
I'm on the latest macOS (Big Sur 11.4 20F71) and discovered a critical vulnerability in Apache httpd, which is located here: /usr/sbin/httpd. I never installed Apache httpd on my Mac. /usr/sbin is a read-only file system (protected by SIP, "System Integrity Protection") and it isn't possible to install anything in that folder, even as a root user, which makes me think that Apache httpd is bundled with Big Sur by default. If so, how can I install the latest patch?

The vulnerable version is 2.4.46 and there's a fix in 2.4.47, but I've had real issues updating httpd.

> /usr/sbin/httpd -v
Server version: Apache/2.4.46 (Unix)
Server built:   May  8 2021 03:38:34

Things I've tried so far:

  • Install the latest version of httpd using homebrew. It installs the correct version in /usr/local/bin which isn't OK because it still leaves the vulnerable version intact.
  • Making any change to /usr/sbin/httpd throws an "Operation not permitted" error, which led me to try to disable System Integrity Protection, because it should make the file system writable. After disabling it I tried to manually install the latest version of the httpd binary into /usr/sbin/httpd, but I still get this error: /usr/sbin/httpd: Read-only file system. It looks like it's not possible to disable SIP completely.

How can I resolve this? This vulnerability was discovered on June 6th, so it's over the 14-day limit required by a lot of InfoSec regulators to implement a fix.

For reference, here are the details of the vulnerability (from Nessus):

The version of Apache httpd installed on the remote host is prior to 2.4.47. It is, therefore, affected by multiple vulnerabilities as referenced in the 2.4.47 changelog:

  • Unexpected section matching with 'MergeSlashes OFF' (CVE-2021-30641)

  • mod_auth_digest: possible stack overflow by one nul byte while validating the Digest nonce. (CVE-2020-35452)

  • mod_session: Fix possible crash due to NULL pointer dereference, which could be used to cause a Denial of Service with a malicious backend server and SessionHeader. (CVE-2021-26691)

  • mod_session: Fix possible crash due to NULL pointer dereference, which could be used to cause a Denial of Service. (CVE-2021-26690)

  • mod_proxy_http: Fix possible crash due to NULL pointer dereference, which could be used to cause a Denial of Service. (CVE-2020-13950)

  • Windows: Prevent local users from stopping the httpd process (CVE-2020-13938)

  • mod_proxy_wstunnel, mod_proxy_http: Handle Upgradable protocols end-to-end negotiation. (CVE-2019-17567)

AJ Hurst

1 Answer


Until a new Apache version (v2.4.47/48) is made available by Apple, you can ensure the built-in web server service is disabled at startup (it is disabled by default). Refer to https://community.jamf.com/t5/jamf-pro/macos-vulnerability-httpd/td-p/236022
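An added example, not part of the question or the answer above: a small POSIX shell audit that does what the two posts describe by hand. It parses the `httpd -v` output quoted in the question, decides whether the bundled build is older than the 2.4.47 release the question names, and, when run on a Mac, reports whether the launchd job for the built-in web server is loaded (the answer's point that the service should stay disabled). The launchd label `org.apache.httpd` is an assumption about the plist Apple ships; the `classify_httpd` and `httpd_service_state` helper names are this example's own.

```shell
#!/bin/sh
# Added example: audit the macOS-bundled Apache httpd.
# Fixed release named in the question: 2.4.47.
FIXED_VERSION="2.4.47"

# Pull "2.4.46" out of a line like "Server version: Apache/2.4.46 (Unix)".
httpd_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^Server version: Apache\/\([0-9][0-9.]*\).*/\1/p'
}

# True (exit 0) when dotted version $1 sorts numerically before $2.
version_lt() {
    [ "$1" != "$2" ] && \
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$1" ]
}

# Classify `httpd -v` output: prints vulnerable, patched or unknown.
classify_httpd() {
    v=$(httpd_version_from_output "$1")
    if [ -z "$v" ]; then
        echo unknown
    elif version_lt "$v" "$FIXED_VERSION"; then
        echo vulnerable
    else
        echo patched
    fi
}

# Map a `launchctl print system/<label>` exit status to a state word;
# launchctl exits non-zero when the job is not loaded in the system domain.
httpd_service_state() {
    if [ "$1" -eq 0 ]; then echo loaded; else echo not-loaded; fi
}

# Constructed sample: the exact output quoted in the question.
SAMPLE_OUTPUT='Server version: Apache/2.4.46 (Unix)
Server built:   May  8 2021 03:38:34'

# Live check; only meaningful on macOS, where /usr/sbin/httpd is bundled.
audit_live_host() {
    if [ -x /usr/sbin/httpd ]; then
        out=$(/usr/sbin/httpd -v 2>/dev/null)
        echo "bundled httpd $(httpd_version_from_output "$out"): $(classify_httpd "$out")"
        # Assumed launchd label for the built-in web server (see lead-in).
        if launchctl print system/org.apache.httpd >/dev/null 2>&1; then rc=0; else rc=$?; fi
        echo "launchd job org.apache.httpd: $(httpd_service_state "$rc")"
    else
        echo "/usr/sbin/httpd not present on this host; nothing to audit"
    fi
}

echo "sample output from the question: $(classify_httpd "$SAMPLE_OUTPUT")"
audit_live_host
```

On the host in the question the sample line classifies as `vulnerable`; a `not-loaded` result for the launchd job is the state the answer recommends keeping until Apple ships a newer build.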