# mod_ssl out of date - Vulnerable



## ghostcorps (Apr 11, 2012)

Hi guys,

 I am using Metasploit to discover vulnerabilities on my server and it has reported that the mod_ssl version used by apache22 is out of date, causing the following vulnerabilities:

Apache mod_ssl Unspecified Vulnerability
Remotely Exploitable Buffer Overflow in mod_ssl
mod_ssl Directive Mapping Buffer Overflow

 I understand that FreeBSD ports are patched regularly, but I can not tell if these issues have been patched. I keep my apache22 installation up-to-date.

 Can anyone advise if these vulnerabilities have been fixed in the current native version or else how can I upgrade mod_ssl without breaking the workflow?


Thanks.


----------



## SirDice (Apr 11, 2012)

ghostcorps said:

> Apache mod_ssl Unspecified Vulnerability





> Format string vulnerability in the mod_proxy hook functions function in ssl_engine_log.c in mod_ssl before 2.8.19 for Apache before 1.3.31 may allow remote attackers to execute arbitrary messages via format string specifiers in certain log messages for HTTPS that are handled by the ssl_log function.


http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0700



> Remotely Exploitable Buffer Overflow in mod_ssl





> The dbm and shm session cache code in mod_ssl before 2.8.7-1.3.23, and Apache-SSL before 1.3.22+1.46, does not properly initialize memory using the i2d_SSL_SESSION function, which allows remote attackers to use a buffer overflow to execute arbitrary code via a large client certificate that is signed by a trusted Certificate Authority (CA), which produces a large serialized session.


http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0082



> mod_ssl Directive Mapping Buffer Overflow





> Off-by-one buffer overflow in the ssl_compat_directive function, as called by the rewrite_command hook for mod_ssl Apache module 2.8.9 and earlier, allows local users to execute arbitrary code as the Apache server user via .htaccess files with long entries.


http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0653

Don't blindly accept anything a vulnerability scanner tells you; you need to interpret the results.


----------



## ghostcorps (Apr 11, 2012)

Thanks SirDice,

 I am definitely not blindly accepting what the scanner tells me. Where I can, I test/exploit the vulnerability to prove it for myself. However, in the case of these mod_ssl issues I have been unable to confirm/deny them.

 I expect that they have been patched already as the scanner simply finds the version number and posts any vulnerabilities that are in the database for that version. Whereas FreeBSD usually patches the current versions with the latest updates.

 I am hoping someone is aware of whether or not these are false positives.


----------



## SirDice (Apr 11, 2012)

> I expect that they have been patched already as the scanner simply finds the version number and posts any vulnerabilities that are in the database for that version. Whereas FreeBSD usually patches the current versions with the latest updates.


Which is true for the OpenSSL that's part of the base OS. I don't think mod_ssl falls in that category as it's part of the Apache distribution.


ghostcorps said:

> I am hoping someone is aware of whether or not these are false positives.


Look closely at their descriptions. They're all from 2002 and 2004 and they're all related to Apache 1.3.x not Apache 2.2.x.


----------



## ghostcorps (Apr 11, 2012)

SirDice said:

> Look closely at their descriptions. They're all from 2002 and 2004 and they're all related to Apache 1.3.x not Apache 2.2.x.



Oh, I was reading it as Mod_ssl 2.8 or Apache 1.3. When I looked up the version numbers I read that the mod_ssl versions are tied to the apache versions, so I assumed that I would need a newer version of apache or patch the mod_ssl version.

Thanks for pointing out the obvious  :r


----------
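The false positive discussed in this thread, as an added example that is not part of the original posts: a version-only comparison flags an Apache 2.2 banner against the three mod_ssl 2.8.x advisories, while a check that first looks at the Apache branch does not. The function names and both banner strings are constructed for illustration; the bounds come from the NVD descriptions quoted above.

```python
import re

# Upper bounds from the NVD descriptions quoted in the thread: (bound, inclusive).
# All three refer to the standalone mod_ssl 2.8.x line for Apache 1.3.x.
ADVISORIES = {
    "CVE-2004-0700": ((2, 8, 19), False),  # "before 2.8.19"
    "CVE-2002-0082": ((2, 8, 7), False),   # "before 2.8.7-1.3.23"
    "CVE-2002-0653": ((2, 8, 9), True),    # "2.8.9 and earlier"
}

# Constructed sample Server headers (not taken from the thread).
BANNER_22 = "Apache/2.2.22 (FreeBSD) mod_ssl/2.2.22 OpenSSL/0.9.8q"
BANNER_13 = "Apache/1.3.26 (Unix) mod_ssl/2.8.9 OpenSSL/0.9.6d"

def parse_banner(banner):
    """Extract Apache and mod_ssl versions from a Server header as int tuples."""
    found = {}
    for name, ver in re.findall(r"\b(Apache|mod_ssl)/(\d+(?:\.\d+)*)", banner):
        found[name.lower()] = tuple(int(p) for p in ver.split("."))
    return found

def below(version, bound, inclusive):
    return version <= bound if inclusive else version < bound

def naive_match(banner):
    """Version-only matching: compare the mod_ssl number and nothing else."""
    v = parse_banner(banner).get("mod_ssl")
    if v is None:
        return []
    return sorted(c for c, (b, inc) in ADVISORIES.items() if below(v, b, inc))

def triaged_match(banner):
    """Apply the 2.8.x advisories only when the server is not a known non-1.3 Apache."""
    apache = parse_banner(banner).get("apache")
    if apache is not None and apache[:2] != (1, 3):
        # mod_ssl bundled with Apache 2.x carries httpd's own version number,
        # so 2.2.22 < 2.8.19 is a numeric coincidence, not a match.
        return []
    return naive_match(banner)  # Apache 1.3.x, or branch unknown: keep the finding

if __name__ == "__main__":
    for b in (BANNER_22, BANNER_13):
        print(b, "| naive:", naive_match(b), "| triaged:", triaged_match(b))
```

When the banner does not reveal the Apache branch, `triaged_match` keeps the findings rather than discarding them, so they still get checked by hand.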

