This week news broke that an exploit had been published that affected the Apache Web server. You probably glanced past the item in the usual flow of tech news, perhaps swamped by Apple news, and didn’t think anything of it. But if anything the exploit is bigger news than most other items because this Apache vulnerability has a wicked sting in its tail: It’s simple, it’s easy to weaponize, and it could shut down about 60% of websites online.
A denial of service tool was posted on August 19th by a user called Kingcope to the semi-black hat, semi-white hat mailing list Full Disclosure. It contained a shortish fragment of code, a Perl script, and it was called Apache Killer. And it was scary.
Apache Killer, computer security expert Nick Percoco of Trustwave’s Spiderlabs confirmed in an interview with Fast Company, really does live up to its name. Apache is the most widely used web server in the world, accounting for around two thirds of all web server software in use. A web server is the clever, complex background software, installed on a powerful computer, that serves up websites: when your browser navigates to a site, it is actually connecting to a server running software like Apache and asking, in effect, “can you give me all the data that makes up this web page, please?” Apache Killer uses a weakness that popped up in a discussion forum called Bugtraq, posted by a Google security engineer who had spotted how dangerous the loophole could be. It was originally revealed back in 2007, but as far as Apache was concerned, Percoco notes that “basically it doesn’t appear they actually followed up on it” for a number of reasons.
Nick says the vulnerability isn’t one that lets a hacker get at customer records or the like, the kind of exploit that’s been in the news this year, but “what it does do is affect availability.” When your browser asks for website code from an Apache server, the server listens to the request, then sends the relevant HTML files back to you. But your computer can also, of course, download other files from a web server, and as part of the complicated digital conversation between your PC and the Apache server there is a request header named “Range” that your PC sends to the server. It basically says “if the file I’m asking for is really big, say a gigabyte, then please just send me these particular pieces of it.” Apache Killer is a simple script that sends requests to a server and, using this “Range” header, tells it to break up even a small file into a vast number of tiny, overlapping chunks. The server tries to comply with the request, preparing every chunk it was asked for, but the work is far out of proportion to the size of the request, so it swiftly runs out of memory, or hits any number of other errors, and typically crashes, taking the server offline along with any websites it is hosting.
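The mechanism described above can be checked for from the server side: a legitimate client sends one or two byte ranges, while a request that asks for hundreds of overlapping pieces of the same small file is the pattern the article describes. The following is an added example written for this page, not code from the article, from Kingcope’s tool, or from the Apache project. It parses the “Range” header from raw HTTP requests, counts how many ranges are requested and how many overlap, and flags requests over a hypothetical policy threshold. The sample requests and the threshold of five ranges are constructed for the example; a reverse proxy or log pipeline would apply the same check to real traffic.

```python
"""Detect Range-header abuse: many or overlapping byte ranges in one request.

Added example for this article, not code from the article or from Apache.
The sample requests below are constructed; MAX_RANGES is a hypothetical
policy value that an operator would tune for their own traffic.
"""
import re

# Constructed raw HTTP requests as a server or reverse proxy would see them.
# 1: ordinary page fetch, no Range header.
# 2: a resumable download asking for two adjacent, non-overlapping chunks.
# 3: a small file requested as 1300 overlapping ranges that all start at byte 0.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "GET /bigfile.iso HTTP/1.1\r\nHost: example.test\r\n"
    "Range: bytes=0-499,500-999\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: example.test\r\nRange: bytes="
    + ",".join(f"0-{i}" for i in range(1300)) + "\r\n\r\n",
]

MAX_RANGES = 5  # hypothetical threshold; ordinary clients send one or two ranges

RANGE_SPEC = re.compile(r"^\s*bytes\s*=\s*(.*)$", re.IGNORECASE)


def parse_ranges(value):
    """Turn a Range header value into a list of (start, end) tuples.

    A suffix range such as "-500" yields (None, 500); an open-ended range such
    as "9500-" yields (9500, None). Anything that is not a byte-range spec
    yields an empty list.
    """
    m = RANGE_SPEC.match(value)
    if not m:
        return []
    ranges = []
    for part in m.group(1).split(","):
        part = part.strip()
        if not part:
            continue
        start, _, end = part.partition("-")
        ranges.append((int(start) if start else None, int(end) if end else None))
    return ranges


def count_overlaps(ranges):
    """Count how many ranges overlap an earlier one, after sorting by start.

    Suffix ranges (no start) are skipped because their position depends on
    the file size, which a header-only check does not know.
    """
    bounded = sorted((s, e) for s, e in ranges if s is not None)
    overlaps = 0
    prev_end = -1
    for start, end in bounded:
        if start <= prev_end:
            overlaps += 1
        prev_end = max(prev_end, float("inf") if end is None else end)
    return overlaps


def assess_request(raw):
    """Classify one raw request: returns (verdict, range_count, overlap_count).

    verdict is "no-range", "ok" or "reject". A request is rejected when it
    asks for more than MAX_RANGES ranges or for any overlapping ranges.
    """
    range_value = None
    for line in raw.split("\r\n")[1:]:  # skip the request line
        name, _, val = line.partition(":")
        if name.strip().lower() == "range":
            range_value = val.strip()
            break
    if range_value is None:
        return ("no-range", 0, 0)
    ranges = parse_ranges(range_value)
    overlaps = count_overlaps(ranges)
    if len(ranges) > MAX_RANGES or overlaps > 0:
        return ("reject", len(ranges), overlaps)
    return ("ok", len(ranges), overlaps)


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        verdict, n, o = assess_request(req)
        print(f"{req.splitlines()[0]:<30} {verdict:<9} ranges={n} overlaps={o}")
```

Rejecting rather than serving such a request is the defensive choice: a client that genuinely needs a file in pieces can re-request it with a handful of non-overlapping ranges, while a server that tries to honour every overlapping chunk is doing exactly the disproportionate work the article describes.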
The tool that Kingcope posted basically allows “anybody on the planet with a computer to run it, point it at a website that runs a vulnerable version of Apache and basically take out that website and shut it down.” It’s what Percoco thinks of as a “major issue” that targets “one of the building blocks of the Internet.” Sites like Google may run their own web server, which would be invulnerable, but almost everything else would be at risk. It appears not to have been used yet, but there is a bigger risk than individual malicious hackers using it against targeted websites. Suppose a botnet owner with, say, a million infected slave computers at their command were to load the Apache Killer code into the bots and then say, “let’s take the top 5,000 websites on the Internet, which is going to include any named brand on the Internet that anyone knows,” says Percoco, and target them blindly with the code. Considering the prevalence of Apache, it could have incredible implications: in our Internet-loaded world so much commerce, banking, communications, and other services rely on Apache.
Apache is working on the problem, and has promised a patch to fix the issue within days. But sysadmins have to apply the patch themselves, and if you’re a Mom-and-Pop outfit you’re reliant on your web provider to do it all for you. And since even cloud providers could be at risk, their task is harder: to patch the vulnerability, the sysadmins of the sites may need to update tens of thousands of servers. “It’s not going to be an easy fix for most people.” In other words, the update has to percolate around the Net by hand, which will inevitably leave some servers vulnerable for a long time.
But there are two big takeaways from the news. First, this won’t be the last time this sort of issue arrives: Apache and other infrastructure parts of the Net are made of millions of lines of code, and all it takes is for an innovative coder, as we may assume Kingcope is, to trawl through that code and spot a weakness. Second, sysadmins must keep their eyes open and patch any vulnerabilities ASAP (using resources like this system here).
[Image: Flickr user bitzcelt]