Attacker Value
Low
(1 user assessed)
Exploitability
Low
(1 user assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
5

CVE-2020-11984 — Multiple Vulnerabilities in Apache Web Server Could Allow for Remote Code Execution

Disclosure Date: August 07, 2020
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Discovery
Techniques
Validation
Validated
Initial Access
Techniques
Validation
Validated
Validated

Description

Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE

Add Assessment

7
Ratings
Technical Analysis

The details for this vulnerability were scant from Apache, but this is actually an integer overflow in the mod_proxy_uwsgi Apache module. Specifically, if you send enough headers, you can overflow the packet size that gets encoded into the uWSGI protocol header struct. If you do this, you may be able to coerce the uWSGI middleware service to interpret some of the header data as a new uWSGI packet. uWSGI allows file read and remote code execution as part of the protocol.

Here’s the patch that was silently added from ASF (ignore the 16K comment too, since that is wrong, and it should’ve been 65K):
https://github.com/apache/httpd/commit/fb08e475bf322f081665fa6f9d9e346136df9337#

In practice this is a bit difficult to exploit, but could in theory lead to tasty, tasty shells. The most interesting thing about this vulnerability is that you would interpret the title as an issue that allows for code execution within the context of Apache itself, whereas in reality it is an issue which allows payload stuffing that ultimately can lead to command execution by crafted payloads sent to the uWSGI middleware/backend service that Apache fronts.

CVSS V3 Severity and Metrics
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • apache,
  • canonical,
  • debian,
  • fedoraproject,
  • netapp,
  • opensuse,
  • oracle

Products

  • clustered data ontap -,
  • communications element manager,
  • communications session report manager,
  • communications session route manager,
  • debian linux 10.0,
  • debian linux 9.0,
  • enterprise manager ops center 12.4.0.0,
  • fedora 31,
  • fedora 32,
  • http server,
  • hyperion infrastructure technology 11.1.2.4,
  • instantis enterprisetrack 17.1,
  • instantis enterprisetrack 17.2,
  • instantis enterprisetrack 17.3,
  • leap 15.1,
  • leap 15.2,
  • ubuntu linux 16.04,
  • ubuntu linux 18.04,
  • ubuntu linux 20.04,
  • zfs storage appliance kit 8.8

References

Advisory

Additional Info

Technical Analysis