Reference: CERT-EU Security Advisory 2011-0006

Title: Vulnerability on Apache HTTP server with mod_proxy exposes internal networks

Version history:
06.10.2011 Initial publication

Summary
=======

A vulnerability [1] has been disclosed in the Apache HTTP server when running in reverse-proxy mode. It affects all versions of httpd 1.3 and all versions of httpd 2.x that use mod_proxy with certain configurations of RewriteRule or ProxyPassMatch. See [1] for further details.

CVE-2011-3368 [2]

Potential impact
================

By sending crafted requests, an attacker may be able to connect to internal systems and applications in the affected network. This is limited to systems that are reachable from the reverse proxy: by default, potentially any system or application that is in the same LAN (e.g. DMZ) or that is allowed by the filtering system.

The attack may lead to access to internal administration interfaces, including those of network devices such as firewalls and routers, if they are reachable from the reverse proxy.

The attacker may eventually gain access to systems or applications by exploiting default or weak authentication mechanisms (e.g. weak passwords).

CVSS v2 Base Score: 5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Impact Subscore: 2.9
Exploitability Subscore: 10.0
Access Vector: Network exploitable
Access Complexity: Low
Authentication: Not required to exploit
Impact Type: Allows unauthorized disclosure of information

What can you do?
================

Server-side:
-----------

Apache has released a patch:
http://www.apache.org/dist/httpd/patches/apply_to_2.2.21/

Work-arounds:
------------

If you cannot install the patch, these are some work-arounds that you may implement:

- Update the configuration of the reverse proxy as suggested in the section "Actions" of [1] to avoid the vulnerability
- Ensure that any sensitive data/service is accessible only via a strong authentication mechanism (e.g. strong password policy)
- Ensure that your network filtering devices allow your reverse proxy to access the required systems only
- Ensure that your applications and administration interfaces listen only on the required interfaces of your machine or, alternatively, use tcp-wrapper to block the access
- Ensure that the administration interfaces of your network devices are not unnecessarily reachable from the impacted reverse proxy

What to tell your users?
========================

This vulnerability does not concern the end users. Only the system administrators need to take action.

More information
================

[1] http://seclists.org/fulldisclosure/2011/Oct/232
[2] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3368
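
The first work-around (reviewing the reverse-proxy configuration) can be partly automated. The Python script below is an added example, not part of this advisory or of Apache httpd; it assumes the configuration pattern described in the Apache advisory for CVE-2011-3368, namely a proxied RewriteRule or ProxyPassMatch target in which a backreference follows the host name with no "/" in between. The function names and the sample configuration are constructed for illustration.

```python
import re

# Assumption: the risky pattern is a backreference ($1, $2, ...) attached directly
# to scheme://host[:port], with no "/" separating host and path.
UNSAFE_TARGET = re.compile(r'^[a-z][a-z0-9+.-]*://[^/\s$]+\$\d', re.I)

def proxy_flag(flags):
    """True if a RewriteRule flag list such as [P,L] or [proxy] requests proxying."""
    names = [f.strip().lower() for f in flags.strip('[]').split(',')]
    return 'p' in names or 'proxy' in names

def audit(config_text):
    """Return (line_number, directive, target) for each proxied rule lacking the '/'."""
    findings = []
    for num, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):      # blank line or comment
            continue
        parts = line.split()                      # assumes unquoted arguments
        directive = parts[0].lower()
        if directive == 'rewriterule' and len(parts) >= 4 and proxy_flag(parts[3]):
            target = parts[2]
        elif directive == 'proxypassmatch' and len(parts) >= 3:
            target = parts[2]
        else:
            continue                              # not a proxying rule
        if UNSAFE_TARGET.match(target):
            findings.append((num, parts[0], target))
    return findings

# Constructed sample configuration (not taken from a real server).
SAMPLE = r"""
# image offloading
RewriteEngine On
RewriteRule (.*)\.(jpg|gif|png) http://images.example.com$1.$2 [P]
RewriteRule (.*)\.(jpg|gif|png) http://images.example.com/$1.$2 [P]
ProxyPassMatch (.*)\.(jpg|gif|png) http://images.example.com:8080$1.$2
ProxyPassMatch ^/app/(.*) http://app.example.com/$1
RewriteRule ^/old/(.*) http://www.example.com$1 [R,L]
"""

if __name__ == '__main__':
    for num, directive, target in audit(SAMPLE):
        print(f"line {num}: {directive} target {target} has no '/' before the backreference")
```

The script reads one directive per line and does not follow Include directives or line continuations, so run it over every configuration file the server loads.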