : CVE-2015-3183 (cve.mitre.org) core: Fix chunk header parsing defect. Remove apr_brigade_flatten(), buffering and duplicated code from the HTTP_IN filter, parse chunks in a single pass with zero copy. Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext authorized characters. CVE-2015-3185 (cve.mitre.org) Replacement of ap_some_auth_required (unusable in Apache httpd 2.4) with new ap_some_authn_required and ap_force_authn hook. CVE-2015-0253 (cve.mitre.org) core: Fix a crash with ErrorDocument 400 pointing to a local URL-path with the INCLUDES filter active, introduced in 2.4.11. PR 57531. CVE-2015-0228 (cve.mitre.org) mod_lua: A maliciously crafted websockets PING after a script calls r:wsupgrade() can cause a child process crash.
    last seen2020-06-01
    modified2020-06-02
    plugin id84781
    published2015-07-16
    reporterThis script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/84781
    titleFreeBSD : apache24 -- multiple vulnerabilities (a12494c1-2af4-11e5-86ff-14dae9d210b8)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2015-11792.NASL
    descriptionUpdate to new version 2.4.16. This update fixed various bugs as well as few security issues. For full changelog, see http://www.apache.org/dist/httpd/CHANGES_2.4.16 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2015-07-30
    plugin id85092
    published2015-07-30
    reporterThis script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/85092
    titleFedora 21 : httpd-2.4.16-1.fc21 (2015-11792)
  • NASL familySlackware Local Security Checks
    NASL idSLACKWARE_SSA_2015-198-01.NASL
    descriptionNew httpd packages are available for Slackware 14.0, 14.1, and -current to fix security issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id84829
    published2015-07-20
    reporterThis script is Copyright (C) 2015-2016 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/84829
    titleSlackware 14.0 / 14.1 / current : httpd (SSA:2015-198-01)
  • NASL familyWeb Servers
    NASL idAPACHE_2_4_16.NASL
    descriptionAccording to its banner, the version of Apache 2.4.x installed on the remote host is prior to 2.4.16. It is, therefore, affected by the following vulnerabilities : - A flaw exists in the lua_websocket_read() function in the
    last seen2020-06-01
    modified2020-06-02
    plugin id84959
    published2015-07-23
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/84959
    titleApache 2.4.x < 2.4.16 Multiple Vulnerabilities
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-841.NASL
    descriptionThe fix for CVE-2016-8743 introduced a regression which would segfault apache workers under certain conditions (#858373), an issue similar to previously fixed CVE-2015-0253. The issue was introduced in DLA-841-1 and the associated 2.2.22-13+deb7u8 package version. For Debian 7
    last seen2020-03-17
    modified2017-03-01
    plugin id97438
    published2017-03-01
    reporterThis script is Copyright (C) 2017-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/97438
    titleDebian DLA-841-2 : apache2 regression update

Redhat

advisories
rhsa
idRHSA-2015:1666
rpms
  • httpd24-httpd-0:2.4.12-4.el6.2
  • httpd24-httpd-0:2.4.12-6.el7.1
  • httpd24-httpd-debuginfo-0:2.4.12-4.el6.2
  • httpd24-httpd-debuginfo-0:2.4.12-6.el7.1
  • httpd24-httpd-devel-0:2.4.12-4.el6.2
  • httpd24-httpd-devel-0:2.4.12-6.el7.1
  • httpd24-httpd-manual-0:2.4.12-4.el6.2
  • httpd24-httpd-manual-0:2.4.12-6.el7.1
  • httpd24-httpd-tools-0:2.4.12-4.el6.2
  • httpd24-httpd-tools-0:2.4.12-6.el7.1
  • httpd24-mod_ldap-0:2.4.12-4.el6.2
  • httpd24-mod_ldap-0:2.4.12-6.el7.1
  • httpd24-mod_proxy_html-1:2.4.12-4.el6.2
  • httpd24-mod_proxy_html-1:2.4.12-6.el7.1
  • httpd24-mod_session-0:2.4.12-4.el6.2
  • httpd24-mod_session-0:2.4.12-6.el7.1
  • httpd24-mod_ssl-1:2.4.12-4.el6.2
  • httpd24-mod_ssl-1:2.4.12-6.el7.1

References