Apache Update: TLS Certificate Authentication Bypass with HTTP/2 (CVE-2016-4979)

Apache Update: TLS Certificate Authentication Bypass with HTTP/2 (CVE-2016-4979)
Apache released an important update today to fix a vulnerability that affects servers that have http/2 enabled and use TLS client certificates for authentication. Apache 2.4.18-20 are vulnerable if: - TLS certificates are used for authenticating clients (look for the "SSLVerifyClient require" directive in your configuration file) - http/2 is enabled. (see if the "Protocols" line includes h2 and/or h2c). Only access over http/2 is affected. Access via http/1.1 is still properly controlled even if http/2 is enabled. Over TLS, clients that suport http/2 will likely use it over http/1.1. http/2 is not enabled by default in any currently shipping version of Apache. To quickly check your network traffic for http/2 use, you can use this tshark line: tshark -Y 'ssl.handshake.extensions_alpn_str == "h2"' -n -i en0 \ -T fields -e ip.src -e ip.dst -e ssl.handshake.type -e ssl.handshake.extensions_server_name \ -e ssl.handshake.extensions_alpn_str It will list the client requests as well as the server responses that contain http/2 including the host name that the client is trying to reach. For example: 10.5.1.12 216.58.192.66 1 cm.g.doubleclick.net h2,spdy/3.1,http/1.1 216.58.192.66 10.5.1.12 2 h2 In this handshake, the client offers http/2, spdy/3.1 as well as http/1.1 to cm.g.doubleclick.net . The server then selects http/2 (h2). --- Johannes B. Ullrich, Ph.D. STI\|Twitter\|LinkedIn I will be teaching next: Defending Web Applications Security Essentials - SANS Cyber Security West: March 2021	Johannes 4037 Posts ISC Handler Jul 5th 2016
Thread locked Subscribe	Jul 5th 2016 4 years ago
Hello mate, I tried to run your command and get errors. When trying the tshark command. tshark -Y 'ssl.handshake.extensions_alpn_str == "h2"' -n -i en0 \ -T fields -e ip.src -e ip.dst -e ssl.handshake.type -e ssl.handshake.extensions_server_name \ -e ssl.handshake.extensions_alpn_str I get "That string isn't a valid capture filter (Syntax error). See the User's Guide for a description of the capture filter syntax. 0 packets captured. Do you know how to fix this? Pretty new to the game yet but love learning. Also, is there a Snort rule that can be used to find this? Thanks again. Love the show and love the news update.	Anonymous
Quote	Jul 6th 2016 4 years ago
Try a newer version of tshark. I know the one I had in my Ubuntu 14.04 didn't "ssl.handshake.extensions_alpn_str" part at all, it's only newer versions of tshark that supports that extension. PS. Ubuntu 16.04 has a working version.	Anonymous
Quote	Jul 8th 2016 4 years ago

Apache released an important update today to fix a vulnerability that affects servers that have http/2 enabled and use TLS client certificates for authentication.

Apache 2.4.18-20 are vulnerable if:

- TLS certificates are used for authenticating clients (look for the "SSLVerifyClient require" directive in your configuration file)

- http/2 is enabled. (see if the "Protocols" line includes h2 and/or h2c).

Only access over http/2 is affected. Access via http/1.1 is still properly controlled even if http/2 is enabled. Over TLS, clients that suport http/2 will likely use it over http/1.1.

http/2 is not enabled by default in any currently shipping version of Apache.

To quickly check your network traffic for http/2 use, you can use this tshark line:

tshark -Y 'ssl.handshake.extensions_alpn_str == "h2"' -n -i en0 \
-T fields -e ip.src -e ip.dst -e ssl.handshake.type -e ssl.handshake.extensions_server_name \
-e ssl.handshake.extensions_alpn_str

It will list the client requests as well as the server responses that contain http/2 including the host name that the client is trying to reach. For example:

10.5.1.12 216.58.192.66 1 cm.g.doubleclick.net h2,spdy/3.1,http/1.1
216.58.192.66 10.5.1.12 2 h2

In this handshake, the client offers http/2, spdy/3.1 as well as http/1.1 to cm.g.doubleclick.net . The server then selects http/2 (h2).

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

I will be teaching next: Defending Web Applications Security Essentials - SANS Cyber Security West: March 2021

Johannes

4037 Posts
ISC Handler

Jul 5th 2016

Hello mate,

I tried to run your command and get errors.
When trying the tshark command.

tshark -Y 'ssl.handshake.extensions_alpn_str == "h2"' -n -i en0 \
-T fields -e ip.src -e ip.dst -e ssl.handshake.type -e ssl.handshake.extensions_server_name \
-e ssl.handshake.extensions_alpn_str

I get "That string isn't a valid capture filter (Syntax error).
See the User's Guide for a description of the capture filter syntax.
0 packets captured.

Do you know how to fix this? Pretty new to the game yet but love learning.

Also, is there a Snort rule that can be used to find this?

Thanks again. Love the show and love the news update.

Anonymous

Try a newer version of tshark.

I know the one I had in my Ubuntu 14.04 didn't "ssl.handshake.extensions_alpn_str" part at all, it's only newer versions of tshark that supports that extension.

PS. Ubuntu 16.04 has a working version.

Anonymous