Optionsbleed bug makes Apache HTTP Server leak data from memory

On Monday, security researcher Hanno Böck detailed a memory-leaking vulnerability in Apache HTTP Server that’s similar to the infamous OpenSSL Heartbleed bug uncovered in April 2014.

Unlike Heartbleed, Optionsbleed (as Böck dubbed it) affects a relatively limited number of servers.

Apache HTTP Server Optionsbleed

About Optionsbleed (CVE-2017-9798)

The bug affects Apache HTTP Server 2.2.x through 2.2.34 and 2.4.x through 2.4.27, and only those that sport a certain configuration in the .htaccess file.

The vulnerability is actually a use after free error that causes a corrupted Allow header to be constructed in response to HTTP OPTIONS requests.

“The bug appears if a webmaster tries to use the ‘Limit’ directive [which allows restricting access to certain HTTP methods to a specific user] with an invalid HTTP method,” Böck explained. “This can leak pieces of arbitrary memory from the server process that may contain secrets. The memory pieces change after multiple requests, so for a vulnerable host an arbitrary number of memory chunks can be leaked.”

After scanning the Alexa Top 1 Million sites, he found only 466 hosts with corrupted Allow headers, but he says there could be more as it’s difficult to reproduce. In any case, the danger is not high as that of Heartbleed, but administrators shouldn’t ignore it.

“There’s an additional risk in shared hosting environments,” Böck pointed out. “The corruption is not limited to a single virtual host. One customer of a shared hosting provider could deliberately create an .htaccess file causing this corruption hoping to be able to extract secret data from other hosts on the same system.”

He advised admins to implement the patch as soon as possible. There’s also one available for Apache 2.2. Several Linux and Unix-like distributions have already fixed it and pushed out updates.

The issue was described three years ago

After Böck went public with his findings, researcher Sawood Alam noted that he and his colleagues discovered the same issue in 2014 and described it in a whitepaper (section 5.3), but didn’t sound the alarm as he “didn’t look into it from the security perspective at that time.”

As the team from RedTeam Pentesting noted, “Sadly they didn’t realize what they saw. Seeing and identifying a vulnerability are not the same thing. Requires an experienced eye.”