CVE-2002-0082
CVSS 7.5
Published: 2002-03-15 00:00:00
Modified: 2016-10-17 22:16:00

[Original] The dbm and shm session cache code in mod_ssl before 2.8.7-1.3.23, and Apache-SSL before 1.3.22+1.46, does not properly initialize memory using the i2d_SSL_SESSION function, which allows remote attackers to use a buffer overflow to execute arbitrary code via a large client certificate that is signed by a trusted Certificate Authority (CA), which produces a large serialized session.


[CNNVD] Apache Mod_SSL/Apache-SSL Remote Buffer Overflow Vulnerability (CNNVD-200203-036)

Mod_SSL and Apache-SSL are SSL implementations for the Apache server that provide encryption support for the Apache web server. Both rely on OpenSSL for the SSL implementation itself.

Mod_SSL versions below 2.8.7-1.3.23 and Apache-SSL versions below 1.3.22+1.47 use an OpenSSL function in an unsafe way that, under certain conditions, can lead to a buffer overflow; a remote attacker could cause a denial of service against the server process or execute arbitrary code on the host.

When the SSL session cache is enabled, mod_ssl serializes and stores SSL session state so that it can be reused later. In its 'shm' and 'dbm' session cache implementations, Mod_SSL calls OpenSSL's i2d_SSL_SESSION function. OpenSSL requires the caller to have allocated a buffer large enough to hold the serialized data before making this call. Because Mod_SSL does not call the function in the correct way, a static buffer can overflow while Mod_SSL processes successive sessions.

To exploit this vulnerability, an attacker must find a way to increase the length of the data that represents the session, which is done by presenting an oversized client certificate. The vulnerability can only be exploited when the server has client certificate authentication enabled and the client certificate is signed by a CA that the web server trusts. Although the vulnerability is difficult to exploit, administrators are still advised to upgrade as soon as possible to avoid the potential risk.
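The description above turns on the calling convention of OpenSSL's i2d_* serializers: called with a NULL output pointer they return the encoded length, and it is the caller's job to provide a buffer at least that large before calling again. The following C program is an added illustration of that contract and of the check the session-cache code was missing; it is not code from mod_ssl, Apache-SSL or OpenSSL. To run without linking OpenSSL it uses a constructed stand-in session type (toy_session), a hypothetical serializer (i2d_toy_session) that mirrors the real convention, and a constructed fixed slot size (CACHE_SLOT_SIZE) in place of the static cache buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for SSL_SESSION. Its serialized form is the 32-byte
 * session id, a 4-byte length, then the peer (client) certificate bytes, so a
 * larger client certificate yields a larger serialized session. */
typedef struct {
    unsigned char id[32];
    const unsigned char *peer_cert;
    size_t peer_cert_len;
} toy_session;

/* Hypothetical serializer following the OpenSSL i2d_* calling convention:
 *   pp == NULL  -> return the encoded length without writing anything;
 *   otherwise   -> write the encoding at *pp and advance *pp past it.
 * Returns -1 if the length cannot be represented as an int. */
int i2d_toy_session(const toy_session *s, unsigned char **pp)
{
    size_t need = sizeof s->id + 4 + s->peer_cert_len;
    if (need > INT32_MAX) return -1;
    if (pp == NULL) return (int)need;          /* length query only */

    unsigned char *p = *pp;
    memcpy(p, s->id, sizeof s->id);
    p += sizeof s->id;
    uint32_t n = (uint32_t)s->peer_cert_len;   /* big-endian length prefix */
    p[0] = (unsigned char)(n >> 24);
    p[1] = (unsigned char)(n >> 16);
    p[2] = (unsigned char)(n >> 8);
    p[3] = (unsigned char)n;
    p += 4;
    memcpy(p, s->peer_cert, s->peer_cert_len);
    p += s->peer_cert_len;
    *pp = p;
    return (int)need;
}

/* Constructed fixed slot size, standing in for a static cache buffer. */
#define CACHE_SLOT_SIZE 4096

/* Checked store: query the serializer for the length first and refuse any
 * session that does not fit the slot, instead of serializing blindly into
 * a fixed buffer. Returns bytes written, or -1 if the session was rejected. */
int cache_store_checked(const toy_session *s, unsigned char *slot, size_t slot_len)
{
    int need = i2d_toy_session(s, NULL);
    if (need < 0 || (size_t)need > slot_len) {
        fprintf(stderr, "session needs %d bytes, slot holds %zu: rejected\n",
                need, slot_len);
        return -1;
    }
    unsigned char *p = slot;
    return i2d_toy_session(s, &p);
}

/* Demo helper: build a session whose client certificate is a constructed
 * blob of cert_len 0xAA bytes and try to store it in a CACHE_SLOT_SIZE slot.
 * Returns whatever cache_store_checked returns. */
int store_with_cert_len(size_t cert_len)
{
    static unsigned char slot[CACHE_SLOT_SIZE];
    unsigned char *cert = malloc(cert_len ? cert_len : 1);
    if (!cert) return -1;
    memset(cert, 0xAA, cert_len);

    toy_session s;
    memset(s.id, 0x01, sizeof s.id);
    s.peer_cert = cert;
    s.peer_cert_len = cert_len;

    int r = cache_store_checked(&s, slot, sizeof slot);
    free(cert);
    return r;
}

int main(void)
{
    /* A typical certificate fits; an oversized one is rejected, not written. */
    printf("1 KiB client certificate: %d\n", store_with_cert_len(1024));
    printf("8 KiB client certificate: %d\n", store_with_cert_len(8192));
    return 0;
}
```

The two-call pattern (length query, then serialize) is the general fix for any fixed-size sink fed by an i2d_* function; the example rejects oversized sessions outright, while a cache that must accept them would instead allocate a buffer of the queried size.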

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:apache-ssl:apache-ssl:1.44
cpe:/a:apache-ssl:apache-ssl:1.46
cpe:/a:apache-ssl:apache-ssl:1.45
cpe:/a:mod_ssl:mod_ssl:2.8.3
cpe:/a:mod_ssl:mod_ssl:2.8.2
cpe:/a:mod_ssl:mod_ssl:2.8.5
cpe:/a:mod_ssl:mod_ssl:2.8.4
cpe:/a:apache-ssl:apache-ssl:1.40
cpe:/a:apache-ssl:apache-ssl:1.42
cpe:/a:mod_ssl:mod_ssl:2.8.1
cpe:/a:apache-ssl:apache-ssl:1.41
cpe:/a:mod_ssl:mod_ssl:2.7.1
cpe:/a:mod_ssl:mod_ssl:2.8
cpe:/a:mod_ssl:mod_ssl:2.8.6

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0082
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200203-036
(official data source) CNNVD

- Other links and resources

http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000465
(UNKNOWN)  CONECTIVA  CLA-2002:465
http://ftp.support.compaq.com/patches/.new/html/SSRT0817.shtml
(UNKNOWN)  COMPAQ  SSRT0817
http://marc.info/?l=bugtraq&m=101518491916936&w=2
(UNKNOWN)  BUGTRAQ  20020301 Apache-SSL buffer overflow (fix available)
http://marc.info/?l=bugtraq&m=101528358424306&w=2
(UNKNOWN)  BUGTRAQ  20020304 Apache-SSL 1.3.22+1.47 - update to security fix
http://online.securityfocus.com/archive/1/258646
(UNKNOWN)  BUGTRAQ  20020227 mod_ssl Buffer Overflow Condition (Update Available)
http://www.apacheweek.com/issues/02-03-01#security
(UNKNOWN)  CONFIRM  http://www.apacheweek.com/issues/02-03-01#security
http://www.calderasystems.com/support/security/advisories/CSSA-2002-011.0.txt
(UNKNOWN)  CALDERA  CSSA-2002-011.0
http://www.debian.org/security/2002/dsa-120
(UNKNOWN)  DEBIAN  DSA-120
http://www.iss.net/security_center/static/8308.php
(VENDOR_ADVISORY)  XF  apache-modssl-bo(8308)
http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-020.php
(UNKNOWN)  MANDRAKE  MDKSA-2002:020
http://www.linuxsecurity.com/advisories/other_advisory-1923.html
(UNKNOWN)  ENGARDE  ESA-20020301-005
http://www.redhat.com/support/errata/RHSA-2002-041.html
(UNKNOWN)  REDHAT  RHSA-2002:041
http://www.redhat.com/support/errata/RHSA-2002-042.html
(UNKNOWN)  REDHAT  RHSA-2002:042
http://www.redhat.com/support/errata/RHSA-2002-045.html
(UNKNOWN)  REDHAT  RHSA-2002:045
http://www.securityfocus.com/advisories/3965
(UNKNOWN)  HP  HPSBTL0203-031
http://www.securityfocus.com/advisories/4008
(UNKNOWN)  HP  HPSBUX0204-190
http://www.securityfocus.com/bid/4189
(UNKNOWN)  BID  4189

- Vulnerability information

Apache Mod_SSL/Apache-SSL Remote Buffer Overflow Vulnerability
High  Boundary condition error
2002-03-15 00:00:00 2005-05-02 00:00:00
Remote

- Advisories and patches

Temporary workaround:
If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
* Do not use the vulnerable mod_ssl.
Vendor patches:
Conectiva
---------
Conectiva has released a security advisory (CLA-2002:465) and corresponding patches:
CLA-2002:465: Buffer overflow in the mod_ssl module used by apache
Link:
        http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000465

Patch downloads:
        ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/apache-1.3.22-1U50_3cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/5.0/i386/apache-1.3.22-1U50_3cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.0/i386/apache-devel-1.3.22-1U50_3cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.0/i386/apache-doc-1.3.22-1U50_3cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/apache-1.3.22-1U51_3cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/5.1/i386/apache-1.3.22-1U51_3cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.1/i386/apache-doc-1.3.22-1U51_3cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.1/i386/apache-devel-1.3.22-1U51_3cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/apache-1.3.22-1U60_3cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/6.0/RPMS/apache-1.3.22-1U60_3cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/6.0/RPMS/apache-devel-1.3.22-1U60_3cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/6.0/RPMS/apache-doc-1.3.22-1U60_3cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/apache-1.3.22-1U70_3cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/7.0/RPMS/apache-1.3.22-1U70_3cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/7.0/RPMS/apache-devel-1.3.22-1U70_3cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/7.0/RPMS/apache-doc-1.3.22-1U70_3cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/apache-1.3.22-1U50_3cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/apache-1.3.22-1U50_3cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/apache-devel-1.3.22-1U50_3cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/apache-doc-1.3.22-1U50_3cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/apache-1.3.22-1U50_3cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/apache-1.3.22-1U50_3cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/apache-devel-1.3.22-1U50_3cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/apache-doc-1.3.22-1U50_3cl.i386.rpm
Debian
------
Debian has released a security advisory (DSA-120-1) and corresponding patches:
DSA-120-1: New mod_ssl and Apache/SSL packages fix buffer overflow
Link:
        http://www.debian.org/security/2002/dsa-120

Patch downloads:
Debian GNU/Linux 2.2 alias potato
------------------------------------
Source archives:
        
        http://security.debian.org/dists/stable/updates/main/source/apache-ssl_1.3.9.13-4.diff.gz

        
        http://security.debian.org/dists/stable/updates/main/source/apache-ssl_1.3.9.13-4.dsc

        
        http://security.debian.org/dists/stable/updates/main/source//apache-ssl_1.3.9.13.orig.tar.gz

        
        http://security.debian.org/dists/stable/updates/main/source/libapache-mod-ssl_2.4.10-1.3.9-1potato1.diff.gz

        
        http://security.debian.org/dists/stable/updates/main/source/libapache-mod-ssl_2.4.10-1.3.9-1potato1.dsc

        
        http://security.debian.org/dists/stable/updates/main/source/libapache-mod-ssl_2.4.10-1.3.9.orig.tar.gz

         Architecture independent components:
        
        http://security.debian.org/dists/stable/updates/main/binary-all/libapache-mod-ssl-doc_2.4.10-1.3.9-1potato1_all.deb

         Alpha architecture:
        
        http://security.debian.org/dists/stable/updates/main/binary-alpha/apache-ssl_1.3.9.13-4_alpha.deb

        
        http://security.debian.org/dists/stable/updates/main/binary-alpha/libapache-mod-ssl_2.4.10-1.3.9-1potato1_alpha.deb

         ARM architecture:
        

- Vulnerability information

756
Apache HTTP Server mod_ssl i2d_SSL_SESSION Function SSL Client Certificate Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Upgrade
Vendor Verified

- Vulnerability description

- Timeline

2002-02-27 Unknown
Unknown Unknown

- Solution

Products

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete