Apache HTTP2 Header Memory Corruption Vulnerability (CVE-2020-9490, CVE-2020-11984, CVE-2020-11993)

Posted by Author Dhiren Vaghela on Posted on

Summary

Apache, officially known as Apache HTTP Server, is an open-source and free web server software that powers most of the websites around the world. Recently, one Critical and two High severity flaws were fixed in Apache httpd 2.4.44. These flaws were tracked as CVE-2020-9490, CVE-2020-11984, and CVE-2020-11993 – out of which,  CVE-2020-9490 is the most severe one. Credit for discovering the three CVEs goes to Felix Wilhelm of Google Project Zero.

  • CVE-2020-9490: Push Diary Crash on Specifically Crafted HTTP/2 Header
  • CVE-2020-11993: Push Diary Crash on Specifically Crafted HTTP/2 Header
  • CVE-2020-11984: mod_proxy_uwsgi buffer overflow

Description

According to the advisory  published by Apache for CVE-2020-9490, “Apache’s mod_http2 module supports a feature called Push Diary that keeps track of all resources already pushed over a single HTTP/2 connection. To avoid unnecessary pushes on new connections, clients can initialize or replace the active Push Diary by sending a base64-encoded diary in the ‘Cache-Digest’ header.” Furthermore, “A specially crafted value for the ‘Cache-Digest’ header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards.”

For CVE-2020-11984, a possible buffer overflow in mod_proxy_uwsgi module might lead to a potential RCE.

For CVE-2020-11993, on certain traffic edge patterns, when debug was enabled for HTTP/2 module, it was observed that memory pools were used concurrently, and logging statement were made on unwanted connection resulting in memory corruption flaw.

No vulnerabilities were observed to have been exploited in the wild at the time of writing this blog.  Although it is strongly recommended to patch up Apache web servers to the latest and fixed version with appropriate permissions.

Affected Products 

  • CVE-2020-9490 and CVE-2020-11993 – Apache HTTP Server versions 2.4.20 to 2.4.43 
  • CVE-2020-11984 – Apache HTTP Server versions 2.4.32 to 2.4.43 

Advisory 

https://httpd.apache.org/security/vulnerabilities_24.html 

Mitigations: 

On unpatched servers 

  • Configuring the HTTP/2 feature via “H2Push off” will mitigate this vulnerability for unpatched servers. 
  • Configuring the LogLevel of mod_http2 above “info” will mitigate this vulnerability for unpatched servers.

Workaround/Mitigation Detection

Qualys Policy Compliance customers can evaluate workaround based on following Controls and refer to their evaluation definitions

1. 19187 Status of the ‘H2Push’ directive in the apache configuration file (Server Level)
2. 19188 The Status of the ‘LogLevel’ directive in the Apache configuration file (Server Level)

Solution 

Users are advised to update their Apache Web Server installations to the latest version Apache httpd 2.4.44. 

Detection 

Qualys customers can scan their network with QIDs 13929 and 13938 to detect vulnerable assets.  

Please continue to follow Qualys Threat Protection for more coverage on latest vulnerabilities. 

References
https://httpd.apache.org/security/vulnerabilities_24.html 

https://bugs.chromium.org/p/project-zero/issues/detail?id=2030  

Leave a Reply

Your email address will not be published. Required fields are marked *