__________________________________________________________

                   The U.S. Department of Energy
               Computer Incident Advisory Capability
__________________________________________________________

                         INFORMATION BULLETIN

                  Red Hat mod_auth_any Vulnerabilities
              [Red Hat Security Advisory RHSA-2003:113-13]

May 5, 2003 18:00 GMT                                             Number N-090
______________________________________________________________________________
PROBLEM:       A vulnerability has been found in the way mod_auth_any escapes
               shell arguments when calling external programs. mod_auth_any
               is a Web server module that allows the Apache httpd server to
               call arbitrary external programs to verify user passwords.

PLATFORM:      Red Hat Linux 7.2
               Red Hat Linux 7.3

DAMAGE:        Exploiting this vulnerability could allow a remote attacker to
               run arbitrary commands as the user under which the Web server
               is running.

SOLUTION:      Apply the updated packages as instructed in Red Hat's advisory.
______________________________________________________________________________
VULNERABILITY  The risk is HIGH. Exploiting this vulnerability could lead to a
ASSESSMENT:    remote compromise of the Web server account (arbitrary command
               execution as the httpd user). Web servers that do not use
               mod_auth_any to authenticate users are not affected.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/n-090.shtml
 ORIGINAL BULLETIN:  http://rhn.redhat.com/errata/RHSA-2003-113.html
______________________________________________________________________________

[***** Start Red Hat Security Advisory RHSA-2003:113-13 *****]

Updated mod_auth_any packages available

Advisory:             RHSA-2003:113-13
Last updated on:      2003-05-02
Affected Products:    Red Hat Linux 7.2
                      Red Hat Linux 7.3
CVEs (cve.mitre.org): CAN-2003-0084

Security Advisory

Details:

Updated mod_auth_any packages are now available for Red Hat Linux.
mod_auth_any is a Web server module that allows the Apache httpd server to
call arbitrary external programs to verify user passwords.

Vulnerabilities have been found in the way mod_auth_any escapes shell
arguments when calling external programs. Versions of mod_auth_any included
in Red Hat Linux 7.2 and 7.3 are affected. These vulnerabilities allow remote
attackers to run arbitrary commands as the user under which the Web server is
running.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the name CAN-2003-0084 to these issues.

All users are advised to upgrade to these errata packages, which address
these vulnerabilities by changing the method by which external programs are
invoked.

Note: This updated module is more careful in checking the results of the
AuthAnyUserProg. Previous versions did not distinguish between the program
outputting nothing due to success or a crash. This replacement version treats
a zero-length result as if it were an "Authentication Error," and expects the
program to output a valid username on success.

Red Hat would like to thank Daniel Jarboe and Maneesh Sahani for bringing
these issues to our attention.

Updated packages (file name, followed by its md5sum):

Red Hat Linux 7.2
--------------------------------------------------------------------------------
SRPMS:
  mod_auth_any-1.2.2-2.src.rpm     fdff9ef0f0ebceeed5fb74ef000439d9
i386:
  mod_auth_any-1.2.2-2.i386.rpm    2da126608c09ef9ce8f617d4cbefd00b
ia64:
  mod_auth_any-1.2.2-2.ia64.rpm    3e167cc091b577bb1fd6fe361f86ea48

Red Hat Linux 7.3
--------------------------------------------------------------------------------
SRPMS:
  mod_auth_any-1.2.2-2.src.rpm     fdff9ef0f0ebceeed5fb74ef000439d9
i386:
  mod_auth_any-1.2.2-2.i386.rpm    2da126608c09ef9ce8f617d4cbefd00b

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.
To update all RPMs for your particular architecture, run:

    rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs
which are currently installed will be updated. Those RPMs which are not
installed but included in the list will not be updated. Note that you can
also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

    up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Bugs fixed: (see bugzilla for more information)

77414 - CAN-2003-0084 mod_auth_any popen without checking for ; or " in input

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0084

Keywords: escape, mod_auth_any
--------------------------------------------------------------------------------
The listed packages are GPG signed by Red Hat, Inc. for security. Our key is
available at:

    http://www.redhat.com/solutions/security/news/publickey/#key

You can verify each package and see who signed it with the following command:

    rpm --checksig -v filename

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:

    md5sum filename

The Red Hat security contact is security@redhat.com. More contact details at
http://www.redhat.com/solutions/security/news/contact.html

[***** End Red Hat Security Advisory RHSA-2003:113-13 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat for the information
contained in this bulletin.
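The bug title above ("popen without checking for ; or " in input") and the advisory's fix ("changing the method by which external programs are invoked", plus treating empty output as an authentication error) describe a pattern that is clearer in code. The following C example is added here by the editor and is not mod_auth_any's code: it shows the popen()-with-interpolated-username pattern, why wrapping the user name in double quotes does not save it, and a fork/execv replacement that passes the user name as a single argv element, feeds the password on stdin, and applies the advisory's result-checking rule (zero-length output is an error; success means the program printed the user name). The AuthAnyUserProg calling convention used here (user name in argv[1], password on stdin, user name echoed back on success), the username allowlist, and the /bin/echo and /bin/true stand-ins for the external program are assumptions of this example, not documented behaviour of the module.

```c
/* Added example, not mod_auth_any's code: the shell-injection pattern behind
 * CAN-2003-0084 next to a no-shell replacement. Assumed AuthAnyUserProg
 * convention (an assumption of this example, not the module's documented API):
 * user name in argv[1], password on stdin, user name printed on success. */
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

enum auth_result { AUTH_OK = 0, AUTH_DENIED = 1, AUTH_ERROR = 2 };

/* Vulnerable pattern: interpolate request-controlled input into a command line
 * for popen(). Wrapping it in "..." does not help: a user name such as
 *     x"; id; echo "
 * closes the quotes and the remainder runs as shell code under the httpd
 * user. The string is returned for inspection only; nothing here executes it. */
int build_popen_cmd(const char *prog, const char *user, char *buf, size_t len)
{
    int n = snprintf(buf, len, "%s \"%s\"", prog, user);
    return (n >= 0 && (size_t)n < len) ? 0 : -1;
}

/* The check the original code lacked (bug 77414): anything /bin/sh would
 * interpret. Useful for logging, but the real fix is to keep the shell out. */
int has_shell_metachars(const char *s)
{
    return strpbrk(s, ";\"'`$|&<>()\\\n") != NULL;
}

/* Defence in depth added by this example: an allowlist applied before anything
 * is executed, so odd user names are rejected without spawning a process. */
int valid_username(const char *s)
{
    static const char ok[] = "abcdefghijklmnopqrstuvwxyz"
                             "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-@";
    return *s != '\0' && strlen(s) < 64 && strspn(s, ok) == strlen(s);
}

/* Fixed pattern: fork and execv() the program with an argv array, so the user
 * name is exactly one argument and is never parsed by a shell. The password is
 * written to the child's stdin rather than the command line (where `ps` would
 * show it). Per the advisory's note: crash, non-zero exit or zero-length output
 * is AUTH_ERROR; only output equal to the user name is AUTH_OK. */
enum auth_result run_auth_prog(const char *prog, const char *user, const char *pass)
{
    int in[2], out[2];
    if (!valid_username(user))
        return AUTH_DENIED;
    if (pipe(in) == -1 || pipe(out) == -1)
        return AUTH_ERROR;
    signal(SIGPIPE, SIG_IGN);          /* child may exit before reading stdin */

    pid_t pid = fork();
    if (pid == -1)
        return AUTH_ERROR;
    if (pid == 0) {                    /* child: wire up pipes, exec, no shell */
        dup2(in[0], STDIN_FILENO);
        dup2(out[1], STDOUT_FILENO);
        close(in[0]); close(in[1]); close(out[0]); close(out[1]);
        char *const argv[] = { (char *)prog, (char *)user, NULL };
        execv(prog, argv);
        _exit(127);                    /* only reached if execv() failed */
    }

    close(in[0]); close(out[1]);
    (void)write(in[1], pass, strlen(pass));   /* EPIPE is harmless here */
    close(in[1]);

    char reply[256]; size_t got = 0; ssize_t r;
    while (got < sizeof(reply) - 1 &&
           (r = read(out[0], reply + got, sizeof(reply) - 1 - got)) > 0)
        got += (size_t)r;
    reply[got] = '\0';
    close(out[0]);

    int status;
    waitpid(pid, &status, 0);
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0 || got == 0)
        return AUTH_ERROR;             /* crash, exec failure or empty output */
    reply[strcspn(reply, "\r\n")] = '\0';
    return strcmp(reply, user) == 0 ? AUTH_OK : AUTH_DENIED;
}

int main(void)
{
    char cmd[256];
    const char *evil = "x\"; id; echo \"";      /* constructed attacker input */
    build_popen_cmd("/usr/local/bin/checkpw", evil, cmd, sizeof cmd);
    printf("popen() would run: %s   (metachars: %d)\n", cmd, has_shell_metachars(evil));
    /* /bin/echo stands in for a program that prints the user name on success;
     * /bin/true for one that prints nothing (the crash / empty-output case). */
    printf("echo -> %d (AUTH_OK is 0)\n",     run_auth_prog("/bin/echo", "alice", "s3cret"));
    printf("true -> %d (AUTH_ERROR is 2)\n",  run_auth_prog("/bin/true", "alice", "s3cret"));
    printf("evil -> %d (AUTH_DENIED is 1)\n", run_auth_prog("/bin/echo", evil, "s3cret"));
    return 0;
}
```

Running it shows the command line popen() would have handed to /bin/sh for the constructed input, then the three outcomes of the no-shell path: the stand-in that echoes the user name authenticates, the one that prints nothing is reported as an error rather than silently passing or failing, and the injected user name is rejected before any process is started. The allowlist in valid_username() is stricter than the advisory requires; the execv() path alone already prevents the injection, since the user name is never interpreted by a shell.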
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights.
Reference herein to any specific commercial products, process, or service by
trade name, trademark, manufacturer, or otherwise, does not necessarily
constitute or imply its endorsement, recommendation or favoring by the United
States Government or the University of California. The views and opinions of
authors expressed herein do not necessarily state or reflect those of the
United States Government or the University of California, and shall not be
used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

N-080: Red Hat Updated tcpdump Packages Fix Various Vulnerabilities
N-081: Microsoft Cumulative Patch for Outlook Express
N-082: Microsoft Cumulative Patch for Internet Explorer (IE)
N-083: Cisco Catalyst Enable Password Bypass Vulnerability
N-084: SGI nsd LDAP Implementation Vulnerability
N-085: Oracle Buffer Overflow in Net Services for Oracle Database Server
N-086: HP Tru64 UNIX Software Installation and Update Utilities Vulnerability
N-087: Microsoft Cumulative Patch for BizTalk Server
N-088: Hewlett-Packard rexec Command Security Vulnerability
N-089: Red Hat MySQL Vulnerabilities