Nonce issues with auth_digest when running behind a reverse proxy

Bug #1790430 reported by Steven Ellis on 2018-09-03


Affects: apache2 (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

Confirmed on Ubuntu 14.04.5 with apache2 2.4.18-2ubuntu3.8

No issues with apache2 2.4.18-2ubuntu3.5 or earlier.

I'm running a front end authenticated reverse proxy on Apache

The backend is my Trac server and authentication is failing with nonce errors if I upgrade the version of Apache2.

Example error in the Apache2 logs when I attempt to authenticate:

[Mon Sep 03 15:07:30.830824 2018] [auth_digest:error] [pid 2702] [client 192.168.0.8:50650] AH01776: invalid nonce U6R61+50BQA=d41629bfef1e789345f8b147f08f5ad8c89ce973 received - hash is not 72a2ca1b6c6a13fbcd6c0960e21af1a4d7fcbaf8, referer: https://hello.not.here/site/timeline

The Apache configuration element for the login URL is as follows:

    <LocationMatch "/[^/]+/login">
        AuthType Digest
        AuthName "Trac"
        AuthUserFile /var/www/htdigest
        Require valid-user
    </LocationMatch>


Andreas Hasenack (ahasenack) wrote :

Are you sure you are in ubuntu 14.04.5? Trusty's latest apache2 is 2.4.7-1ubuntu4.20

I assume you meant xenial, which does have 2.4.18-2ubuntu3.8 in security but has 3.9 in updates.

3.8 has security fixes around "nonce generation":

  * SECURITY UPDATE: insecure nonce generation
    - debian/patches/CVE-2018-1312.patch: actually use the secret when
      generating nonces in modules/aaa/mod_auth_digest.c.
    - CVE-2018-1312

I'll check again tomorrow, and also let the secteam in on this bug
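The changelog above says the fix makes nonce generation actually depend on the server's secret. As an added illustration (not Apache's code, and not from this bug; a simplified model that only reproduces the nonce shape seen in the log, a base64 timestamp followed by a hex SHA-1), this Python mints a nonce on one instance and validates it on another. The hash input layout, the 300-second lifetime and the per-instance random secret are assumptions; the point is that two instances with different secrets cannot validate each other's nonces, which is exactly the "hash is not ..." rejection the log shows.

```python
import base64, hashlib, hmac, os, struct, time

TIME_B64_LEN = 12   # base64 of an 8-byte timestamp, e.g. "U6R61+50BQA="
HASH_HEX_LEN = 40   # hex SHA-1, the 40-char tail of the logged nonce
REALM = "Trac"      # AuthName from the report's <LocationMatch> block

def gen_nonce(secret: bytes, realm: str, now: float) -> str:
    """Mint a nonce: base64(timestamp) + SHA1(secret + realm + timestamp).
    Assumed input layout; the real mod_auth_digest hash input differs."""
    ts = struct.pack("<q", int(now * 1_000_000))        # 8-byte microsecond clock
    digest = hashlib.sha1(secret + realm.encode() + ts).hexdigest()
    return base64.b64encode(ts).decode() + digest

def check_nonce(secret: bytes, realm: str, nonce: str, now: float,
                max_age: float = 300.0) -> tuple[bool, str]:
    """Validate a client-returned nonce. Returns (ok, reason); the reason on a
    hash mismatch mirrors the AH01776 message seen in the report's log."""
    if len(nonce) != TIME_B64_LEN + HASH_HEX_LEN:
        return False, "malformed nonce"
    try:
        ts = base64.b64decode(nonce[:TIME_B64_LEN], validate=True)
    except ValueError:
        return False, "malformed nonce timestamp"
    if len(ts) != 8:
        return False, "malformed nonce timestamp"
    expected = hashlib.sha1(secret + realm.encode() + ts).hexdigest()
    if not hmac.compare_digest(expected, nonce[TIME_B64_LEN:]):
        return False, f"invalid nonce {nonce} received - hash is not {expected}"
    issued = struct.unpack("<q", ts)[0] / 1_000_000
    if now - issued > max_age:
        return False, "stale nonce"          # a replayed or expired nonce
    return True, "ok"

def cross_instance_check(secrets_differ: bool) -> tuple[bool, bool]:
    """Mint a nonce on a 'proxy' instance, then validate it on the proxy and on
    a 'backend' instance. With per-server random secrets (post-fix behaviour)
    the backend rejects it; with the secret effectively ignored (pre-fix,
    modelled here as an identical secret) both accept it.
    Returns (proxy_ok, backend_ok)."""
    proxy_secret = os.urandom(20)
    backend_secret = os.urandom(20) if secrets_differ else proxy_secret
    now = time.time()
    nonce = gen_nonce(proxy_secret, REALM, now)
    return (check_nonce(proxy_secret, REALM, nonce, now)[0],
            check_nonce(backend_secret, REALM, nonce, now)[0])

if __name__ == "__main__":
    print("post-fix (distinct secrets):", cross_instance_check(True))   # (True, False)
    print("pre-fix (secret ignored):   ", cross_instance_check(False))  # (True, True)
```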

On Tue, Sep 4, 2018, 18:40 Andreas Hasenack <email address hidden> wrote:

> Are you sure you are in ubuntu 14.04.5? Trusty's latest apache2 is
> 2.4.7-1ubuntu4.20
>
> I assume you meant xenial, which does have 2.4.18-2ubuntu3.8 in security
> but has 3.9 in updates.
>
> 3.8 has security fixes around "nonce generation":
>
> * SECURITY UPDATE: insecure nonce generation
> - debian/patches/CVE-2018-1312.patch: actually use the secret when
> generating nonces in modules/aaa/mod_auth_digest.c.
> - CVE-2018-1312
>
>
> ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-1312
>

Sorry, correction - Ubuntu 16.04.5 with kernel 4.4.0-133-generic

It looks like the CVE around nonce generation impacts the authentication when behind another Apache instance acting as a reverse proxy.

Andreas Hasenack (ahasenack) wrote :

I just tried with a plain apache on xenial using digest authentication and that worked. Could you elaborate a bit on your setup?

You have one apache acting as a reverse proxy, and the authentication is done on the backend apache?

Changed in apache2 (Ubuntu):
status: New → Incomplete
summary: - None issues with auth_digest when running behind an reverse proxy
+ Nonce issues with auth_digest when running behind an reverse proxy
Andreas Hasenack (ahasenack) wrote :

Both apaches are running the same xenial update?

Launchpad Janitor (janitor) wrote :

[Expired for apache2 (Ubuntu) because there has been no activity for 60 days.]

Changed in apache2 (Ubuntu):
status: Incomplete → Expired
Steven Ellis (steven-openmedia) wrote :

No, the front end / proxy node is running on a RHEL 7.5 server and the back end is on Ubuntu.

Changed in apache2 (Ubuntu):
status: Expired → Incomplete
Andreas Hasenack (ahasenack) wrote :

And who is doing authentication? The backend?

Steven Ellis (steven-openmedia) wrote :

Initial authentication is occurring at the Apache reverse proxy. This means I can block any requests to Trac or other internal services I'm proxying at the edge.

Then Trac has its own auth config - again via Apache on Ubuntu 16.04.

Andreas Hasenack (ahasenack) wrote :

I'm sorry, but I need a better reproducer case. You said initial auth is happening at the apache reverse proxy, and that is a rhel machine if I understood you correctly, so not applicable here.
