Nonce issues with auth_digest when running behind an reverse proxy

Bug #1790430 reported by Steven Ellis
Affects: apache2 (Ubuntu)
Status: Expired
Importance: Undecided
Assigned to: Unassigned

Bug Description

Confirmed on Ubuntu 14.04.5 with apache2 2.4.18-2ubuntu3.8

No issues with apache2 2.4.18-2ubuntu3.5 or earlier.

I'm running a front end authenticated reverse proxy on Apache

The backend is my Trac server and authentication is failing with nonce errors if I upgrade the version of Apache2.

Example error in the Apache2 logs when I attempt to authenticate:

[Mon Sep 03 15:07:30.830824 2018] [auth_digest:error] [pid 2702] [client 192.168.0.8:50650] AH01776: invalid nonce U6R61+50BQA=d41629bfef1e789345f8b147f08f5ad8c89ce973 received - hash is not 72a2ca1b6c6a13fbcd6c0960e21af1a4d7fcbaf8, referer: https://hello.not.here/site/timeline

The Apache configuration element for the login URL is as follows:

    <LocationMatch "/[^/]+/login">
        AuthType Digest
        AuthName "Trac"
        AuthUserFile /var/www/htdigest
        Require valid-user
    </LocationMatch>
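The AH01776 line above carries more than the error text: the nonce itself embeds the time the server minted it. The following is an added example, not code from the bug report or from Apache, that parses such a line and decodes the nonce's timestamp; it assumes the mod_auth_digest nonce layout (12 base64 chars holding an 8-byte apr_time_t in microseconds, then 40 hex chars of SHA-1 that mixes in the server's start-time secret), a little-endian server, and takes the server's UTC offset as a parameter because Apache's default error-log timestamp is local time. The sample log line is the one quoted in this report.

```python
import base64
import re
import struct
from datetime import datetime, timedelta, timezone

# Constructed sample: the AH01776 line quoted in the bug description, re-typed here.
SAMPLE_LINE = (
    "[Mon Sep 03 15:07:30.830824 2018] [auth_digest:error] [pid 2702] "
    "[client 192.168.0.8:50650] AH01776: invalid nonce "
    "U6R61+50BQA=d41629bfef1e789345f8b147f08f5ad8c89ce973 received - "
    "hash is not 72a2ca1b6c6a13fbcd6c0960e21af1a4d7fcbaf8, "
    "referer: https://hello.not.here/site/timeline"
)

AH01776_RE = re.compile(
    r"\[(?P<ts>[^\]]+)\] \[auth_digest:error\] .*?\[client (?P<client>[^\]]+)\] "
    r"AH01776: invalid nonce (?P<nonce>\S+) received - hash is not "
    r"(?P<expected>[0-9a-f]{40})"
)

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def decode_nonce(nonce):
    """Split a mod_auth_digest nonce into (issue time, hash part).
    Assumed layout: 12 base64 chars = 8-byte apr_time_t (microseconds since the
    epoch, host byte order; little-endian x86 assumed), then 40 hex chars of SHA-1."""
    if len(nonce) != 52:
        raise ValueError("unexpected nonce length %d" % len(nonce))
    usec = struct.unpack("<q", base64.b64decode(nonce[:12]))[0]
    return EPOCH + timedelta(microseconds=usec), nonce[12:]


def parse_ah01776(line, utc_offset_hours=0):
    """Describe one AH01776 error-log line, or return None for any other line.
    utc_offset_hours is the logging server's offset, since the default error-log
    timestamp is local time while the nonce timestamp is UTC."""
    m = AH01776_RE.search(line)
    if not m:
        return None
    issued, nonce_hash = decode_nonce(m.group("nonce"))
    logged = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S.%f %Y")
    logged = logged.replace(tzinfo=timezone(timedelta(hours=utc_offset_hours)))
    return {
        "client": m.group("client"),
        "issued": issued,
        # Seconds between the nonce being minted and the request that failed with it.
        "age_seconds": (logged - issued).total_seconds(),
        "nonce_hash": nonce_hash,
        "expected_hash": m.group("expected"),
    }


if __name__ == "__main__":
    print(parse_ah01776(SAMPLE_LINE, utc_offset_hours=12))
```

Apache answers a genuine but expired nonce with a stale=true re-challenge rather than AH01776, so a nonce only about a second old (as this one decodes to, with a +12 offset) that still fails its hash check was minted under a secret other than the one the checking server holds; each Apache instance generates its own secret at startup, and the CVE-2018-1312 change ("actually use the secret") is what makes that difference visible.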

CVE References: CVE-2018-1312 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-1312)

Andreas Hasenack (ahasenack) wrote :

Are you sure you are in ubuntu 14.04.5? Trusty's latest apache2 is 2.4.7-1ubuntu4.20

I assume you meant xenial, which does have 2.4.18-2ubuntu3.8 in security but has 3.9 in updates.

3.8 has security fixes around "nonce generation":

  * SECURITY UPDATE: insecure nonce generation
    - debian/patches/CVE-2018-1312.patch: actually use the secret when
      generating nonces in modules/aaa/mod_auth_digest.c.
    - CVE-2018-1312

Andreas Hasenack (ahasenack) wrote : Re: [Bug 1790430] Re: None issues with auth_digest when running behind an reverse proxy

I'll check again tomorrow, and also let the secteam in on this bug

On Tue, Sep 4, 2018, 18:40 Andreas Hasenack <email address hidden> wrote:

> Are you sure you are in ubuntu 14.04.5? Trusty's latest apache2 is
> 2.4.7-1ubuntu4.20
>
> I assume you meant xenial, which does have 2.4.18-2ubuntu3.8 in security
> but has 3.9 in updates.
>
> 3.8 has security fixes around "nonce generation":
>
> * SECURITY UPDATE: insecure nonce generation
> - debian/patches/CVE-2018-1312.patch: actually use the secret when
> generating nonces in modules/aaa/mod_auth_digest.c.
> - CVE-2018-1312
>
>
> ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-1312
>

Steven Ellis (steven-openmedia) wrote : Re: None issues with auth_digest when running behind an reverse proxy

Sorry, correction: Ubuntu 16.04.5 with kernel 4.4.0-133-generic.

It looks like the CVE around nonce generation impacts the authentication when behind another Apache instance acting as a reverse proxy.

Andreas Hasenack (ahasenack) wrote :

I just tried with a plain apache on xenial using digest authentication and that worked. Could you elaborate a bit on your setup?

You have one apache acting as a reverse proxy, and the authentication is done on the backend apache?

Changed in apache2 (Ubuntu):
status: New → Incomplete
summary: - None issues with auth_digest when running behind an reverse proxy
+ Nonce issues with auth_digest when running behind an reverse proxy
Andreas Hasenack (ahasenack) wrote :

Both apaches are running the same xenial update?

Launchpad Janitor (janitor) wrote :

[Expired for apache2 (Ubuntu) because there has been no activity for 60 days.]

Changed in apache2 (Ubuntu):
status: Incomplete → Expired
Steven Ellis (steven-openmedia) wrote :

No, the front end / proxy node is running on a RHEL 7.5 server and the back end is on Ubuntu.

Changed in apache2 (Ubuntu):
status: Expired → Incomplete
Andreas Hasenack (ahasenack) wrote :

And who is doing authentication? The backend?

Steven Ellis (steven-openmedia) wrote :

Initial authentication is occurring at the Apache reverse proxy. This means I can block any requests to Trac or other internal services I'm proxying at the edge.

Then Trac has its own auth config - again via Apache on Ubuntu 16.04.

Andreas Hasenack (ahasenack) wrote :

I'm sorry, but I need a better reproducer case. You said initial auth is happening at the apache reverse proxy, and that is a rhel machine if I understood you correctly, so not applicable here.

Launchpad Janitor (janitor) wrote :

[Expired for apache2 (Ubuntu) because there has been no activity for 60 days.]

Changed in apache2 (Ubuntu):
status: Incomplete → Expired