Apache? A-Patch-me, more like.

Written by:
by Damian Jennings
Date Posted:
8 December 2017

The snappily named CVE-2017-14377 is a way to bypass Apache authentication. All a naughty person needs to do is send a packet that triggers a validation error. This will let them get access to the resources on the server.

The advisory details the following: This vulnerability is only present when the RSA Authentication Agent for Web for Apache Web Server is configured to use the TCP protocol to communicate with the RSA Authentication Manager server. UDP implementation, which is the default configuration, is not vulnerable.

Please refer to the RSA Authentication Agent 8.x for Web for Apache Web Server Installation and Configuration Guide for configuration details.

You can defend against this bug by setting up the auth agent to use UDP instead. RSA has already released a patch you can find here:

There’s another hole too. CVE-2017-14378 messes with the RSA Auth Agent SDK for C. Basically, any system made with the SDK would also have this bug (unless it was made using Java).

There was a mistake with TCP asynchronous mode implementations. This would let attackers get around the auth. They claim that situations like this are very limited, but who really knows for sure?

Again, it’s been patched and you can get the patch from here. If you’re so inclined.





No votes yet.
Please wait...

Leave a Reply

Be the First to Comment!

Notify of

Hyve are 100% carbon neutral. We use carbon offsetting to balance out the release of carbon dioxide from our offices and infrastructure.