===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.0818
       Two vulnerabilities have been identified in Apache Subversion
                               1 April 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Apache Subversion
Publisher:         The Apache Software Foundation
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Denial of Service              -- Remote/Unauthenticated
                   Provide Misleading Information -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-0251 CVE-2015-0248

Original Bulletin: 
   http://subversion.apache.org/security/CVE-2015-0248-advisory.txt
   http://subversion.apache.org/security/CVE-2015-0251-advisory.txt

Comment: This bulletin contains two (2) Apache Software Foundation
         security advisories.

         While updated releases are available, patches that correct both
         vulnerabilities can also be found at the original advisory URLs.

--------------------------BEGIN INCLUDED TEXT--------------------

  Subversion mod_dav_svn and svnserve are vulnerable to a remotely triggerable
  assertion DoS vulnerability for certain requests with dynamically evaluated
  revision numbers.

Summary:
========

  Subversion's mod_dav_svn and svnserve servers will trigger an assertion
  while processing some requests with special parameters, which are evaluated
  on the server side.  The failed assertion will cause the svnserve process,
  or the process hosting the mod_dav_svn module (Apache), to abort.

  This can lead to a DoS.  There are no known instances of this problem
  being exploited in the wild, but an exploit has been tested.

Known vulnerable:
=================

  Subversion servers 1.6.0 through 1.7.19 (inclusive)
  Subversion servers 1.8.0 through 1.8.11 (inclusive)

Known fixed:
============

  Subversion 1.7.20
  Subversion 1.8.13

  Subversion 1.8.12 was not publicly released.

Details:
========

  Subversion's http:// and svn:// protocol support includes certain request
  types with parameters, which are evaluated on the server side.  As an
  example, sometimes clients need to trace the history of the object to its
  origin, while not knowing the exact value of the origin (revision number)
  prior to issuing the request.

  Certain parameter combinations can exploit this behavior and force a server
  into attempting an operation with invalid arguments.  Subversion servers
  guard against these situations with assertion statements, and the default
  behavior for a failed assertion is to abort the current process.

Severity:
=========

  CVSSv2 Base Score: 5.0
  CVSSv2 Base Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

  We consider this to be a medium risk vulnerability.

  Apache HTTPD servers with repositories that allow anonymous reads will be
  vulnerable without authentication.  Many Apache servers will respawn the
  listener processes, but a determined attacker will be able to crash these
  processes as they appear, denying service to legitimate users.  On servers
  using threaded MPMs, the crash also closes the connections of the other
  clients being served by the same process that handled the attacker's
  request.  In either case there is the added processing cost of restarting
  a process and of losing its per-process caches.

  Exploiting this behavior against svnserve does not require an attacker to
  authenticate.  A remote attacker can cause the svnserve process to
  terminate and thus deny service to users of the server.

  Unfortunately, no special configuration is required and all mod_dav_svn
  and svnserve servers are vulnerable.

Recommendations:
================

  We recommend that all users upgrade to Subversion 1.8.13.  Users of
  Subversion 1.7.x or 1.8.x who are unable to upgrade may apply the
  included patch.

  New Subversion packages can be found at:
  http://subversion.apache.org/packages.html

  No known workarounds are available.

References:
===========

  CVE-2015-0248  (Subversion)

Reported by:
============

  Evgeny Kotkov, VisualSVN

---------------------------------------------------------------------------------

  Subversion HTTP servers allow spoofing svn:author property values
  for new revisions.

Summary:
========

  Subversion's mod_dav_svn server allows setting arbitrary svn:author
  property values when committing new revisions.  This can be accomplished
  using a specially crafted sequence of requests.  An evil-doer can fake
  svn:author values on his commits.  However, as authorization rules are
  applied to the evil-doer's true username, forged svn:author values can
  only appear on commits that touch the paths the evil-doer already has
  write access to.

  Doing so does not grant any additional access and does not circumvent the
  standard Apache authentication or authorization mechanisms.  Still, an
  ability to spoof svn:author property values can impact data integrity in
  environments that rely on these values.

  There are no known instances of the problem being exploited in the wild,
  but an exploit has been tested.

Known vulnerable:
=================

  Subversion HTTPD servers 1.5.0 through 1.7.19 (inclusive)
  Subversion HTTPD servers 1.8.0 through 1.8.11 (inclusive)

Known fixed:
============

  Subversion 1.7.20
  Subversion 1.8.13
  svnserve (any version) is not vulnerable

  Subversion 1.8.12 was not publicly released.

Details:
========

  The Subversion http://-based protocol used for communicating with
  a Subversion mod_dav_svn server has two versions, v1 and v2.  The v2
  protocol was added in Subversion 1.7.0, but the server allows using both
  protocol versions for compatibility reasons.  When a commit happens, the
  client sends a sequence of requests (POST, PUT, MERGE, etc.) that depend
  on the negotiated protocol version.

  Usually, a server uses the name of the authenticated user as the svn:author
  value for a new revision.  However, with a specially handcrafted v1 request
  sequence, a client can instruct the server to use an svn:author property
  value that the client itself supplies.  In this case, the server will use
  an arbitrary value coming from the client instead of the svn:author value
  originating from the authentication mechanism.

Severity:
=========

  CVSSv2 Base Score: 3.5
  CVSSv2 Base Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N

  We consider this to be a medium risk vulnerability.

  An attacker needs to have commit access to the repository to exploit the
  vulnerability.  The ability to spoof svn:author property values can impact
  data integrity in environments that expect the values to denote the actual
  commit author.  The real ID of the author could still be determined using
  server access logs.  However, it is also possible that a spoofed change
  could go in unnoticed.

  Subversion's repository hooks might see the real ID of the author or the
  forged value, depending on the hook type and the hook contents:

  - A start-commit hook will see the real username in the USER argument
  - A start-commit hook will see the real username when performing
    'svnlook propget --revprop -t TXN_NAME'
  - A pre-commit hook will see the forged username when performing
    'svnlook propget --revprop -t TXN_NAME'
  - A post-commit hook will see the forged username when performing
    'svnlook propget --revprop -r REV'

  Unfortunately, no special configuration is required and all mod_dav_svn
  servers are vulnerable.
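
  The hook behaviour listed above gives administrators a way to notice a
  forged svn:author before the upgrade lands: start-commit still sees the
  real USER, while pre-commit sees whatever value the client set on the
  transaction.  The following helper functions are an added example, not
  code from the advisory or from the Subversion project; they assume a
  start-commit hook that receives the transaction name as its fourth
  argument (Subversion 1.8) and a hook-private directory
  hooks/txn-authors under the repository, both of which are assumptions.

```sh
# start-commit side: remember which authenticated user opened this txn.
# Usage: record_real_author REPOS USER TXN
record_real_author() {
    repos=$1
    user=$2
    txn=$3
    dir="$repos/hooks/txn-authors"      # assumed hook-private directory
    mkdir -p "$dir"
    printf '%s\n' "$user" > "$dir/$txn"
}

# pre-commit side: compare the recorded user with the txn's svn:author.
# Usage: check_author REPOS TXN CLAIMED_AUTHOR
# Returns 0 when they match (accept the commit), 1 when they differ or
# when no record exists (reject and let the hook print the reason).
check_author() {
    repos=$1
    txn=$2
    claimed=$3
    file="$repos/hooks/txn-authors/$txn"
    if [ ! -f "$file" ]; then
        echo "no authenticated user recorded for txn $txn" >&2
        return 1
    fi
    real=$(cat "$file")
    rm -f "$file"                       # one record per transaction
    if [ "$real" != "$claimed" ]; then
        echo "svn:author '$claimed' does not match authenticated user '$real'" >&2
        return 1
    fi
    return 0
}

# How the hook scripts would call these (argument order is the hook's own):
#   start-commit:  record_real_author "$1" "$2" "$4"
#   pre-commit:    check_author "$1" "$2" \
#                    "$(svnlook propget --revprop -t "$2" "$1" svn:author)"
```

  The advisory lists no workaround for this issue, so this only surfaces a
  mismatch between the authenticated user and the svn:author of a pending
  transaction; the fix is the upgrade to 1.7.20 or 1.8.13.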

Recommendations:
================

  We recommend that all users upgrade to Subversion 1.8.13.  Users of
  Subversion 1.7.x or 1.8.x who are unable to upgrade may apply the
  included patch.

  New Subversion packages can be found at:
  http://subversion.apache.org/packages.html

  No workaround is available.

References:
===========

  CVE-2015-0251  (Subversion)

Reported by:
============

  Ivan Zhakov, VisualSVN

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================