Monday, March 09, 2015

Security flaws create Indian Spring for Apache users

Spring has been getting rather unseasonably hot for Apache users as far as security flaws go. First there was news of how the FREAK (Factoring Attack on RSA-EXPORT Keys) vulnerability could impact Apache. For more on FREAK, see this excellent analysis by Matthew Green, a cryptographer and research professor at Johns Hopkins University. Green points out that "Apache mod_ssl by default will generate a single export-grade RSA key when the server starts up, and will simply re-use that key for the lifetime of that server. What this means is that you can obtain that RSA key once, factor it, and break every session you can get your 'man in the middle' mitts on until the server goes down." How serious FREAK is remains open to plenty of debate in the IT security world right now, what with both clients and servers being patched and the technicalities of the attack being less than straightforward for non-state-sponsored actors in the real world.

However, that still leaves the second bit of bad news on the Apache front: ActiveMQ LDAP wildcard interpretation. Researchers from MWR InfoSecurity Labs have identified two weaknesses in the way Apache ActiveMQ performs LDAP authentication. The vulnerabilities allow an attacker either to leverage the unauthenticated authentication mechanism, when the remote LDAP service supports it, or to abuse an LDAP wildcard expansion weakness. The unauthenticated authentication mechanism may be used to perform an unauthenticated Bind with an LDAP service. The wildcard interpretation weakness allows for brute forcing a password for an unknown but valid account, as opposed to brute forcing a combination of username and password.
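To make the two LDAP weaknesses concrete from the defender's side, here is an added example (not code from the post, from ActiveMQ or from MWR) showing the two checks an LDAP login path needs: RFC 4515 escaping of the username before it is placed in a search filter, so a `*` in the supplied name is matched literally rather than expanded as a wildcard, and rejection of empty passwords, so an "unauthenticated" Bind that the directory accepts as anonymous is never treated as a successful login. The `(uid=...)` filter template, the in-memory `SAMPLE_DIRECTORY` and the toy `search` matcher that stands in for the remote LDAP server are all constructed for the example.

```python
import re

# Constructed stand-in for a remote LDAP service: uid -> password.
# Not real accounts or credentials.
SAMPLE_DIRECTORY = {
    "alice": "correct horse battery staple",
    "bob": "hunter2",
    "carol": "Tr0ub4dor&3",
}

# RFC 4515 section 3: characters that must be escaped inside a filter value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_ldap_filter_value(value):
    """Escape a user-supplied value so it can only ever match literally."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username):
    """Build the lookup filter. The (uid=...) template is an assumption."""
    return "(uid=%s)" % escape_ldap_filter_value(username)


def _pattern_to_regex(pattern):
    """Toy server-side semantics: '*' is a wildcard, '\\xx' escapes are literals."""
    parts = []
    for segment in pattern.split("*"):
        literal = re.sub(r"\\([0-9a-fA-F]{2})",
                         lambda m: chr(int(m.group(1), 16)), segment)
        parts.append(re.escape(literal))
    return re.compile("^" + ".*".join(parts) + "$")


def search(directory, ldap_filter):
    """Evaluate a single (uid=...) filter against the toy directory."""
    m = re.fullmatch(r"\(uid=(.*)\)", ldap_filter)
    if not m:
        return []
    rx = _pattern_to_regex(m.group(1))
    return sorted(uid for uid in directory if rx.match(uid))


def authenticate(directory, username, password):
    """Hardened login: no empty-password Bind, no wildcard lookups, exactly one hit."""
    if not password:
        # RFC 4513 5.1.2: a name with an empty password is an unauthenticated
        # Bind; a server may answer success for an anonymous session, so the
        # application must refuse it before ever talking to the directory.
        return False
    matches = search(directory, build_user_filter(username))
    if len(matches) != 1:
        # Zero hits: unknown user. More than one: the filter was not specific
        # enough, which escaping should already have prevented.
        return False
    # Stand-in for the second Bind as the resolved entry's DN.
    return directory[matches[0]] == password


if __name__ == "__main__":
    # Unescaped input lets a single request match every account ...
    print(search(SAMPLE_DIRECTORY, "(uid=*)"))
    # ... while the escaped filter matches only a user literally named "*".
    print(search(SAMPLE_DIRECTORY, build_user_filter("*")))
    print(authenticate(SAMPLE_DIRECTORY, "alice", "correct horse battery staple"))
    print(authenticate(SAMPLE_DIRECTORY, "alice", ""))
```

The contrast to watch is `search(SAMPLE_DIRECTORY, "(uid=*)")`, which returns every entry, against `search(SAMPLE_DIRECTORY, build_user_filter("*"))`, which returns nothing: with escaping in place a supplied wildcard can no longer widen a lookup to "any valid account", which is exactly what the password brute force described above relies on. The empty-password check addresses the other weakness independently, so keep both even if the directory is configured to reject unauthenticated Binds.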