Low
CVE-2020-11984 — Multiple Vulnerabilities in Apache Web Server Could Allow for Remote Code Execution
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
Add References:
CVE-2020-11984 — Multiple Vulnerabilities in Apache Web Server Could Allow for Remote Code Execution
MITRE ATT&CK
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Topic Tags
Description
Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE
Add Assessment
Ratings
-
Attacker ValueLow
-
ExploitabilityLow
Technical Analysis
The details for this vulnerability were scant from Apache, but this is actually an integer overflow in the mod_proxy_uwsgi Apache module. Specifically, if you send enough headers, you can overflow the packet size that gets encoded into the uWSGI protocol header struct. If you do this, you may be able to coerce the uWSGI middleware service to interpret some of the header data as a new uWSGI packet. uWSGI allows file read and remote code execution as part of the protocol.
Here’s the patch that was silently added from ASF (ignore the 16K comment too, since that is wrong, and it should’ve been 65K):
https://github.com/apache/httpd/commit/fb08e475bf322f081665fa6f9d9e346136df9337#
In practice this is a bit difficult to exploit, but could in theory lead to tasty, tasty shells. The most interesting thing about this vulnerability is that you would interpret the title as an issue that allows for code execution within the context of Apache itself, whereas in reality it is an issue which allows payload stuffing that ultimately can lead to command execution by crafted payloads sent to the uWSGI middleware/backend service that Apache fronts.
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportCVSS V3 Severity and Metrics
General Information
Vendors
- apache,
- canonical,
- debian,
- fedoraproject,
- netapp,
- opensuse,
- oracle
Products
- clustered data ontap -,
- communications element manager,
- communications session report manager,
- communications session route manager,
- debian linux 10.0,
- debian linux 9.0,
- enterprise manager ops center 12.4.0.0,
- fedora 31,
- fedora 32,
- http server,
- hyperion infrastructure technology 11.1.2.4,
- instantis enterprisetrack 17.1,
- instantis enterprisetrack 17.2,
- instantis enterprisetrack 17.3,
- leap 15.1,
- leap 15.2,
- ubuntu linux 16.04,
- ubuntu linux 18.04,
- ubuntu linux 20.04,
- zfs storage appliance kit 8.8
References
Advisory
Additional Info
Technical Analysis
Report as Emergent Threat Response
Report as Exploited in the Wild
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below: