Apache Server Vulnerability Allows Attackers to Execute Code Remotely Without Authentication

An Apache HTTP server buffer overflow vulnerability could allow attackers to execute code remotely, according to an advisory by the Zero Day Initiative.

The vulnerability can be exploited without authentication by attackers, as the flaw is found in the “mod_status” module.

“A race condition in mod_status allows an attacker to disclose information or corrupt memory with several requests to endpoints with handler server-status and other endpoints,” said the advisory. “By abusing this flaw, an attacker can possibly disclose credentials or leverage this situation to achieve remote code execution.”

The vulnerability has received the CVE-2014-0226 ID as the heap_buffer_overflow bug could allow denial of service or arbitrary code execution. Also, according to NIST`s Vulnerability Database, the attacker`s request can trigger “improper scoreboard handling within the status_handler function in modules/generators/mod_status.c and the lua_ap_scoreboard_worker function in modules/lua/lua_request.c.”

By way of explanation, the “mod_status” module provides the server administrator with performance information. The performance statistics are presented into a HTML page, as another page provides updates on the server`s current state.

The status module provides data on the number of idle workers, worker serving requests or their status and number of requests each worker performed.

It gives details on how much traffic the server handled, how many times it booted/restarted and running time. It also handles CPU usage of each worker, current hosts and processed requests, and the number of served bytes per second or per request.

The researcher credited with the finding of this vulnerability is Marek Kroemeke.

Apache HTTP server administrators are advised to update their servers, as the impacted versions are from 2.0 to 2.4.10.