WARNING: CRITICAL VULNERABILITY PATCHED IN APACHE HTTP SERVER 2.4.60, PATCH IMMEDIATELY!
Reference: Advisory #2024-102
Version: 1.0
Affected software: Apache HTTP Server >= 2.4.0 and < 2.4.60
Type: CWE-116 Improper Encoding or Escaping of Output
CVE/CVSS: CVE-2024-38475: CVSS 9.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
Date: 02/07/2024
Sources: https://httpd.apache.org/security/vulnerabilities_24.html
Risks
Apache HTTP Server is very commonly used software for hosting websites. All 2.4 versions of Apache HTTP Server prior to 2.4.60 are vulnerable to CVE-2024-38475. This is a low-complexity vulnerability: attackers can map URLs to filesystem locations that the server is permitted to serve, making those locations directly reachable by any URL. This can result in code execution or source code disclosure, with a high impact on confidentiality and integrity.
A web server such as Apache HTTP Server is, by its nature, very often directly exposed to the internet, which creates a very large attack surface for malicious actors willing to exploit this vulnerability. Therefore it is highly recommended to update your Apache HTTP Server as soon as possible to avoid any potential exploitation.
Along with CVE-2024-38475, Apache also patched seven other vulnerabilities in their 2.4.60 release of Apache HTTP Server.
Description
CVE-2024-38475 is caused by improper escaping of output in mod_rewrite, a module for Apache HTTP Server. mod_rewrite is a very frequently used regular-expression-based module that rewrites requested URLs on the fly.
Apache fixed this vulnerability in HTTP Server 2.4.60, but some unsafe RewriteRules will be broken by this change. All substitutions in server context that use a backreference or variable as the first segment of the substitution are affected by this update. If it is impossible to adjust the RewriteRule in another safe way, the rewrite flag "UnsafePrefixStat" can be used to opt back in, once the substitution has been appropriately constrained.
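As an added illustration of the rule shapes the advisory describes (this is not part of the CCB advisory or Apache's own documentation; the paths, patterns and file types are constructed), here are server-context RewriteRules whose substitution starts with a backreference or a variable, each beside a constrained form:

```apache
# Constructed example (not from the advisory or Apache's docs). Rules in
# server context: httpd.conf or a <VirtualHost>, not <Directory>/.htaccess.
RewriteEngine On

# Affected shape 1: the substitution's first segment is the backreference $1,
# so the beginning of the resulting path comes straight from the request.
RewriteRule "^/docs/(.*)$" "$1"

# Preferred fix: anchor the substitution with a literal, server-controlled
# prefix and restrict what the backreference may match.
RewriteRule "^/docs/([A-Za-z0-9_-]+\.html)$" "/var/www/docs/$1"

# Affected shape 2: the substitution starts with a variable. Such rules are
# also covered by the 2.4.60 change and may stop working after the update.
RewriteRule "^/files/(.*)$" "%{DOCUMENT_ROOT}/files/$1"

# If the variable prefix cannot be replaced by a literal, constrain the
# pattern first, then opt back in with the UnsafePrefixStat flag named in
# the advisory. Use this only when the rule cannot be made safe otherwise.
RewriteRule "^/files/([A-Za-z0-9_-]+\.pdf)$" "%{DOCUMENT_ROOT}/files/$1" [UnsafePrefixStat]
```

Auditing existing configuration for rules of the first two shapes is a practical way to find both what the update may break and where a request was previously able to steer the start of a filesystem path.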
Updating Apache HTTP Server to version 2.4.60 is highly recommended, since successful exploitation of this low-complexity vulnerability can result in code execution or source code disclosure.
Recommended Actions
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
Updating Apache HTTP Server to version 2.4.60 will fix CVE-2024-38475, along with seven other vulnerabilities.
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/en/cert/report-incident
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.