CVE-2011-4973

9.8 CRITICAL

📋 TL;DR

CVE-2011-4973 is an authentication bypass in mod_nss 1.0.8, the Apache HTTP Server TLS module built on Mozilla NSS. It affects the module's FakeBasicAuth feature (NSSOptions +FakeBasicAuth), which turns a verified client certificate into a synthetic HTTP Basic credential: the certificate subject DN becomes the user name and the fixed string 'password' is the password, so that an ordinary AuthUserFile can authorize certificate holders. mod_nss 1.0.8 did not distinguish that server-generated credential from one the client supplied itself, so a remote attacker who knows the subject DN of a listed user can send an 'Authorization: Basic' header built from that DN and the password 'password' and be authenticated as that user, without holding the certificate or its private key.

💻 Affected Systems

Products:
  • mod_nss
Versions: 1.0.8 (fixed in 1.0.9)
Operating Systems: Linux distributions shipping mod_nss (Red Hat Enterprise Linux, CentOS and Fedora as mod_nss; Debian and Ubuntu as libapache2-mod-nss)
Default Config Vulnerable: ✅ No
Notes: Only configurations that enable FakeBasicAuth (NSSOptions +FakeBasicAuth, which the stock nss.conf does not set) are exposed. Client-certificate authentication that does not use FakeBasicAuth, and servers that do not load mod_nss at all, are not affected by this CVE.

📦 What is this software?

mod_nss is a TLS module for the Apache HTTP Server that uses the Mozilla Network Security Services (NSS) library instead of OpenSSL. It mirrors most mod_ssl directives under an NSS prefix (NSSEngine, NSSVerifyClient, NSSOptions, NSSRequireSSL) and is packaged mainly by Red Hat-derived distributions, where it is chosen when certificates must live in an NSS database or FIPS-validated cryptography is required.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Any user listed in the FakeBasicAuth password file can be impersonated, administrative accounts included, giving full access to the application behind the certificate gate and to whatever data and privileged functions it exposes.

🟠 Likely Case

Unauthorized access to resources protected by certificate-based authentication by anyone who can reach the server and learn a valid subject DN, with the attacker's actions logged under the impersonated user's name.

🟢 If Mitigated

Limited impact where a client certificate is demanded at the TLS handshake for the whole virtual host, the application performs its own second authentication step, access is restricted by network, and authenticated requests that arrive without a client certificate are alerted on.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation needs only the subject DN of a user in the server's FakeBasicAuth password file, which is not a secret (it is the certificate's subject name and is stored in plain text as the user name in the AuthUserFile), plus one HTTPS request carrying a forged Basic credential built from that DN and the fixed password 'password'. No client certificate, private key or real password is needed, so the attack is a single request from any client that can reach the server.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: mod_nss 1.0.9 and later

Vendor Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=1017197

Restart Required: Yes

Instructions:

1. Update mod_nss to 1.0.9 or later with the distribution package manager (Red Hat-based systems: 'yum update mod_nss', or 'dnf update mod_nss' on newer releases).
2. Confirm the installed version with 'rpm -q mod_nss'.
3. Restart the web server so the new module is loaded: 'systemctl restart httpd' or 'service httpd restart'.

🔧 Temporary Workarounds

Disable FakeBasicAuth

linux

Until the package can be updated, remove the feature the bypass lives in; certificate verification at the TLS layer is unaffected and can stay on.

Remove '+FakeBasicAuth' from every NSSOptions directive (together with the AuthType Basic / AuthUserFile block that depends on it), then restart httpd. Removing 'NSSVerifyClient require' does not help and makes matters worse, because it lets clients without any certificate complete the handshake.

Require a client certificate for the whole virtual host and add a real password

linux

Demand the certificate at the handshake, so an anonymous client never reaches the HTTP authentication phase, and authenticate users with a password of their own rather than the fixed FakeBasicAuth one.

Set 'NSSVerifyClient require' in the <VirtualHost> context (a per-directory setting alone does not block the handshake), drop FakeBasicAuth, and protect the location with AuthType Basic and an AuthUserFile holding real password hashes. If FakeBasicAuth must stay enabled on 1.0.8, a holder of any certificate trusted by the server can still forge another listed user's DN, so this only narrows the attack until the patch is installed.
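The two workaround directions above, as an added configuration example that is not part of this page or of the mod_nss project: the weak FakeBasicAuth layout, a hardened virtual host that keeps FakeBasicAuth for a server that cannot be updated yet, and the variant that drops it in favour of real passwords. Paths, the certificate nickname, the protected location and the sample DN are assumptions; the hook-ordering claim about mod_headers is an assumption too and is stated in the comments so it can be checked on your build.

```apache
# Added example; not from the page or the mod_nss project. Paths, nickname,
# location and DN are illustrative assumptions.

## 1. Vulnerable pattern on mod_nss 1.0.8. Clients may connect without a
##    certificate, and the only thing guarding /secure/ is a Basic credential
##    whose password is the fixed string "password" and whose user name (the
##    DN) is not secret.
<VirtualHost _default_:8443>
    NSSEngine on
    NSSCertificateDatabase /etc/httpd/alias
    NSSNickname Server-Cert
    # "optional": the handshake succeeds with no client certificate
    NSSVerifyClient optional

    <Location /secure/>
        NSSOptions +FakeBasicAuth
        AuthType Basic
        AuthName "Certificate holders"
        # Entries are "<subject DN>:<crypt of the word password>", e.g.
        #   CN=alice,O=Example Corp:xxj31ZMTZzkVA
        AuthUserFile /etc/httpd/conf/fakebasic.htpasswd
        Require valid-user
    </Location>
</VirtualHost>

## 2. Hardened while FakeBasicAuth stays on. The certificate is demanded at the
##    handshake for the whole virtual host, so an anonymous client never reaches
##    the HTTP authentication phase (per-directory NSSVerifyClient is not enough
##    for that), and any Authorization header the client sends is discarded
##    before mod_nss builds its own from the certificate. Assumption: mod_headers
##    "early" runs in post_read_request, ahead of the check_user_id hook where
##    the fake header is created; verify this on your build. Note the unset
##    also strips genuine Basic credentials for every other location in this
##    virtual host, and a holder of any trusted certificate can still forge a
##    different listed DN on 1.0.8.
<VirtualHost _default_:8443>
    NSSEngine on
    NSSCertificateDatabase /etc/httpd/alias
    NSSNickname Server-Cert
    NSSVerifyClient require
    RequestHeader unset Authorization early

    <Location /secure/>
        NSSOptions +FakeBasicAuth
        AuthType Basic
        AuthName "Certificate holders"
        AuthUserFile /etc/httpd/conf/fakebasic.htpasswd
        Require valid-user
    </Location>
</VirtualHost>

## 3. Alternative: drop FakeBasicAuth entirely. The handshake still requires a
##    trusted certificate; the HTTP layer authenticates with per-user passwords
##    (htpasswd -B), so the fixed "password" string no longer opens anything.
<VirtualHost _default_:8443>
    NSSEngine on
    NSSCertificateDatabase /etc/httpd/alias
    NSSNickname Server-Cert
    NSSVerifyClient require

    <Location /secure/>
        AuthType Basic
        AuthName "Certificate holders"
        AuthUserFile /etc/httpd/conf/real.htpasswd
        Require valid-user
    </Location>
</VirtualHost>
```

Apache does not allow a comment after a directive on the same line, which is why every comment above sits on its own line; keep that when copying fragments into nss.conf.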

🧯 If You Can't Patch

  • Restrict network access to the affected virtual host to the clients that legitimately hold certificates
  • Log whether a client certificate was presented next to the authenticated user (NSSOptions +StdEnvVars and '%{SSL_CLIENT_S_DN}e' beside '%u' in the LogFormat) and alert on successful requests that carry a user but no certificate subject; filtering on the word 'password' is useless, because every legitimate FakeBasicAuth login uses it too

🔍 How to Verify

Check if Vulnerable:

Check the installed version with 'rpm -q mod_nss' (or 'dpkg -l libapache2-mod-nss' on Debian-based systems); mod_nss is an Apache module and has no command-line binary of its own. Then look for the feature: 'grep -ri FakeBasicAuth /etc/httpd/conf /etc/httpd/conf.d'. A 1.0.8 install with '+FakeBasicAuth' enabled anywhere is vulnerable.

Check Version:

rpm -q mod_nss

Verify Fix Applied:

'rpm -q mod_nss' should report 1.0.9 or later. Then, from a client that has no client certificate, request a FakeBasicAuth-protected resource with a Basic Authorization header built from a listed user's DN and the password 'password': a fixed server must refuse it (401 or 403), or, if the virtual host now requires a certificate at the handshake, fail the TLS connection outright.
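The forged credential described under Exploit Status and the verification request above, as an added shell example that is not part of this page or of the mod_nss project. The target URL and DN are assumptions; use a DN that is actually listed in your AuthUserFile, and add '--cacert' if your server certificate comes from a private CA.

```sh
#!/bin/sh
# Added example; not from the page or the mod_nss project. URL and DN are
# assumptions for illustration.

# FakeBasicAuth's credential is base64("<client certificate subject DN>:password").
# The server normally builds it from the verified certificate; the 1.0.8 flaw is
# that a client may send the same credential itself, with no certificate at all.
fake_basic_credential() {
    printf '%s:password' "$1" | base64 | tr -d '\n'
}

# Send the forged credential over a TLS connection that presents no client
# certificate and return the HTTP status code. mod_nss 1.0.8 answers 200 for the
# protected resource; 1.0.9 and later refuse it (401/403), and a virtual host
# with NSSVerifyClient require fails the handshake before any request is sent
# (curl then reports 000).
probe_fakebasicauth_spoof() {
    url="$1"
    dn="$2"
    curl -sS -o /dev/null -w '%{http_code}' \
        -H "Authorization: Basic $(fake_basic_credential "$dn")" \
        "$url"
}

# Example run against a hypothetical host:
#   probe_fakebasicauth_spoof https://www.example.com:8443/secure/ 'CN=alice,O=Example Corp'
# Any 2xx or 3xx answer on a server you are responsible for means the fix is
# not in place.
```

Run the probe only against hosts you own or are authorized to test; a 200 from a production server is a confirmed bypass and should be handled as an incident, not just a finding.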

📡 Detection & Monitoring

Log Indicators:

  • Successful (2xx/3xx) requests to FakeBasicAuth-protected resources whose %u is set but for which no client certificate subject (SSL_CLIENT_S_DN) was recorded
  • The same DN appearing from client addresses that have never presented its certificate

Network Indicators:

  • TLS sessions to the protected virtual host that complete without a client certificate, followed immediately by authenticated requests
  • Many refused Basic attempts from one source cycling through DNs, followed by a success

SIEM Query (assumes the access log records %u as 'user' and %{SSL_CLIENT_S_DN}e as 'ssl_client_s_dn'):

source="httpd_access.log" AND user!="-" AND ssl_client_s_dn="-" AND status<400
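The detection logic behind that query, as an added shell example that is not part of this page or of the mod_nss project, run over a few constructed log lines. It assumes a custom LogFormat (shown in the comments) that records the verified certificate subject next to the authenticated user, which in turn needs NSSOptions +StdEnvVars so mod_nss exports SSL_CLIENT_S_DN; the log lines, addresses and DNs are made up.

```sh
#!/bin/sh
# Added example; not from the page or the mod_nss project. Assumes this
# (hypothetical) LogFormat in httpd.conf, with "NSSOptions +StdEnvVars" enabled
# so that SSL_CLIENT_S_DN is exported:
#
#   LogFormat "%h|%{SSL_CLIENT_S_DN}e|%u|%t|\"%r\"|%>s" fakebasic
#   CustomLog logs/fakebasic_log fakebasic
#
# Field 2 is the verified client-certificate subject ("-" when no certificate
# was presented); field 3 is the user Apache authenticated ("-" when none).
# Under FakeBasicAuth the user name is derived from the certificate, so a
# successful request with a user but no certificate subject can only come from
# a client-supplied Authorization header, i.e. the CVE-2011-4973 spoof.

# Print "client_ip|user" for every successful request that was authenticated
# without a client certificate. Reads the files given as arguments, or stdin.
find_spoofed_fakebasicauth() {
    awk -F'|' '$3 != "-" && $2 == "-" && $6 ~ /^[23]/ { print $1 "|" $3 }' "$@"
}

# Constructed sample log: a genuine certificate login, a spoof, an anonymous
# request, and a spoof attempt that was refused. The refused one is excluded by
# the status test on purpose: %u may be bogus on a 401, and a refusal means the
# server was already fixed.
sample_log() {
cat <<'EOF'
192.0.2.10|CN=alice,O=Example|CN=alice,O=Example|[10/Oct/2013:12:00:01 +0000]|"GET /secure/ HTTP/1.1"|200
198.51.100.7|-|CN=alice,O=Example|[10/Oct/2013:12:00:09 +0000]|"GET /secure/ HTTP/1.1"|200
198.51.100.7|-|-|[10/Oct/2013:12:00:10 +0000]|"GET /public/ HTTP/1.1"|200
203.0.113.5|-|CN=bob,O=Example|[10/Oct/2013:12:00:12 +0000]|"GET /secure/ HTTP/1.1"|401
EOF
}

# Against real logs: find_spoofed_fakebasicauth /var/log/httpd/fakebasic_log
# On the sample this prints the one spoofed login: 198.51.100.7|CN=alice,O=Example
sample_log | find_spoofed_fakebasicauth
```

The check is deliberately independent of the word 'password': every legitimate FakeBasicAuth login carries it too, so the only discriminating signal is the absence of a certificate subject on a request that Apache nevertheless authenticated.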

🔗 References

  • Red Hat Bugzilla 1017197 (CVE-2011-4973, mod_nss FakeBasicAuth authentication bypass): https://bugzilla.redhat.com/show_bug.cgi?id=1017197
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2011-4973
