-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.0818
        Two vulnerabilities have been identified in Apache Subversion
                               1 April 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Apache Subversion
Publisher:         The Apache Software Foundation
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Denial of Service              -- Remote/Unauthenticated
                   Provide Misleading Information -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-0251 CVE-2015-0248

Original Bulletin:
   http://subversion.apache.org/security/CVE-2015-0248-advisory.txt
   http://subversion.apache.org/security/CVE-2015-0251-advisory.txt

Comment: This bulletin contains two (2) The Apache Software Foundation
         security advisories.

         While updates are currently available, patches to correct both
         vulnerabilities can also be found at the original advisory URLs.

- --------------------------BEGIN INCLUDED TEXT--------------------

  Subversion mod_dav_svn and svnserve are vulnerable to a remotely
  triggerable assertion DoS vulnerability for certain requests with
  dynamically evaluated revision numbers.

Summary:
========

  Subversion's mod_dav_svn and svnserve servers will trigger an assertion
  while processing some requests with special parameters, which are
  evaluated on the server side. The assertion will cause the svnserve
  process or the process hosting the mod_dav_svn module (Apache) to abort.
  This can lead to a DoS.

  There are no known instances of this problem being exploited in the
  wild, but an exploit has been tested.

Known vulnerable:
=================

  Subversion servers 1.6.0 through 1.7.19 (inclusive)
  Subversion servers 1.8.0 through 1.8.11 (inclusive)

Known fixed:
============

  Subversion 1.7.20
  Subversion 1.8.13

  Subversion 1.8.12 was not publicly released.
Details:
========

  Subversion's http:// and svn:// protocol support includes certain
  request types with parameters, which are evaluated on the server side.
  As an example, sometimes clients need to trace the history of an object
  to its origin, while not knowing the exact value of the origin (revision
  number) prior to issuing the request. Certain parameter combinations can
  exploit this behavior and force a server into attempting an operation
  with invalid arguments. Subversion servers guard against these situations
  with assertion statements, and the default behavior for a failed
  assertion is to abort the current process.

Severity:
=========

  CVSSv2 Base Score: 5.0
  CVSSv2 Base Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

  We consider this to be a medium risk vulnerability.

  Apache HTTPD servers with repositories that allow anonymous reads will
  be vulnerable without authentication. Many Apache servers will respawn
  the listener processes, but a determined attacker will be able to crash
  these processes as they appear, denying service to legitimate users.
  Servers using threaded MPMs will close the connection on other clients
  being served by the same process that services the request from the
  attacker. In either case there is an increased processing impact of
  restarting a process and the cost of per-process caches being lost.

  Exploiting this behavior against svnserve does not require an attacker
  to authenticate. A remote attacker can cause the svnserve process to
  terminate and thus deny service to users of the server.

  Unfortunately, no special configuration is required and all mod_dav_svn
  and svnserve servers are vulnerable.

Recommendations:
================

  We recommend that all users upgrade to Subversion 1.8.13. Users of
  Subversion 1.7.x or 1.8.x who are unable to upgrade may apply the
  included patch.

  New Subversion packages can be found at:
  http://subversion.apache.org/packages.html

  No known workarounds are available.
References:
===========

  CVE-2015-0248  (Subversion)

Reported by:
============

  Evgeny Kotkov, VisualSVN

- ---------------------------------------------------------------------------------

  Subversion HTTP servers allow spoofing svn:author property values for
  new revisions.

Summary:
========

  Subversion's mod_dav_svn server allows setting arbitrary svn:author
  property values when committing new revisions. This can be accomplished
  using a specially crafted sequence of requests.

  An evil-doer can fake svn:author values on his commits. However, as
  authorization rules are applied to the evil-doer's true username, forged
  svn:author values can only happen on commits that touch the paths the
  evil-doer has write access to. Doing so does not grant any additional
  access and does not circumvent the standard Apache authentication or
  authorization mechanisms. Still, an ability to spoof svn:author property
  values can impact data integrity in environments that rely on these
  values.

  There are no known instances of the problem being exploited in the wild,
  but an exploit has been tested.

Known vulnerable:
=================

  Subversion HTTPD servers 1.5.0 through 1.7.19 (inclusive)
  Subversion HTTPD servers 1.8.0 through 1.8.11 (inclusive)

Known fixed:
============

  Subversion 1.7.20
  Subversion 1.8.13

  svnserve (any version) is not vulnerable

  Subversion 1.8.12 was not publicly released.

Details:
========

  The Subversion http://-based protocol used for communicating with a
  Subversion mod_dav_svn server has two versions, v1 and v2. The v2
  protocol was added in Subversion 1.7.0, but the server allows using both
  protocol versions for compatibility reasons. When a commit happens, the
  client sends a sequence of requests (POST, PUT, MERGE, etc.) that depend
  on the negotiated protocol version. Usually, a server uses the name of
  the authenticated user as the svn:author value for a new revision.
  However, with a specially handcrafted v1 request sequence, a client can
  instruct the server to use the svn:author property that she/he provided.
  In this case, the server will use an arbitrary value coming from the
  client instead of the svn:author value originating from the
  authentication mechanism.

Severity:
=========

  CVSSv2 Base Score: 3.5
  CVSSv2 Base Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N

  We consider this to be a medium risk vulnerability.

  An attacker needs to have commit access to the repository to exploit the
  vulnerability. The ability to spoof svn:author property values can
  impact data integrity in environments that expect the values to denote
  the actual commit author. The real ID of the author could still be
  determined using server access logs. However, it is also possible that a
  spoofed change could go in unnoticed.

  Subversion's repository hooks might see the real ID of the author or the
  forged value, depending on the hook type and the hook contents:

  - A start-commit hook will see the real username in the USER argument
  - A start-commit hook will see the real username when performing
    'svnlook propget --revprop -t TXN_NAME'
  - A pre-commit hook will see the forged username when performing
    'svnlook propget --revprop -t TXN_NAME'
  - A post-commit hook will see the forged username when performing
    'svnlook propget --revprop -r REV'

  Unfortunately, no special configuration is required and all mod_dav_svn
  servers are vulnerable.

Recommendations:
================

  We recommend that all users upgrade to Subversion 1.8.13. Users of
  Subversion 1.7.x or 1.8.x who are unable to upgrade may apply the
  included patch.

  New Subversion packages can be found at:
  http://subversion.apache.org/packages.html

  No workaround is available.
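The Severity section above notes that the real identity of a committer can still be recovered from the server's access logs even when svn:author was forged. The script below is an added example, not part of the AusCERT bulletin or of the Subversion project, showing how a defender could automate that cross-check after upgrading or while auditing history. It assumes (this is not stated on the page) that Apache was configured with Subversion's operational logging, e.g. `CustomLog logs/svn_logfile "%t %u %{SVN-ACTION}e" env=SVN-ACTION`, so that a successful commit is logged as `[timestamp] user commit rN`, and that the svn:author of each revision has already been collected with a separate tool such as `svnlook author -r N REPO`. All log lines and author values in the block are constructed sample data.

```python
"""
Audit helper: flag revisions whose svn:author differs from the username
that mod_dav_svn authenticated for the commit.

Added example, not code from the bulletin or from Subversion.
Assumptions (not from the page):
  * The log was written by Apache with
      CustomLog logs/svn_logfile "%t %u %{SVN-ACTION}e" env=SVN-ACTION
    so a completed commit appears as: [timestamp] user commit rN
  * svn:author values were gathered separately (e.g. svnlook author -r N REPO)
    into a {revision: author} dict.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample operational-log lines (not real server data).
SAMPLE_LOG = """\
[01/Apr/2015:10:02:17 +1000] alice commit r42
[01/Apr/2015:10:05:03 +1000] bob get-dir /trunk r42 props
[01/Apr/2015:10:09:41 +1000] bob commit r43
[01/Apr/2015:10:15:22 +1000] mallory commit r44
[01/Apr/2015:10:20:00 +1000] carol checkout-or-export /trunk r44
"""

# Constructed svn:author values as svnlook would report them for r42..r44.
# r44 is the spoofed case: the authenticated user was mallory, but the
# revision property claims alice.
SAMPLE_AUTHORS: Dict[int, str] = {42: "alice", 43: "bob", 44: "alice"}

# Only "commit rN" actions carry the authenticated committer we care about.
COMMIT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<user>\S+)\s+commit\s+r(?P<rev>\d+)\s*$"
)


def parse_commit_log(text: str) -> Dict[int, Tuple[str, str]]:
    """Map revision -> (authenticated user, timestamp) for each logged commit."""
    commits: Dict[int, Tuple[str, str]] = {}
    for line in text.splitlines():
        m = COMMIT_RE.match(line)
        if m:
            commits[int(m.group("rev"))] = (m.group("user"), m.group("ts"))
    return commits


def find_spoofed_authors(
    log_text: str, authors: Dict[int, str]
) -> List[Tuple[int, str, str]]:
    """Return (rev, authenticated_user, svn_author) for every mismatch.

    Revisions absent from the log window are skipped rather than reported,
    so the caller can tell "no evidence" apart from "evidence of spoofing".
    """
    commits = parse_commit_log(log_text)
    mismatches: List[Tuple[int, str, str]] = []
    for rev, svn_author in sorted(authors.items()):
        if rev not in commits:
            continue
        user, _ts = commits[rev]
        if user != svn_author:
            mismatches.append((rev, user, svn_author))
    return mismatches


if __name__ == "__main__":
    for rev, user, author in find_spoofed_authors(SAMPLE_LOG, SAMPLE_AUTHORS):
        print(f"r{rev}: committed by '{user}' but svn:author is '{author}'")
```

The `%u` field is the name Apache authenticated, which the advisory identifies as the trustworthy value; svn:author is the value the client can influence on an unpatched server. Because a start-commit hook sees the real name and a pre-commit hook sees the forged one, neither hook can make this comparison on its own, which is why the audit is done against the log.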
References:
===========

  CVE-2015-0251  (Subversion)

Reported by:
============

  Ivan Zhakov, VisualSVN

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information
or advice contained in this security bulletin is the responsibility of
each user or organisation, and should be considered in accordance with
your organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVRs+ShLndAQH1ShLAQIH3hAAqFgwcT6Tcg5Dp47ktQ/nKbTYOYyFuTJf
wFawMMccLxh0B/IFI1J721n3JDbAtr0aC2Y6kceQJWOuXQHxi0JyCPOg26cEuSSl
VJ7ZNcx9IRBDiAim4cxkA1b+uJKJYdTpjSqAPfHp5Q0jgrTAcoF3w4D0lGzVDDJc
vtmnERM6guvrpTxSFQ6EXF7LZdO4PliIgq6cOwHDHuMmSZjPA01nonM1Ovb3gSoO
QJBxIk7kA2kO3RGlmNB/IIHRetCox+DFFY6oIMEgeJ09kuJTlklt9L4oZO1wapso
UWqtbIZ2xTXMKZTZwECNWwnsOTYemcRsVavKGcvskX5aMWnG1042mYt+u+nhocvw
TCZlLhq76uBP5FZONm0MWqt67rh9e4CLCf9HkLk6yrlztwLEnU6s87RYqQB+pfnu
XKlq1viGTdKQxYyLP0sObaZpSXp7dVRr+3jxPrYFJs9HQfEC+LVMBkBviYTfuADH
pJDeKIS6AbFTx1kF1IA2jMnKnOabCtdqxmTq3XsqlQ515xq5sZBAbdJ82uSxw1De
LBK95WgAPH0SYbiZqvf7EhbvdZuS/hakq3bBJPntJ8/sdH1acfnUMBwtxfNVVdGP
HRnm5UG2r0grWeMvGMLKCrb/+CooFavj2ZyDznQO/2pe7dtOIU2F85A75QeD/XV6
9sJMleqwSO4=
=gytv
-----END PGP SIGNATURE-----