Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2016.1050
Multiple vulnerabilities have been identified in Apache Subversion
2 May 2016
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Apache Subversion
Publisher: Apache
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Impact/Access: Denial of Service -- Remote/Unauthenticated
Access Confidential Data -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2016-2168 CVE-2016-2167
Original Bulletin:
https://subversion.apache.org/security/CVE-2016-2167-advisory.txt
https://subversion.apache.org/security/CVE-2016-2168-advisory.txt
Comment: This bulletin contains two (2) Apache security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
svnserve/sasl may authenticate users using the wrong realm
Summary:
========
svnserve, the svn:// protocol server, can optionally use the Cyrus
SASL library for authentication, integrity protection, and encryption.
Due to a programming oversight, authentication against Cyrus SASL
would permit the remote user to specify a realm string which is
a prefix of the expected realm string.
Known vulnerable:
=================
Subversion 1.9.0 to 1.9.3
Subversion 1.5.0 to 1.8.15
Only repositories served by svnserve using SASL are affected. For
a repository to be affected, both of the following must be true:
1. The output of `svnserve --version` includes the line "Cyrus SASL
authentication is available".
2. The svnserve.conf file includes "use-sasl = true" in the "[sasl]"
section.
Known fixed:
============
Subversion 1.9.4
Subversion 1.8.16
mod_dav_svn (any version) is not affected.
svnserve compiled without SASL support is not affected, regardless
of the contents of svnserve.conf files.
If the svnserve.conf file specifies 'use-sasl = false', or does not
specify 'use-sasl' at all, then the repository or svnserve instance
using that svnserve.conf file is not affected.
Details:
========
The Cyrus SASL authentication library provides a callback for
applications to "canonicalize" the username and realm provided by the
remote end. svnserve uses that callback to enforce that either the
remote end specified no realm, or it specified the repository's realm
(as declared in the svnserve.conf file).
Due to a programming oversight, if the remote end specified a realm
string which is a prefix of the expected realm string, the
remote-specified realm string would be used in the canonicalized
value. Consequently, a user who has valid credentials to a realm,
whose name is a prefix of the repository's realm, would be able to
successfully authenticate to the repository.
Such a user would still be subject to path-based authorization, if
enabled via the 'authz-db' or 'auth-access' svnserve.conf directives.
In theory, the erroneous realm comparison would also allow a remote
user to specify a realm string followed by an ASCII NUL byte and
possibly by more bytes thereafter. In practice, however, control flow
on such inputs does not reach the vulnerable code.
Examples:
1. The user "jrandom" in the realm "foo" can successfully authenticate
to a repository whose realm is "foobar".
Severity:
=========
CVSSv2 Base Score: 3.6
CVSSv2 Base Vector: AV:N/AC:H/Au:S/C:P/I:P/A:N
Since this vulnerability presupposes rare circumstances --- namely,
having a valid realm name which is a string prefix of the repository's
realm name --- few deployments will be affected.
For affected deployments, however, this is a medium-risk
information disclosure and modification vulnerability. The extent of
the information that may be accessed and modified by attackers depends
on the path-based authorization configuration in use (via the
'authz-db' and 'auth-access' svnserve.conf directives).
Recommendations:
================
Affected servers should be upgraded to Subversion 1.8.16 or 1.9.4.
Workarounds include:
- Use path-based authorization to deny access to usernames from other
realms, so they would be able to authenticate but then would have
authorization to nothing.
- Change realm names such that no valid realm name is a prefix of the
repository's realm name.
References:
===========
CVE-2016-2167 (Subversion)
Reported by:
============
Daniel Shahaf, Apache Infrastructure
James McCoy, Debian
Patches:
========
Patch for Subversion 1.9.3:
[[[
Index: subversion/svnserve/cyrus_auth.c
===================================================================
- --- subversion/svnserve/cyrus_auth.c (revision 1735379)
+++ subversion/svnserve/cyrus_auth.c (working copy)
@@ -74,6 +74,8 @@ static int canonicalize_username(sasl_conn_t *conn
{
/* The only valid realm is user_realm (i.e. the repository's realm).
If the user gave us another realm, complain. */
+ if (realm_len != inlen-(pos-in+1))
+ return SASL_BADPROT;
if (strncmp(pos+1, user_realm, inlen-(pos-in+1)) != 0)
return SASL_BADPROT;
}
]]]
Patch for Subversion 1.8.15:
[[[
Index: subversion/svnserve/cyrus_auth.c
===================================================================
- --- subversion/svnserve/cyrus_auth.c (revision 1735379)
+++ subversion/svnserve/cyrus_auth.c (working copy)
@@ -74,6 +74,8 @@ static int canonicalize_username(sasl_conn_t *conn
{
/* The only valid realm is user_realm (i.e. the repository's realm).
If the user gave us another realm, complain. */
+ if (realm_len != inlen-(pos-in+1))
+ return SASL_BADPROT;
if (strncmp(pos+1, user_realm, inlen-(pos-in+1)) != 0)
return SASL_BADPROT;
}
]]]
- ---
Remotely triggerable DoS vulnerability in mod_authz_svn during COPY/MOVE
authorization check.
Summary:
========
Subversion's httpd servers are vulnerable to a remotely triggerable crash
in the mod_authz_svn module. The crash can occur during an authorization
check for a COPY or MOVE request with a specially crafted header value.
This allows remote attackers to cause a denial of service.
Known vulnerable:
=================
Subversion httpd servers 1.0.0 to 1.8.15 (inclusive)
Subversion httpd servers 1.9.0 through 1.9.3 (inclusive)
Subversion svnserve servers (any version) are not vulnerable
Known fixed:
============
Subversion 1.8.16
Subversion 1.9.4
Details:
========
Subversion includes a separate server module, mod_authz_svn, which does
path-based authorization on Subversion repositories. Authorizing a COPY
or MOVE request requires additional checks for the destination of the
request. This additional logic contains a flaw that will cause a null
pointer dereference and a segmentation fault with certain invalid request
headers.
Exploiting this vulnerability requires the attacker to be authenticated
on the targeted server. Since the flaw is in the authorization module,
the attack does not require access to a particular repository.
Severity:
=========
CVSSv2 Base Score: 5.0
CVSSv2 Base Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
We consider this to be a medium risk vulnerability. In order to take
advantage of this attack the attacker would require to authenticate
against the targeted server. The attack does not require read access
to a particular repository. Servers which allow for anonymous reads
will be vulnerable without authentication.
A remote attacker may be able to crash a Subversion server. Many Apache
servers will respawn the listener processes, but a determined attacker
will be able to crash these processes as they appear, denying service to
legitimate users. Servers using threaded MPMs will close the connection
on other clients being served by the same process that services the
request from the attacker. In either case there is an increased
processing impact of restarting a process and the cost of per process
caches being lost.
Recommendations:
================
We recommend all users to upgrade to Subversion 1.9.4. Users of
Subversion 1.8.x and 1.9.x who are unable to upgrade may apply the
included patch.
New Subversion packages can be found at:
http://subversion.apache.org/packages.html
No workaround is available.
References:
===========
CVE-2016-2168 (Subversion)
Reported by:
============
Ivan Zhakov, VisualSVN
Patches:
========
Patch for Subversion 1.9.3:
[[[
Index: subversion/mod_authz_svn/mod_authz_svn.c
===================================================================
- --- subversion/mod_authz_svn/mod_authz_svn.c (revision 1736295)
+++ subversion/mod_authz_svn/mod_authz_svn.c (working copy)
@@ -639,6 +639,8 @@ req_check_access(request_rec *r,
if (r->method_number == M_MOVE || r->method_number == M_COPY)
{
+ apr_status_t status;
+
dest_uri = apr_table_get(r->headers_in, "Destination");
/* Decline MOVE or COPY when there is no Destination uri, this will
@@ -647,7 +649,19 @@ req_check_access(request_rec *r,
if (!dest_uri)
return DECLINED;
- - apr_uri_parse(r->pool, dest_uri, &parsed_dest_uri);
+ status = apr_uri_parse(r->pool, dest_uri, &parsed_dest_uri);
+ if (status)
+ {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
+ "Invalid URI in Destination header");
+ return HTTP_BAD_REQUEST;
+ }
+ if (!parsed_dest_uri.path)
+ {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "Invalid URI in Destination header");
+ return HTTP_BAD_REQUEST;
+ }
ap_unescape_url(parsed_dest_uri.path);
dest_uri = parsed_dest_uri.path;
]]]
Patch for Subversion 1.8.15:
[[[
Index: subversion/mod_authz_svn/mod_authz_svn.c
===================================================================
- --- subversion/mod_authz_svn/mod_authz_svn.c (revision 1736295)
+++ subversion/mod_authz_svn/mod_authz_svn.c (working copy)
@@ -628,6 +628,8 @@ req_check_access(request_rec *r,
if (r->method_number == M_MOVE || r->method_number == M_COPY)
{
+ apr_status_t status;
+
dest_uri = apr_table_get(r->headers_in, "Destination");
/* Decline MOVE or COPY when there is no Destination uri, this will
@@ -636,7 +638,19 @@ req_check_access(request_rec *r,
if (!dest_uri)
return DECLINED;
- - apr_uri_parse(r->pool, dest_uri, &parsed_dest_uri);
+ status = apr_uri_parse(r->pool, dest_uri, &parsed_dest_uri);
+ if (status)
+ {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
+ "Invalid URI in Destination header");
+ return HTTP_BAD_REQUEST;
+ }
+ if (!parsed_dest_uri.path)
+ {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "Invalid URI in Destination header");
+ return HTTP_BAD_REQUEST;
+ }
ap_unescape_url(parsed_dest_uri.path);
dest_uri = parsed_dest_uri.path;
]]]
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBVyaqFH6ZAP0PgtI9AQINOA/+P+dss0+vO49BrqouIQIrFM/jfayoAnsR
arLU0cMdtF7iD08ktoDCcyl/6LbNJ0kuyfffapxD9/01ncxw4FI4IrlbxfOSKwm6
MnJUaMTl5faxbYbYBavIoAittVss0lx4IQt7QHHjJh3uqYrxR2zG33PWgPRgMT9t
cAu0VRPGJBQ6+AGcvSd16hxDoTYhfDl8kxY5S1QcX8Vqq4uJTqwjX/nZGZYtjdWY
6re94aTbj1X568GnZaNcM/vUG7JyC6iiDF8cyCKDCvWosaye/dwm87N42L/JVIwI
PIJkKaj8SUiFz1tqeIv7C2/KBr8yAE3RcTt+2fgNUttfA4iTA4xmLdjTCgcpPUTw
qdil7CT5SHI1SUrBUuIGNsfqCshRO/61sQvCzEx4dFmYVBIQGBOzUuX6TGlHs9Ur
YXkFo4nWjplLEzliKoKZ+tEmWMjc5X/lXIR+A64xB6ihLfXJSyBKfXW4vUjl1qXX
ViwNJn/Zttop9XMaISUWSNX1BxdG5Q4r4arv7VtMy7XNyuUjl+0OGhuioYN92q9A
mX1FioXz0FbE3t4ngF7z/M/4Kb2MGuKAfIU3cbFr6dcGgXZulZJyAlyjONG9M6Yg
nXC9ViEigzdvgb1nA9KIpM1QzGElGC598JCGuVNaoi3wGqIGTEAdvPWcS71RI61Q
QNNrg+qlwEU=
=MD6i
-----END PGP SIGNATURE-----