NetScreen Security Alert

NetScreen Response to Apache Security Hole CAN-2002-0392

July 31, 2002

Affects: Policy Manager Server


Related Links:
http://httpd.apache.org/info/security_bulletin_20020620.txt
http://httpd.apache.org/info/security_bulletin_20020617.txt

The Policy Manager servers ship with Apache Web Server versions 1.3.9 and 1.3.12, so they are affected by this vulnerability. The most likely outcome of an attack is that the child process handling the current request is terminated (forcing Apache to spawn a replacement child). It is possible, although unproven, that the 1.3.x versions of Apache Web Server could be made to execute arbitrary code. On our Policy Manager servers Apache Web Server runs with a uid of 'nobody', so no root-level code or commands can be run or started through this vulnerability alone. If, however, this exploit is used in conjunction with some other, as yet unknown exploit, root-level code or commands could then be executed. This hole is fixed in the current upgraded versions of Apache Web Server (1.3.26 and 2.0.39).

Procedure to upgrade Apache Web Server on Policy Manager server:

1. Get the patches from the NetScreen Web site located at http://www.juniper.net/support/nscn_support/tao/
2. Move patch files to a locally controlled FTP server.
3. You will need to connect a computer or terminal server to the console port on the Policy Manager server.
4. Open your terminal emulation software, such as HyperTerminal, on the machine connected to the Policy Manager server. Set Bits per Second to 9600, Data Bits to 8, Parity to None, Stop Bits to 1, and Flow Control to None.
5. Log into the Policy Manager server with your root user name and password.
6. At the /> prompt, make or change to an empty working directory: mkdir /apachetmp
7. Shut down the Apache server: /usr/apache/bin/apachectl stop <r>. You should see: apachectl stop: httpd stopped
8. At the /> prompt, change to the working directory: cd /apachetmp
9. On the Policy Manager server, ftp to your FTP server and after successful login, enter: binary <r>
10. Obtain the files using the get command: get nsgpro_apache_1.3.26.tar.gz <r> and get apache_patch.tar.gz <r>
11. On the Policy Manager server, use the gunzip command to unzip the package: gunzip nsgpro_apache_1.3.26.tar.gz <r> and gunzip apache_patch.tar.gz <r>
12. On the Policy Manager server, use the tar command to uncompress the package: tar -xvf nsgpro_apache_1.3.26.tar <r>
13. A directory structure will be created. Enter the top level directory: cd apache_1.3.26
14. Read the README files that come with the installation. The default installation is to run the script: ./install-bindist.sh /usr/apache <r>
15. You will see a message at the end of the update indicating you have successfully installed the Apache 1.3.26 patch.
16. To verify that the patch was updated successfully enter: /usr/apache/bin/httpd -v <r> You should see: Server version: Apache/1.3.26 (Unix).
17. Go back to the working directory: cd /apachetmp
18. Use the tar command to uncompress the package: tar -xvf apache_patch.tar <r>
19. The archive contains two files: http.conf and patch-http.
20. Run the script ./patch-http <r>
21. You will see a message that the Apache server has been successfully patched and restarted.
22. Launch a web browser pointing to the Policy Manager server IP address. You should see the web installation page for the console(s).
23. On the Policy Manager server, remove the temporary directory: rm -rf /apachetmp
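Steps 6 through 23 as a POSIX sh script. This is an added example, not NetScreen's own patch or install script: it assumes a POSIX shell is available on the Policy Manager server, that the two archives have already been fetched into /apachetmp (the interactive FTP steps 9 and 10), and that /usr/apache/bin/httpd -v prints the version on its first line; the function names are this example's own. The version helpers are the part worth keeping even if you run the steps by hand: they parse the httpd -v output and refuse to apply the configuration patch unless the installed release is at or past the fixed version for its branch (1.3.26 for 1.3.x, 2.0.39 for 2.0.x), which is the check step 16 asks you to make by eye.

```sh
#!/bin/sh
# Added example (not NetScreen's script). Paths, archive names and the fixed
# Apache versions come from the advisory above; function names are assumptions.

# Extract "1.3.26" from a line such as "Server version: Apache/1.3.26 (Unix)".
# Prints nothing if the line is not a "Server version:" line.
parse_httpd_version() {
    printf '%s\n' "$1" | sed -n 's#^Server version: Apache/\([0-9][0-9.]*\).*#\1#p'
}

# Return 0 if dotted version $1 is greater than or equal to $2, comparing
# field by field as numbers (so 1.3.26 > 1.3.9, which a string compare gets wrong).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ -z "$x" ]; then x=0; fi
        if [ -z "$y" ]; then y=0; fi
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
    done
    return 0
}

# Return 0 if the reported Apache version is at or past the release that fixes
# CAN-2002-0392 for its branch; unknown branches or unparsable input return 1.
httpd_is_fixed() {
    v=$(parse_httpd_version "$1")
    [ -n "$v" ] || return 1
    case "$v" in
        1.3.*) version_ge "$v" 1.3.26 ;;
        2.0.*) version_ge "$v" 2.0.39 ;;
        *) return 1 ;;
    esac
}

# Steps 6-8 and 11-23, run as root on the console. Stops at the first failing
# step rather than leaving a half-installed server, and only applies the
# configuration patch once the new httpd actually reports a fixed version.
upgrade_apache() {
    set -e
    work=/apachetmp
    /usr/apache/bin/apachectl stop
    cd "$work"
    gunzip -f nsgpro_apache_1.3.26.tar.gz apache_patch.tar.gz
    tar -xvf nsgpro_apache_1.3.26.tar
    (cd apache_1.3.26 && ./install-bindist.sh /usr/apache)
    ver=$(/usr/apache/bin/httpd -v | head -1)
    if ! httpd_is_fixed "$ver"; then
        echo "httpd still reports: $ver" >&2
        return 1
    fi
    tar -xvf apache_patch.tar
    ./patch-http
    cd /
    rm -rf "$work"
}

# Only perform the upgrade when explicitly asked ("sh upgrade.sh run");
# otherwise the script just defines the helpers for use elsewhere.
if [ "${1:-}" = "run" ]; then
    upgrade_apache
fi
```

The numeric field comparison in version_ge matters here because the shipping versions are 1.3.9 and 1.3.12: a plain string comparison would rank 1.3.9 above 1.3.26 and wave the old server through.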