Apache HTTP Server error log terminal escape sequence injection (ApacheEscSeqInjection)

Vuln ID: 11412
Risk Level: Medium risk vulnerability  Medium ApacheEscSeqInjection
Platforms: Apache HTTP Server, Sun Solaris: 8, HP HP-UX: 11.04, RedHat Linux: 7.1, Turbolinux Turbolinux Server: 6.5, Trustix Secure Linux: 1.5, RedHat Linux: 7.2, SuSE SuSE Linux Database Server, SuSE SuSE Linux Connectivity Server, Novell SuSE Linux Enterprise Server: 7.0, Conectiva Linux: 8.0, RedHat Linux: 7.3, Sun Solaris: 9, RedHat Stronghold, Slackware Slackware Linux: 8.1, OpenPKG OpenPKG: CURRENT, Gentoo Linux, SuSE SuSE Linux Office Server, RedHat Linux: 8.0, SUSE SuSE Linux: 8.1, Novell UnitedLinux: 1.0, MandrakeSoft Mandrake Multi Network Firewall: 8.2, Slackware Slackware Linux: current, Turbolinux Turbolinux Advanced Server: 6, Turbolinux Turbolinux Server: 6.1, Turbolinux Turbolinux: 8 Server, Turbolinux Turbolinux: 8 Workstation, Turbolinux Turbolinux: 7 Server, Turbolinux Turbolinux: 7 Workstation, Turbolinux Turbolinux Workstation: 6.0, MandrakeSoft Mandrake Linux Corporate Server: 2.1, Compaq Tru64: 5.1b, MandrakeSoft Mandrake Linux: 9.1, RedHat Enterprise Linux: 2.1 AS, RedHat Enterprise Linux: 2.1 ES, RedHat Enterprise Linux: 2.1 WS, RedHat Linux: 9.0, Slackware Slackware Linux: 9.0, Conectiva Linux: 9.0, Trustix Secure Linux: 2.0, OpenPKG OpenPKG: 1.3, Slackware Slackware Linux: 9.1, SUSE SuSE Linux: 9.0, MandrakeSoft Mandrake Linux: 9.2, SGI IRIX: 2.2.1, SGI IRIX: 2.3, Turbolinux Turbolinux: 10 Desktop, OpenPKG OpenPKG: 2.0, Trustix Secure Linux: 2.1, MandrakeSoft Mandrake Linux: 10.0, SUSE SuSE Linux: 9.1, SuSE SuSE Linux Desktop: 1.0, Apple Mac OS X: 10.2.8, Apple Mac OS X Server: 10.2.8, Apple Mac OS X: 10.3.6, RedHat Linux Advanced Workstation: 2.1 Itanium, Turbolinux Turbolinux Appliance Server: 1.0 Hosting Ed, Turbolinux Turbolinux Appliance Server: 1.0 Workgroup Ed, MandrakeSoft Mandrake Linux: 9.1 PPC, MandrakeSoft Mandrake Linux: 9.2 AMD64, MandrakeSoft Mandrake Linux: 10.0 AMD64, MandrakeSoft Mandrake Linux Corporate Server: 2.1 X86_64, Apple Mac OS X Server: 10.3.6
Description:

Apache HTTP Server fails to filter terminal escape sequences from error logs. Escape sequences are a series of characters that begin with the ASCII (0x1B) sequence and are followed by a series of arguments. If a remote attacker could inject escape sequences into an Apache error log, the attacker could take advantages of weaknesses in many terminal emulator software packages and launch further attacks against remote users. This could include denial of service attacks, file modification, data modification, and possibly the execution of arbitrary commands.
Remedy:

For Red Hat Linux:
Upgrade to the latest httpd package, as listed below. Refer to RHSA-2003:139-07 for more information. See References.

Red Hat 8.0: 2.0.40-11.3 or later
Red Hat 9: 2.0.40-21.1 or later

Upgrade to the latest apache package, as listed below. Refer to RHSA-2003:243-07 for more information. See References.

Red Hat 7.1: 1.3.27-2.7.1 or later
Red Hat 7.2: 1.3.27-2.7.2 or later
Red Hat 7.3: 1.3.27-3 or later

For SGI IRIX:
Apply the patch for this vulnerability, as listed in SGI Security Advisory 20031002-01-U. See References.

For Trustix Secure Linux:
Upgrade to the latest apache package, as listed below. Refer to Trustix Secure Linux Security Advisory #2004-0017 for more information. See References.

Trustix Secure Linux 2.0: 2.0.49-2tr or later
Trustix Secure Linux 2.1: 2.0.49-2tr or later

For Turbolinux:
Upgrade to the latest httpd package, as listed below. Refer to Turbolinux Security Advisory TLSA-2004-11 for more information. See References.

Turbolinux 10 Desktop: 2.0.47-8 or later

For Trustix Secure Linux:
Upgrade to the latest apache package, as listed below. Refer to Trustix Secure Linux Security Advisory #2004-0027 for more information. See References.

Trustix Secure Linux 1.5: 1.3.31-1tr or later

For Conectiva Linux:
Upgrade to the latest apache package, as listed below. Refer to Conectiva Linux Security Announcement CLSA-2004:839. See References.

Conectiva Linux 8: 1.3.28-1U80_3cl or later
Conectiva Linux 9: 2.0.45-2879OU90_6cl or later

For Slackware Linux:
Upgrade to the latest apache package, as listed below. Refer to slackware-security Mailing List, Wed, 12 May 2004 16:54:58 -0700 (PDT) for more information. See References.

Slackware Linux 8.1 and 9.0: 1.3.29-i386-2 or later
Slackware Linux 9.1: 1.3.29-i486-2 or later
Slackware Linux -current: 1.3.31-i486-1

For Mandrake Linux:
Upgrade to the latest apache package, as listed below. Refer to MandrakeSoft Security Advisory MDKSA-2004:046 : apache for more information. See References.

Mandrake Linux 9.1: 1.3.27_1.3.4-7.1.91mdk or later
Mandrake Linux 9.2: 1.3.28_1.3.4-1.1.92mdk or later
Mandrake Linux Multi Network Firewall 8.2: 1.3.23-4.4.M82mdk or later
Mandrake Linux Corporate Server 2.1: 1.3.26-7.1.C21mdk or later
Mandrake Linux 10.0: 1.3.29-1.1.100mdk or later

For Gentoo Linux:
Upgrade to the latest version of apache (1.3.31 or later), as listed in GLSA 200405-22. See References.

For HP Tru64 UNIX 5.1B:
Apply the appropriate Early Release Patches (ERPs) for your system, as listed in HP Security Bulletin HPSBTU01049. See References.

For HP-UX B.11.04 with Virtualvault 4.7, Virtualvault 4.6, or Virtualvault 4.5:
Apply the appropriate patches for your system, as listed in HP Security Bulletin HPSBUX01069. See References.

For Sun Solaris:
Apply the appropriate patch for your system, as listed below. Refer to Sun Alert ID: 57628 for more information. See References.

SPARC Platform
Solaris 8 with patch 116973-01 or later
Solaris 9 with patch 113146-05 or later

x86 Platform
Solaris 8 with patch 116974-01 or later
Solaris 9 with patch 114145-04 or later

For Mac OS:
Apply Security Update 2004-12-02, as listed in AppleCare Knowledge Base Document 61798. See References.

For OpenPKG:
Refer to OpenPKG Security Advisory OpenPKG-SA-2004.021 for patch, upgrade, or suggested workaround information. See References.

For other distributions:
Contact your vendor for upgrade or patch information.
False Positives:
False Negatives: If the apache server configuration has been modified to exclude version information in initial response banner then a false negative condition maybe reported.
Required Permission:
Additional Information:

References:

VulnWatch Mailing List, Mon Feb 24 2003 - 15:02:52 CST
Terminal Emulator Security Issues
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0093.html

RHSA-2003:139-07
Updated httpd packages fix security vulnerabilities.
https://rhn.redhat.com/errata/RHSA-2003-139.html

RHSA-2003:243-07
Updated Apache and mod_ssl packages fix security vulnerabilities
https://rhn.redhat.com/errata/RHSA-2003-243.html

SGI Security Advisory 20031002-01-U
SGI Advanced Linux Environment security update #3
ftp://patches.sgi.com/support/free/security/advisories/20031002-01-U.asc

CIAC Information Bulletin N-146
Apache 2.0.47 Release Fixes Security Vulnerabilities
http://www.ciac.org/ciac/bulletins/n-146.shtml

Packet Storm Web Site
apache2049.txt
http://packetstormsecurity.nl/0403-advisories/apache2049.txt

Trustix Secure Linux Security Advisory #2004-0017
apache
http://www.linuxsecurity.com/content/view/105880/109/

Turbolinux Security Advisory TLSA-2004-11
httpd
http://www.turbolinux.com/security/2004/TLSA-2004-11.txt

Conectiva Linux Security Announcement CLSA-2004:839
DoS in mod_ssl and log escape sequences vulnerability
http://distro.conectiva.com/atualizacoes/index.php?id=a&anuncio=000839

CIAC Information Bulletin O-128
Apache HTTP Server 2.0.49 Release Fixes Security Vulnerabilities
http://www.ciac.org/ciac/bulletins/o-128.shtml

CIAC Information Bulletin O-138
Apple Mac OS X Jaguar and Panther Security Vulnerabilities
http://www.ciac.org/ciac/bulletins/o-138.shtml

slackware-security Mailing List, Wed, 12 May 2004 16:54:58 -0700 (PDT)
apache (SSA:2004-133-01)
http://www.slackware.org/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.529643

Trustix Secure Linux Security Advisory #2004-0027
apache
http://www.linuxsecurity.com/content/view/106042/109/

MandrakeSoft Security Advisory MDKSA-2004:046 : apache
apache
http://wwwnew.mandriva.com/security/advisories?name=MDKSA-2004:046

GLSA 200405-22
Apache 1.3: Multiple vulnerabilities
http://www.linuxsecurity.com/content/view/106111/104/

HP Security Bulletin HPSBTU01049
SSRT4717 rev.0 HP Tru64 UNIX SSL/TLS Potential Remote Denial of Service (DoS)
http://www.securitylab.ru/45885.html

CIAC Information Bulletin O-128
Apache HTTP Server 2.0.49 Release Fixes Security Vulnerabilities [REVISED 7 July 2004]
http://www.ciac.org/ciac/bulletins/o-128.shtml

CIAC Information Bulletin O-128
Apache HTTP Server 2.0.49 Release Fixes Security Vulnerabilities [REVISED 4 Aug 2004]
http://www.ciac.org/ciac/bulletins/o-128.shtml

HP Security Bulletin HPSBUX01069
SSRT4789 rev. 0 HP-UX Apache server remote Denial of Service and bypassing access restrictions
http://www.securitylab.ru/47044.html

Sun Alert ID: 57628
Security Vulnerabilities in the Apache Web Server and Apache Modules
http://sunsolve.sun.com/search/document.do?assetkey=1-26-57628-1&searchclause=

Sun Alert ID: 57628
Security Vulnerabilities in the Apache Web Server and Apache Modules
http://sunsolve.sun.com/search/document.do?assetkey=1-26-57628-1&searchclause=

CIAC Information Bulletin P-049
Apple Security Update 2004-12-02
http://www.ciac.org/ciac/bulletins/p-049.shtml

AppleCare Knowledge Base Document 61798
Security Update 2004-12-02
http://docs.info.apple.com/article.html?artnum=61798

OpenPKG-SA-2004.021
apache
http://www.openpkg.org/security/advisories/OpenPKG-SA-2004.021-apache.html

ISS X-Force
Apache HTTP Server error log terminal escape sequence injection
http://www.iss.net/security_center/static/11412.php

CVE CVE-2003-0020
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0020
X-Force Logo
Know Your Risks		 Mitre.org CVE Logo
Common Vulnerabilties & Exposures