Attacker Value
Low
(1 user assessed)
Exploitability
Low
(1 user assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
6

CVE-2020-11984 — Multiple Vulnerabilities in Apache Web Server Could Allow for Remote Code Execution

Disclosure Date: August 07, 2020
CVE-2020-11984 CVSS v3 Base Score: 9.8
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Discovery
Techniques
Validation
Validated
Initial Access
Techniques
Validation
Validated
Validated

Description

Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE

Add Assessment

7
Ratings
  • Attacker Value
    Low
  • Exploitability
    Low
UnauthenticatedDifficult to weaponizeVulnerable in uncommon configuration
Technical Analysis

The details for this vulnerability were scant from Apache, but this is actually an integer overflow in the mod_proxy_uwsgi Apache module. Specifically, if you send enough headers, you can overflow the packet size that gets encoded into the uWSGI protocol header struct. If you do this, you may be able to coerce the uWSGI middleware service to interpret some of the header data as a new uWSGI packet. uWSGI allows file read and remote code execution as part of the protocol.

Here’s the patch that was silently added from ASF (ignore the 16K comment too, since that is wrong, and it should’ve been 65K):
https://github.com/apache/httpd/commit/fb08e475bf322f081665fa6f9d9e346136df9337#

In practice this is a bit difficult to exploit, but could in theory lead to tasty, tasty shells. The most interesting thing about this vulnerability is that you would interpret the title as an issue that allows for code execution within the context of Apache itself, whereas in reality it is an issue which allows payload stuffing that ultimately can lead to command execution by crafted payloads sent to the uWSGI middleware/backend service that Apache fronts.

Log in to Add Reply
CVSS V3 Severity and Metrics
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Offensive Application
remote
Utility Class
rce
Ports
Unknown
OS
Unknown
Vulnerable Versions
Apache HTTP Server 2.4.32 to 2.4.44
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • apache,
  • canonical,
  • debian,
  • fedoraproject,
  • netapp,
  • opensuse,
  • oracle

Products

  • clustered data ontap -,
  • communications element manager,
  • communications session report manager,
  • communications session route manager,
  • debian linux 10.0,
  • debian linux 9.0,
  • enterprise manager ops center 12.4.0.0,
  • fedora 31,
  • fedora 32,
  • http server,
  • hyperion infrastructure technology 11.1.2.4,
  • instantis enterprisetrack 17.1,
  • instantis enterprisetrack 17.2,
  • instantis enterprisetrack 17.3,
  • leap 15.1,
  • leap 15.2,
  • ubuntu linux 16.04,
  • ubuntu linux 18.04,
  • ubuntu linux 20.04,
  • zfs storage appliance kit 8.8

References

Canonical
CVE-2020-11984 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11984)
Advisory
https://httpd.apache.org/security/vulnerabilities_24.html
[oss-security] 20200808 Re: CVE-2020-11984: Apache httpd: mod_uwsgi buffer overlow (http://www.openwall.com/lists/oss-security/2020/08/08/1)
GLSA-202008-04 (https://security.gentoo.org/glsa/202008-04)
[oss-security] 20200808 Re: CVE-2020-11984: Apache httpd: mod_uwsgi buffer overlow (http://www.openwall.com/lists/oss-security/2020/08/08/10)
[oss-security] 20200808 Re: CVE-2020-11984: Apache httpd: mod_uwsgi buffer overlow (http://www.openwall.com/lists/oss-security/2020/08/08/8)
[oss-security] 20200808 Re: CVE-2020-11984: Apache httpd: mod_uwsgi buffer overlow (http://www.openwall.com/lists/oss-security/2020/08/08/9)
[oss-security] 20200810 Re: CVE-2020-11984: Apache httpd: mod_uwsgi buffer overlow (http://www.openwall.com/lists/oss-security/2020/08/10/5)
[httpd-dev] 20200811 Which version fixed the CVE-2020-9490, CVE-2020-11984 and CVE-2020-11993 vulnerabilities? (https://lists.apache.org/thread.html/r5debe8f82728a00a4a68bc904dd6c35423bdfc8d601cfb4579f38bf1@%3Cdev.httpd.apache.org%3E)
[httpd-dev] 20200811 Re: Which version fixed the CVE-2020-9490, CVE-2020-11984 and CVE-2020-11993 vulnerabilities? (https://lists.apache.org/thread.html/r623de9b2b2433a87f3f3a15900419fc9c00c77b26936dfea4060f672@%3Cdev.httpd.apache.org%3E)
https://security.netapp.com/advisory/ntap-20200814-0005
[oss-security] 20200817 Re: CVE-2020-11984: Apache httpd: mod_uwsgi buffer overlow (http://www.openwall.com/lists/oss-security/2020/08/17/2)
USN-4458-1 (https://usn.ubuntu.com/4458-1)
http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00068.html
http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00071.html
FEDORA-2020-189a1e6c3e (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HYVYE2ZERFXDV6RMKK3I5SDSDQLPSEIQ)
DSA-4757 (https://www.debian.org/security/2020/dsa-4757)
[debian-lts-announce] 20200902 [SECURITY] [DLA 2362-1] uwsgi security update (https://lists.debian.org/debian-lts-announce/2020/09/msg00001.html)
FEDORA-2020-0d3d3f5072 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A2RN46PRBJE7E7OPD4YZX5SVWV5QKGV5)
https://security.netapp.com/advisory/ntap-20200814-0005/
USN-4458-1 (https://usn.ubuntu.com/4458-1/)
FEDORA-2020-189a1e6c3e (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HYVYE2ZERFXDV6RMKK3I5SDSDQLPSEIQ/)
FEDORA-2020-0d3d3f5072 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A2RN46PRBJE7E7OPD4YZX5SVWV5QKGV5/)
[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/ (https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E)
[httpd-cvs] 20210330 svn commit: r1073143 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/ (https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf@%3Ccvs.httpd.apache.org%3E)
[httpd-cvs] 20210330 svn commit: r1888194 [13/13] - /httpd/site/trunk/content/security/json/ (https://lists.apache.org/thread.html/r09bb998baee74a2c316446bd1a41ae7f8d7049d09d9ff991471e8775@%3Ccvs.httpd.apache.org%3E)
[httpd-cvs] 20210330 svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html (https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a@%3Ccvs.httpd.apache.org%3E)
[httpd-cvs] 20210330 svn commit: r1073139 [12/13] - in /websites/staging/httpd/trunk/content: ./ security/json/ (https://lists.apache.org/thread.html/r03ee478b3dda3e381fd6189366fa7af97c980d2f602846eef935277d@%3Ccvs.httpd.apache.org%3E)
[httpd-cvs] 20210330 svn commit: r1888199 - /httpd/site/trunk/content/security/vulnerabilities-httpd.xml (https://lists.apache.org/thread.html/r34753590ae8e3f2b6af689af4fe84269b592f5fda9f3244fd9abbce8@%3Ccvs.httpd.apache.org%3E)
[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/ (https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E)
[httpd-cvs] 20210330 svn commit: r1073149 [13/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/ (https://lists.apache.org/thread.html/r3c5c3104813c1c5508b55564b66546933079250a46ce50eee90b2e36@%3Ccvs.httpd.apache.org%3E)
[httpd-cvs] 20210330 svn commit: r1073171 - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-11984.json security/json/CVE-2020-11993.json security/vulnerabilities_24.html (https://lists.apache.org/thread.html/rf71eb428714374a6f9ad68952e23611ec7807b029fd6a1b4f5f732d9@%3Ccvs.httpd.apache.org%3E)
[httpd-cvs] 20210330 svn commit: r1888228 - in /httpd/site/trunk/content/security/json: CVE-2020-11984.json CVE-2020-11993.json (https://lists.apache.org/thread.html/r2c6083f6a2027914a0f5b54e2a1f4fa98c03f8693b58460911818255@%3Ccvs.httpd.apache.org%3E)
[httpd-cvs] 20210606 svn commit: r1075470 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html (https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d@%3Ccvs.httpd.apache.org%3E)
Miscellaneous
http://packetstormsecurity.com/files/159009/Apache2-mod_proxy_uwsgi-Incorrect-Request-Handling.html
https://www.oracle.com/security-alerts/cpuoct2020.html
https://www.oracle.com/security-alerts/cpujan2021.html

Additional Info

Authenticated
Never
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis