RichardW

Question over manual update of Apache Proxy from 2.4.33 to 2.4.38


Hello,
We've recently moved over to using ESET File Security for our servers, and ESET Security Management Center Server (7.0.577.0).
Just to give a bit of background, the platform is basically a PCI-compliant one.
Some of the servers are not allowed to reach the internet directly, so we decided to move over from Avira, which stopped supporting downloading updates from a central location on the network.

So far I've installed everything fine and everything works okay.
I also updated the SQL Express instance included in the all-in-one installer up to the latest SP3 and Cumulative Update to avoid issues with TLS 1.0 being turned off in the registry.

However, one of the things that cropped up when doing a network scan with Nessus
is that the version of the Apache Proxy used is 2.4.33, and Nessus warned that this had some security issues that were patched in later versions.
So I figured I'd try and manually update the Apache Proxy to 2.4.38
using this guide - https://help.eset.com/era_install/65/en-US/upgrade_apache_http_proxy_windows_instructions_manual.html?upgrade_apache_http_proxy_windows_instructions_manual.html
and the x32 Windows version from https://www.apachehaus.com/cgi-bin/download.plx
(I was able to determine that the version ESET had installed was x32).

I've managed to install it okay;
the only change to httpd.conf was to change .dll to .so for the loaded modules.

However, when trying to check for updates within ESET File Security this results in a "Product Update Failed / Unauthorised Access" error.
I'm guessing something has changed in the Apache config that needs to be specified, but I'm not sure what just yet.


[Wed Apr 10 16:52:08.785451 2019] [mpm_winnt:notice] [pid 12632:tid 600] AH00455: Apache/2.4.39 (Win32) OpenSSL/1.0.2r configured -- resuming normal operations
[Wed Apr 10 16:52:08.785451 2019] [mpm_winnt:notice] [pid 12632:tid 600] AH00456: Server built: Mar 27 2019 11:11:12
[Wed Apr 10 16:52:08.785451 2019] [core:notice] [pid 12632:tid 600] AH00094: Command line: 'C:\\Program Files\\Apache HTTP Proxy\\bin\\httpd.exe -d C:/Program Files/Apache HTTP Proxy'
[Wed Apr 10 16:52:08.785451 2019] [mpm_winnt:notice] [pid 12632:tid 600] AH00418: Parent: Created child process 13392
[Wed Apr 10 16:52:09.285511 2019] [ssl:warn] [pid 13392:tid 560] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache]
[Wed Apr 10 16:52:09.332392 2019] [mpm_winnt:notice] [pid 13392:tid 560] AH00354: Child: Starting 1500 worker threads.
The 'ApacheHttpProxy' service is running.
[Wed Apr 10 16:57:02.070161 2019] [access_compat:error] [pid 13392:tid 12756] [client 10.20.0.43:56497] AH01797: client denied by server configuration: proxy:http:/repository.eset.com/v1/com/eset/apps/business/efs/windows/metadata3
[Wed Apr 10 16:57:13.087089 2019] [access_compat:error] [pid 13392:tid 12756] [client 10.20.0.43:56505] AH01797: client denied by server configuration: proxy:http:/repository.eset.com/v1/com/eset/apps/business/efs/windows/metadata3
[Wed Apr 10 16:57:41.637342 2019] [access_compat:error] [pid 13392:tid 12756] [client 10.20.0.43:56515] AH01797: client denied by server configuration: proxy:http:/repository.eset.com/v1/com/eset/apps/business/efs/windows/metadata3
[Wed Apr 10 16:58:19.313679 2019] [access_compat:error] [pid 13392:tid 12756] [client 10.20.0.43:56523] AH01797: client denied by server configuration: proxy:http:/repository.eset.com/v1/com/eset/apps/business/efs/windows/metadata3
[Wed Apr 10 16:59:10.819770 2019] [access_compat:error] [pid 13392:tid 12756] [client 10.20.0.43:56531] AH01797: client denied by server configuration: proxy:http:/repository.eset.com/v1/com/eset/apps/business/efs/windows/metadata3
[Wed Apr 10 17:02:09.575292 2019] [access_compat:error] [pid 13392:tid 12732] [client 10.20.0.43:56546] AH01797: client denied by server configuration: proxy:http:/repository.eset.com/v1/com/eset/apps/business/efs/windows/metadata3
[Wed Apr 10 17:04:20.896687 2019] [access_compat:error] [pid 13392:tid 12732] [client 10.10.0.12:62526] AH01797: client denied by server configuration: proxy:http:/repository.eset.com/v1/com/eset/apps/business/efs/windows/metadata3
[Wed Apr 10 17:09:24.261892 2019] [access_compat:error] [pid 13392:tid 12732] [client 10.10.0.12:62590] AH01797: client denied by server configuration: proxy:http:/repository.eset.com/v1/com/eset/apps/business/efs/windows/metadata3
[Wed Apr 10 17:10:23.268876 2019] [access_compat:error] [pid 13392:tid 12756] [client 10.10.0.12:62632] AH01797: client denied by server configuration: proxy:http:/repository.eset.com/v1/com/eset/apps/business/efs/windows/metadata3
[Wed Apr 10 17:10:31.222944 2019] [access_compat:error] [pid 13392:tid 12756] [client 10.10.0.12:62648] AH01797: client denied by server configuration: proxy:http:/repository.eset.com/v1/com/eset/apps/business/efs/windows/metadata3
[Wed Apr 10 17:58:55.551049 2019] [access_compat:error] [pid 13392:tid 12732] [client 10.10.0.12:63246] AH01797: client denied by server configuration: proxy:http:/repository.eset.com/v1/com/eset/apps/business/efs/windows/metadata3

 


Okay, just to follow up, I tried turning off the default block rule for the proxy just to see what would happen.

<Proxy *>
# TODO
#Deny from all
Allow from all
</Proxy>

 

The end result was a malformed URL error when attempting to download updates for ESET File Security.

[Wed Apr 10 18:41:19.985040 2019] [proxy_http:error] [pid 9480:tid 12756] [client 10.10.0.12:63758] AH01083: error parsing URL /repository.eset.com/v1/com/eset/apps/business/efs/windows/metadata3: Malformed URL
[Wed Apr 10 18:41:26.657705 2019] [proxy_http:error] [pid 9480:tid 12756] [client 10.10.0.12:63774] AH01083: error parsing URL /repository.eset.com/v1/com/eset/apps/business/efs/windows/metadata3: Malformed URL

 

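Added example, not part of the original posts and not ESET or Apache tooling: a small Python triage of the two error signatures quoted above (AH01797 and AH01083) that extracts the proxied target from each line and classifies its shape per client, so the single-slash `http:/` form in the log stands out. The first three sample lines are copied from this thread, the fourth is constructed for contrast, and the shape labels are names chosen for this example.

```python
import re
from collections import Counter

# Lines 1-3 are copied from this thread's log excerpts; line 4 is constructed for contrast.
SAMPLE_LOG = """\
[Wed Apr 10 16:57:02.070161 2019] [access_compat:error] [pid 13392:tid 12756] [client 10.20.0.43:56497] AH01797: client denied by server configuration: proxy:http:/repository.eset.com/v1/com/eset/apps/business/efs/windows/metadata3
[Wed Apr 10 17:04:20.896687 2019] [access_compat:error] [pid 13392:tid 12732] [client 10.10.0.12:62526] AH01797: client denied by server configuration: proxy:http:/repository.eset.com/v1/com/eset/apps/business/efs/windows/metadata3
[Wed Apr 10 18:41:19.985040 2019] [proxy_http:error] [pid 9480:tid 12756] [client 10.10.0.12:63758] AH01083: error parsing URL /repository.eset.com/v1/com/eset/apps/business/efs/windows/metadata3: Malformed URL
[Wed Apr 10 19:00:00.000000 2019] [access_compat:error] [pid 9480:tid 12756] [client 192.0.2.10:50000] AH01797: client denied by server configuration: proxy:http://blocked.example/index.html
"""

LINE = re.compile(r"^\[[^\]]+\] \[\w+:\w+\] \[pid [^\]]+\] "
                  r"(?:\[client (?P<client>[\d.]+):\d+\] )?(?P<code>AH\d{5}): (?P<msg>.*)$")
# Message formats as they appear in the quoted log lines.
TARGET = {
    "AH01797": re.compile(r"client denied by server configuration: proxy:(\S+)$"),
    "AH01083": re.compile(r"error parsing URL (\S+): Malformed URL$"),
}
SCHEME = r"[A-Za-z][A-Za-z0-9+.-]*"

def url_shape(target):
    """Classify the logged proxy target (labels are this example's own)."""
    if re.match(SCHEME + r"://", target):
        return "absolute"             # scheme://host/..., normal forward-proxy form
    if re.match(SCHEME + r":/(?!/)", target):
        return "single-slash-scheme"  # scheme:/host/..., as in the AH01797 lines
    if re.match(r"/(?!/)[^/]+\.[^/]+/", target):
        return "host-in-path"         # /host.tld/..., as in the AH01083 lines
    return "other"

def triage(log_text):
    """Return one finding per AH01797/AH01083 line that names a proxy target."""
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m or m["code"] not in TARGET:
            continue
        t = TARGET[m["code"]].search(m["msg"])
        if t:
            findings.append({"client": m["client"], "code": m["code"],
                             "target": t.group(1), "shape": url_shape(t.group(1))})
    return findings

def summarize(findings):
    """Count findings per (client, error code, URL shape)."""
    return Counter((f["client"], f["code"], f["shape"]) for f in findings)

if __name__ == "__main__":
    print(summarize(triage(SAMPLE_LOG)))
```

Passing the contents of the real error.log to `triage()` and grouping with `summarize()` shows whether every client's request is logged in the same collapsed form or only some.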

Hi Richard, from your post it is not clear what proxy configuration you use.

I recommend you download the Apache HTTP Proxy installer from the ESET download page (ESMC, standalone installers) and use only the httpd.conf file from the archive with your installation. Restart the Apache service for it to take effect.


Hi Janoo, the proxy configuration I've been using (httpd.conf) is the same one included with the all-in-one installer for ESET Security Management Center. I'm just using a more up-to-date version of Apache but with the same config.

The only change to it is replacing .dll with .so in httpd.conf (which is something recommended in the ESET documentation link above).

I also tried a different binary release from https://www.apachelounge.com/download/ but it had the same result.


Hi Richard, just to make sure, before you updated to the newest proxy, you did not have those errors in the log? Are there any other problems/issues with ESMC/endpoints?


logs_and_conf.zip

Hi Janoo, I did check that the original Apache proxy included by ESET was working okay;
in fact, when I reverted back to it (since I'd made a backup of C:\Program Files\Apache HTTP Proxy)
everything started working fine again.
I think the only errors in the error log were related to access to the cache directory under C:\\ProgramData\\Apache HTTP Proxy\\
but that didn't seem to affect the check for updates.

I've done a bit of additional checking to provide as much info as possible,
and I've attached the error log and httpd.conf files from the different tests I've done so far.
In order to test, I've run updates for ESET File Security on a machine that doesn't have direct access to the internet
but can access the proxy, and does also have ESET Management Agent installed, which tells it to use the proxy via the default policy setting.

## Version included with ESET Security Management Center Server (ESMCS)

This appears to be version 2.4.33 of Apache, probably a custom build since it's using .dll files for the modules.
The error logs don't show all that much, potentially a couple of cache-related errors,
but the machine doing the updates works fine and shows no errors.

https://www.eset.com/int/business/security-management-center/download/
All-in-one installer

## Standalone version of Apache HTTP Proxy - ESET

I did a file comparison and this is identical to the version included with the all-in-one installer.
https://www.eset.com/int/business/security-management-center/download/#standalone

## Apache Lounge 2.4.39 Win32

https://httpd.apache.org/docs/current/platform/windows.html#down
https://www.apachelounge.com/download/
httpd-2.4.39-win32-VC15.zip
https://aka.ms/vs/15/release/VC_redist.x86.exe

Using exactly the same httpd.conf as from the ESET install;
the only change made was to rename LoadModule entries from .dll to .so, since the extension on the modules is different.
Same errors as already listed.


Strangely enough, if I set Firefox to use the proxy it works fine / as expected,
in that it only allows access to sites ending in eset.com in the URL.

Based on what I'm seeing, I suspect there may be a problem in the way the ESET app (in this case File Security) is passing the URL to the proxy,
something that works with older versions of Apache Proxy but not the newer versions.
Possibly it's missing the "http" prefix in the URL.

 


Okay, I managed to find a version that does work; this uses VC11 instead of VC15 / VC14.

https://www.apachelounge.com/download/VC11/

Apache 2.4.38 Win32

So it looks like it's either something added between 2.4.38 -> 2.4.39, or the use of VC15 / VC14 instead of VC11 for the C++ libraries under Windows.

Edit:

Nessus still mentions it would prefer 2.4.39 due to several patched bugs

https://httpd.apache.org/security/vulnerabilities_24.html

I wonder if the change they made to URL normalization inconsistency (CVE-2019-0220) might have something to do with the compatibility with the ESET applications.

56 minutes ago, RichardW said:

Nessus still mentions it would prefer 2.4.39 due to several patched bugs

If you are using the Apache proxy distributed with ESMC, you should not be affected by those security vulnerabilities. The distributed proxy uses/loads only a minimal set of modules, which were not affected.

 

58 minutes ago, RichardW said:

I wonder if the change they made to URL normalization inconsistency (CVE-2019-0220) might have something to do with the compatibility with the ESET applications.

Version 2.4.39 will be tested in the upcoming weeks, but it is possible it is related to one of the fixes. We are quite cautious when releasing a new version, as we have found out multiple times in the last years that even basic HTTP caching might not work properly in specific releases...

If I recall correctly, the proxy for ESMC is compiled with vc40 and without any changes in code, so I would guess third-party builds should work, but extra caution should be taken when checking availability of all required modules.


Thanks for the info

Currently I'm going through and checking to see if I can do anything to harden the Apache setup.

The first thing Nessus recommends is "TraceEnable Off", so I've set that up so far.
