Attacker Value: Very Low (1 user assessed)
Exploitability: Very High (1 user assessed)
User Interaction: None
Privileges Required: None
Attack Vector: Network

CVE-2017-9798

Disclosure Date: September 18, 2017
Metasploit Module

Description

Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user’s .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. This affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27. The attacker sends an unauthenticated OPTIONS HTTP request when attempting to read secret data. This is a use-after-free issue and thus secret data is not always sent, and the specific data depends on many factors including configuration. Exploitation with .htaccess can be blocked with a patch to the ap_limit_section function in server/core.c.

Technical Analysis

This vulnerability only happens when the Limit method is defined. This most likely isn’t very common in enterprise environments, and also the Limit method needs to be configured in an invalid way.
Pending all that is true, which is unlikely, it’s possible to send an OPTIONS HTTP request and get back arbitrary memory.
Unlike Heartbleed, we’re receiving back minimal memory and it’s also intermingled with the response.
From my testing, against a test server, no useful data was found. It’s possible a production server on a very busy website may have divulged more useful data, but it would have to be minimal due to the returned buffer size.
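As an added example (not code from the page, the assessor, or the Apache project), a small Python audit of the two preconditions the description and the assessment above name: a Limit/LimitExcept block that uses a method httpd does not register, and an AllowOverride that lets a per-directory .htaccess set Limit at all. It assumes that "configured in an invalid way" means an unregistered method name; the KNOWN_METHODS set, the finding labels and the sample configuration text are my own constructions.

```python
"""Flag the CVE-2017-9798 (Optionsbleed) preconditions in Apache config
text. Added example; the method list below is an assumption."""
import re

# Methods httpd registers by default (assumption: HTTP/1.1 plus the
# WebDAV/DeltaV set). Anything else inside a Limit block is flagged.
KNOWN_METHODS = {
    "GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE",
    "PATCH", "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK",
    "UNLOCK", "VERSION-CONTROL", "CHECKOUT", "UNCHECKOUT", "CHECKIN", "UPDATE",
    "LABEL", "REPORT", "MKWORKSPACE", "MKACTIVITY", "BASELINE-CONTROL", "MERGE",
}
LIMIT_RE = re.compile(r"<(Limit|LimitExcept)\s+([^>]+)>", re.IGNORECASE)
OVERRIDE_RE = re.compile(r"^\s*AllowOverride\s+(.+?)\s*$",
                         re.IGNORECASE | re.MULTILINE)


def audit(config_text, source):
    """Return (source, finding, detail) tuples; an empty list means clean."""
    findings = []
    for m in LIMIT_RE.finditer(config_text):
        for method in m.group(2).split():
            if method.upper() not in KNOWN_METHODS:
                findings.append((source, "unknown-method-in-limit", method))
    for m in OVERRIDE_RE.finditer(config_text):
        opts = {o.lower() for o in m.group(1).split()}
        # "All" or an explicit "Limit" lets a .htaccess file carry the
        # directive; "None" (or a list without Limit) does not.
        if "all" in opts or "limit" in opts:
            findings.append((source, "htaccess-may-set-limit", m.group(1)))
    return findings


# Constructed sample inputs, not taken from any real server.
SAMPLE_HTTPD_CONF = """\
<Directory "/var/www/html">
    AllowOverride Limit FileInfo
    <Limit GET POST>
        Require all granted
    </Limit>
</Directory>
"""
SAMPLE_HTACCESS = """\
<Limit GET POST PROPFINDX>
    Require valid-user
</Limit>
"""
```

Run `audit()` over each real .htaccess and the server config; a clean deployment yields no findings for either check.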

CVSS V3 Severity and Metrics

Base Score: 7.5 High
Impact Score: 3.6
Exploitability Score: 3.9
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): None
Availability (A): None

General Information

Vendors

  • apache
  • debian

Products

  • debian linux 7.0
  • debian linux 8.0
  • debian linux 9.0
  • http server
  • http server 2.4.0
  • http server 2.4.1
  • http server 2.4.10
  • http server 2.4.12
  • http server 2.4.16
  • http server 2.4.17
  • http server 2.4.18
  • http server 2.4.2
  • http server 2.4.20
  • http server 2.4.23
  • http server 2.4.25
  • http server 2.4.26
  • http server 2.4.27
  • http server 2.4.3
  • http server 2.4.4
  • http server 2.4.6
  • http server 2.4.7
  • http server 2.4.9
