CVE-2014-0226

Apache httpd mod_status Heap Buffer Overflow Remote Code Execution Vulnerability

Severity Score

6.8

*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Race condition in the mod_status module in the Apache HTTP Server before 2.4.10 allows remote attackers to cause a denial of service (heap-based buffer overflow), or possibly obtain sensitive credential information or execute arbitrary code, via a crafted request that triggers improper scoreboard handling within the status_handler function in modules/generators/mod_status.c and the lua_ap_scoreboard_worker function in modules/lua/lua_request.c.

Condición de carrera en el módulo mod_status en Apache HTTP Server anterior a 2.4.10 permite a atacantes remotos causar una denegación de servicio (desbordamiento de buffer basado en memoria dinámica), o posiblemente obtener información sensible de credenciales o ejecutar código arbitrario, a través de una solicitud manipulada que provoca el manejo indebido de la tabla de clasificación (scoreboard) dentro de la función status_handler en modules/generators/mod_status.c y la función lua_ap_scoreboard_worker en modules/lua/lua_request.c.

A race condition flaw, leading to heap-based buffer overflows, was found in the mod_status httpd module. A remote attacker able to access a status page served by mod_status on a server using a threaded Multi-Processing Module (MPM) could send a specially crafted request that would cause the httpd child process to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the "apache" user.

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apache HTTPD server. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the updating of mod_status. A race condition in mod_status allows an attacker to disclose information or corrupt memory with several requests to endpoints with handler server-status and other endpoints. By abusing this flaw, an attacker can possibly disclose credentials or leverage this situation to achieve remote code execution.

A race condition between updating httpd's "scoreboard" and mod_status leads to scenarios where a heap buffer overflow can occur with a user supplied payload. It can also leak heap and critical memory such as htaccess credentials, SSL private keys, and more. Apache version 2.4.7 is affected.

*Credits: AKAT-122733db72ab3ed94b5f8a1ffcde850251fe6f466Marek Kroemeke

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2013-12-03 CVE Reserved
2014-07-16 CVE Published
2014-07-21 First Exploit
2024-08-06 CVE Updated
2024-09-05 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-122: Heap-based Buffer Overflow
CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CAPEC

References (56)

URL	Tag	Source
http://advisories.mageia.org/MGASA-2014-0304.html	Third Party Advisory
http://advisories.mageia.org/MGASA-2014-0305.html	Third Party Advisory
http://secunia.com/advisories/60536	Not Applicable
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html	Third Party Advisory
http://www.osvdb.org/109216	Broken Link
http://www.securityfocus.com/bid/68678	Third Party Advisory
http://zerodayinitiative.com/advisories/ZDI-14-236	Third Party Advisory
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04832246	Third Party Advisory
https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r476d175be0aaf4a17680ef98c5153b4d336eaef76fb2224cc94c463a%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r83109088737656fa6307bd99ab40f8ff0269ae58d3f7272d7048494a%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r9821b0a32a1d0a1b4947abb6f3630053fcbb2ec905d9a32c2bd4d4ee%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/ra7f6aeb28661fbf826969526585f16856abc4615877875f9d3b35ef4%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rad01d817195e6cc871cb1d73b207ca326379a20a6e7f30febaf56d24%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://puppet.com/security/cve/cve-2014-0226	Third Party Advisory
https://support.apple.com/HT204659	Third Party Advisory
https://www.povonsec.com/apache-2-4-7-exploit	Broken Link

URL	Date	SRC
https://www.exploit-db.com/exploits/34133	2014-07-21
https://github.com/shreesh1/CVE-2014-0226-poc	2021-04-02
http://seclists.org/fulldisclosure/2014/Jul/114	2024-08-06
http://www.exploit-db.com/exploits/34133	2024-08-06

URL	Date	SRC
http://httpd.apache.org/security/vulnerabilities_24.html	2023-11-07
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/generators/mod_status.c?r1=1450998&r2=1610491&diff_format=h	2023-11-07
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/lua/lua_request.c?r1=1588989&r2=1610491&diff_format=h	2023-11-07

URL	Date	SRC
http://lists.apple.com/archives/security-announce/2015/Apr/msg00001.html	2023-11-07
http://marc.info/?l=bugtraq&m=143403519711434&w=2	2023-11-07
http://marc.info/?l=bugtraq&m=143748090628601&w=2	2023-11-07
http://marc.info/?l=bugtraq&m=144050155601375&w=2	2023-11-07
http://marc.info/?l=bugtraq&m=144493176821532&w=2	2023-11-07
http://rhn.redhat.com/errata/RHSA-2014-1019.html	2023-11-07
http://rhn.redhat.com/errata/RHSA-2014-1020.html	2023-11-07
http://rhn.redhat.com/errata/RHSA-2014-1021.html	2023-11-07
http://security.gentoo.org/glsa/glsa-201408-12.xml	2023-11-07
http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/CHANGES	2023-11-07
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/generators/mod_status.c	2023-11-07
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/lua/lua_request.c	2023-11-07
http://www.debian.org/security/2014/dsa-2989	2023-11-07
http://www.mandriva.com/security/advisories?name=MDVSA-2014:142	2023-11-07
https://bugzilla.redhat.com/show_bug.cgi?id=1120603	2014-08-21
https://security.gentoo.org/glsa/201504-03	2023-11-07
https://access.redhat.com/security/cve/CVE-2014-0226	2014-08-21

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Redhat Search vendor "Redhat"	Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform"	6.0.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "6.0.0"	-	Affected	in	Redhat Search vendor "Redhat"	Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"	5.0 Search vendor "Redhat" for product "Enterprise Linux" and version "5.0"	-	Safe
Redhat Search vendor "Redhat"	Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform"	6.0.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "6.0.0"	-	Affected	in	Redhat Search vendor "Redhat"	Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"	6.0 Search vendor "Redhat" for product "Enterprise Linux" and version "6.0"	-	Safe
Redhat Search vendor "Redhat"	Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform"	6.4.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "6.4.0"	-	Affected	in	Redhat Search vendor "Redhat"	Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"	5.0 Search vendor "Redhat" for product "Enterprise Linux" and version "5.0"	-	Safe
Redhat Search vendor "Redhat"	Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform"	6.4.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "6.4.0"	-	Affected	in	Redhat Search vendor "Redhat"	Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"	6.0 Search vendor "Redhat" for product "Enterprise Linux" and version "6.0"	-	Safe
Apache Search vendor "Apache"		Http Server Search vendor "Apache" for product "Http Server"				>= 2.2.0 < 2.2.29 Search vendor "Apache" for product "Http Server" and version " >= 2.2.0 < 2.2.29"		-		Affected
Apache Search vendor "Apache"		Http Server Search vendor "Apache" for product "Http Server"				>= 2.4.1 < 2.4.10 Search vendor "Apache" for product "Http Server" and version " >= 2.4.1 < 2.4.10"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				7.0 Search vendor "Debian" for product "Debian Linux" and version "7.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				8.0 Search vendor "Debian" for product "Debian Linux" and version "8.0"		-		Affected
Oracle Search vendor "Oracle"		Enterprise Manager Ops Center Search vendor "Oracle" for product "Enterprise Manager Ops Center"				11.1.3 Search vendor "Oracle" for product "Enterprise Manager Ops Center" and version "11.1.3"		-		Affected
Oracle Search vendor "Oracle"		Enterprise Manager Ops Center Search vendor "Oracle" for product "Enterprise Manager Ops Center"				12.1.4 Search vendor "Oracle" for product "Enterprise Manager Ops Center" and version "12.1.4"		-		Affected
Oracle Search vendor "Oracle"		Http Server Search vendor "Oracle" for product "Http Server"				10.1.3.5.0 Search vendor "Oracle" for product "Http Server" and version "10.1.3.5.0"		-		Affected
Oracle Search vendor "Oracle"		Http Server Search vendor "Oracle" for product "Http Server"				11.1.1.7.0 Search vendor "Oracle" for product "Http Server" and version "11.1.1.7.0"		-		Affected
Oracle Search vendor "Oracle"		Http Server Search vendor "Oracle" for product "Http Server"				12.1.2.0 Search vendor "Oracle" for product "Http Server" and version "12.1.2.0"		-		Affected
Oracle Search vendor "Oracle"		Http Server Search vendor "Oracle" for product "Http Server"				12.1.3.0 Search vendor "Oracle" for product "Http Server" and version "12.1.3.0"		-		Affected
Oracle Search vendor "Oracle"		Secure Global Desktop Search vendor "Oracle" for product "Secure Global Desktop"				4.63 Search vendor "Oracle" for product "Secure Global Desktop" and version "4.63"		-		Affected
Oracle Search vendor "Oracle"		Secure Global Desktop Search vendor "Oracle" for product "Secure Global Desktop"				4.71 Search vendor "Oracle" for product "Secure Global Desktop" and version "4.71"		-		Affected
Oracle Search vendor "Oracle"		Secure Global Desktop Search vendor "Oracle" for product "Secure Global Desktop"				5.0 Search vendor "Oracle" for product "Secure Global Desktop" and version "5.0"		-		Affected
Oracle Search vendor "Oracle"		Secure Global Desktop Search vendor "Oracle" for product "Secure Global Desktop"				5.1 Search vendor "Oracle" for product "Secure Global Desktop" and version "5.1"		-		Affected