
Vulnerability; mod_isapi module unload flaw CVE-2010-0425

Classification; important

Description;

    A flaw was found with within mod_isapi which would attempt to unload 
    the ISAPI dll when it encountered various error states. This could 
    leave the callbacks in an undefined state and result in a segfault.
    On Windows platforms using mod_isapi, a remote attacker could send 
    a malicious request to trigger this issue, and as win32 MPM runs only
    one process, this would result in a denial of service, and potentially
    allow arbitrary code execution.

Acknowledgements;

    We would like to thank Brett Gervasoni of Sense of Security for reporting
    and proposing a patch fix for this issue.

Mitigation;

    Apply any one of the following mitigations to avert the possibility of
    remote code execution.

    * Do not load mod_isapi.

    * Do not configure/enable any ISAPI applications

    * Modify the ISAPI application to refuse the 'force unload' request,
      returning FALSE from TerminateExtension(HSE_TERM_ADVISORY_UNLOAD).

    * Replace mod_isapi with the corresponding version for httpd 2.0.63 
      and prior, or for 2.2.14 or prior.  Note that Apache httpd 1.3 was
      not affected.

    * Upgrade to Apache httpd 2.2.15

Update Released; 5th March 2010
