IP spoofing and buffer overflow flaws in Apache. Secure your servers

Specialists in a network security course have reported the discovery of multiple vulnerabilities in Apache Server, the open source HTTP web server for UNIX, Microsoft Windows and other platforms, developed by Apache Foundation. According to the report, successful exploitation of these flaws could lead to IP spoofing and buffer overflow attacks.

Below is a summary of the reported flaws, with their identifiers and their scores according to the Common Vulnerability Scoring System (CVSS).

CVE-2020-11984: A boundary error in the mod_proxy_uwsgi module could cause a buffer overflow, leading to remote execution of arbitrary code on the target system.

Threat actors need only send specially crafted requests to the web server to trigger the flaw, network security course experts report. The flaw received a score of 7.7/10 and is considered high severity.

CVE-2020-11993: Inadequate management of application resources when processing HTTP/2 requests with trace/debug enabled can result in denial of service (DoS) attacks. Malicious hackers need only send specially crafted requests to complete the attack. This is a medium severity vulnerability that received a score of 6.5/10.

CVE-2020-9490: This flaw exists due to insufficient validation of user-provided input when processing the Cache-Digest header in an HTTP/2 request, which could lead to DoS attacks if the hacker succeeds in activating the server and sending HTTP/2 PUSH requests.

The flaw received a CVSS score of 6.5/10, the network security course specialists mentioned.

The versions vulnerable to these three flaws are: 2.4.20, 2.4.21, 2.4.22, 2.4.23, 2.4.24, 2.4.25, 2.4.26, 2.4.27, 2.4.28, 2.4.29, 2.4.32, 2.4.33, 2.4.34, 2.4.35, 2.4.36, 2.4.37, 2.4.38, 2.4.39, 2.4.40, 2.4.41, 2.4.42, 2.4.43.

CVE-2020-11985: Insufficient validation of user-provided input would allow IP address spoofing attacks, specialists mentioned. Threat actors could fake a user's IP address, which would be displayed in the logs and passed to PHP scripts.

The following versions of Apache Server are exposed to this flaw: 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6, 2.4.7, 2.4.8, 2.4.9, 2.4.10, 2.4.11, 2.4.12, 2.4.13, 2.4.14, 2.4.15, 2.4.16, 2.4.17, 2.4.18, 2.4.19, 2.4.20, 2.4.21, 2.4.22, 2.4.23.

This is a medium severity vulnerability that received a score of 5.7/10.

While all reported vulnerabilities could be exploited remotely by unauthenticated threat actors, experts have not detected exploitation attempts in real-world scenarios or the existence of an exploit linked to these attacks. Updates are now available, so Apache deployment administrators are advised to upgrade as soon as possible.
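
One way to triage a server inventory against the version lists above, as an added example that is not part of the original report. The host names and banners are constructed, and the function names are hypothetical.

```python
import re

# Affected 2.4.x patch levels, copied from the version lists in the article.
# 2.4.30 and 2.4.31 are not in the article's list, so they are not flagged.
FIRST_LIST = set(range(20, 30)) | set(range(32, 44))
AFFECTED = {
    "CVE-2020-11984": FIRST_LIST,         # mod_proxy_uwsgi
    "CVE-2020-11993": FIRST_LIST,         # HTTP/2 with trace/debug enabled
    "CVE-2020-9490": FIRST_LIST,          # HTTP/2 Cache-Digest header
    "CVE-2020-11985": set(range(1, 24)),  # IP address spoofing
}
VERSION_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")

def parse_version(banner):
    """Extract (major, minor, patch) from `httpd -v` output or a Server header."""
    m = VERSION_RE.search(banner)
    return tuple(int(part) for part in m.groups()) if m else None

def cves_for(banner):
    """Return the article's CVEs listed for this banner; None if no version shown."""
    version = parse_version(banner)
    if version is None:
        return None  # e.g. ServerTokens Prod hides the version: check by hand
    major, minor, patch = version
    if (major, minor) != (2, 4):
        return []  # the article lists 2.4.x releases only
    return sorted(cve for cve, patches in AFFECTED.items() if patch in patches)

def triage(inventory):
    """Map each host to its candidate CVEs."""
    return {host: cves_for(banner) for host, banner in inventory.items()}

# Constructed inventory: host names and banners are made up for this example.
INVENTORY = {
    "web-01": "Server version: Apache/2.4.18 (Ubuntu)",
    "web-02": "Server: Apache/2.4.23 (Unix) OpenSSL/1.0.2k",
    "web-03": "Apache/2.4.43 (Debian)",
    "web-04": "Server: Apache/2.4.46 (Unix)",
    "web-05": "Server: Apache",
}

if __name__ == "__main__":
    # A version match is a lead, not proof: distribution packages can carry
    # backported fixes, and the affected module may not be loaded.
    for host, cves in triage(INVENTORY).items():
        print(host, "unknown version" if cves is None else cves or "not listed")
```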