Do you use an Apache Web server? Two weeks ago, a user reported a vulnerability in the popular Web server software that lets intruders run arbitrary code and possibly gain root access to a system. The vulnerability lies in the handling of chunk-encoded data, a feature of the HTTP 1.1 standard that Internet Engineering Task Force (IETF) Request for Comments (RFC) 2616 outlines. The Apache Software Foundation hurried to release patched code to protect against exploits, which were first thought to affect only 64-bit platforms. However, a user then released source code for an exploit against 32-bit x86-based systems, which means users running Apache on 32-bit platforms are also vulnerable.
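To make concrete what "chunk-encoded data" means here, the following is an added example, not code from this article or from Apache: a bounds-checked decoder for an RFC 2616 chunked body. The client-supplied chunk-size is treated as untrusted input, kept unsigned, and checked against the output buffer and remaining input before any copy, which is the class of check a server must get right. The `check_chunked` helper and the 64-byte demo buffer are assumptions for the example.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>

/* Decode an HTTP/1.1 chunked body (RFC 2616 section 3.6.1) into out.
 * Returns the decoded length, or -1 if the input is malformed, a chunk-size
 * would overflow size_t, or a chunk would not fit the remaining output space.
 * The size stays unsigned and is checked before any copy, so a hostile
 * chunk-size can never turn into a negative or oversized copy length. */
long decode_chunked(const char *in, size_t in_len, char *out, size_t out_cap)
{
    size_t ip = 0, op = 0;
    for (;;) {
        size_t chunk = 0, digits = 0;
        while (ip < in_len && isxdigit((unsigned char)in[ip])) {
            int c = tolower((unsigned char)in[ip]);
            int v = (c <= '9') ? c - '0' : c - 'a' + 10;
            if (chunk > (SIZE_MAX >> 4)) return -1;   /* size would wrap */
            chunk = (chunk << 4) | (size_t)v;
            ip++; digits++;
        }
        if (digits == 0) return -1;                   /* no chunk-size */
        while (ip < in_len && in[ip] != '\r') ip++;   /* skip extensions */
        if (ip + 2 > in_len || in[ip] != '\r' || in[ip + 1] != '\n') return -1;
        ip += 2;
        if (chunk == 0) return (long)op;              /* last-chunk */
        if (chunk > out_cap - op || chunk > in_len - ip) return -1;
        memcpy(out + op, in + ip, chunk);             /* bounded copy */
        op += chunk; ip += chunk;
        if (ip + 2 > in_len || in[ip] != '\r' || in[ip + 1] != '\n') return -1;
        ip += 2;
    }
}

/* Demo helper (assumed, not part of the decoder): decode body into a 64-byte
 * buffer. Returns 1 if the result equals expected, 0 if it decodes but
 * differs, -1 if the decoder rejected the body. */
int check_chunked(const char *body, const char *expected)
{
    char buf[64];
    long n = decode_chunked(body, strlen(body), buf, sizeof buf);
    if (n < 0) return -1;
    return (size_t)n == strlen(expected) && memcmp(buf, expected, (size_t)n) == 0;
}
```

A well-formed body such as `4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n` decodes to `Wikipedia`, while a body whose chunk-size claims more bytes than the buffer or the input holds is rejected before anything is copied.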
On June 19 and June 21, a user identifying himself as "Gobbles" posted working exploit code to the BugTraq mailing list. Not surprisingly, last Friday, June 28, users detected a new worm spreading on the Internet that exploits the chunked-encoding vulnerability.
One user, Domas Mituzas, captured the worm in a honeypot system and analyzed it, revealing several aspects of the worm's activity. The worm spreads by scanning for other vulnerable Apache servers. It also contains a command interface that listens on UDP port 2001 and lets the worm be instructed to perform Distributed Denial of Service (DDoS) attacks against specified targets. Shortly after Mituzas posted the worm's binary executables to the Web, he received the complete source code for the worm through email and subsequently posted that code to the Web as well.
The problem is very serious because approximately 50 million Apache Web servers operate on the Internet. Compounding the problem, many vendors, such as Dell, have built Apache code into the Web management interfaces of their various network-management products.
The Computer Emergency Response Team (CERT) issued an advisory (CA-2002-17) about the vulnerability. The Apache team has released updated software that helps protect both 64-bit and 32-bit versions and recommends that all users upgrade to Apache 2.0.39 or Apache 1.3.26. Some users might be relying on third-party patches to correct the problem. However, not all of those third-party patches address the complete scope of the vulnerabilities. Therefore, I urge users to immediately obtain and install patched code directly from the Apache Software Foundation.
But even with the new version, Apache 2.0.39, installed, Apache servers might have trouble. Another user, Brett Glass, reported that one of his Apache 2.0.39 servers "went berserk" by spawning the maximum number of child processes, which locked up his system. His logs revealed that the child processes had been attempting to free memory space that had already been freed. No more information about this anomaly is available right now. However, I'll keep you posted regarding any significant new information. In the meantime, help ward off a potential DDoS nightmare: Patch your Apache servers now.