Priya Patel
TLDR:
- Apache HTTP Server has two vulnerabilities, CVE-2024-40725 and CVE-2024-40898, posing severe threats to organizations globally.
- PoC exploit codes are available for both vulnerabilities, making it easier for attackers to target vulnerable systems.
Apache’s HTTP Server is a critical component for hosting web applications worldwide. Recently, two significant vulnerabilities CVE-2024-40725 and CVE-2024-40898 have surfaced, raising alarms across industries. These vulnerabilities present a severe risk to organizations that rely on Apache HTTP Server especially the systems using versions 2.4.0 through 2.4.61. There are over 7.6 million instances exposed to potential attacks, experts have said. According to a recent report from CYFIRMA, while CVE-2024-40725 affects the mod_proxy module of the Apache HTTP Server, CVE-2024-40898 targets the mod_ssl module.
HTTP Request Smuggling attacks see an attacker send multiple crafted HTTP requests, which the server misinterprets due to its flawed handling of HTTP headers. The attacker exploits this misinterpretation to bypass security checks. In the case of CVE-2024-40725, the ProxyPass directive, when misconfigured, can make the server vulnerable to this type of attack. When the ProxyPass directive is enabled with specific URL rewrite rules, it can lead to HTTP Request Smuggling attacks. Attackers can exploit this vulnerability to gain unauthorized access to restricted parts of the server, disclose sensitive information, or hijack active user sessions. The CVE-2024-40898 vulnerability stems from improper SSL client authentication verification. If SSLVerifyClient is not configured correctly, attackers can bypass the SSL authentication mechanism.
The existence of PoC exploit codes for both vulnerabilities makes it easier for attackers to target organizations that have not yet applied the necessary patches or updated their configurations. These tools allow attackers to send specially crafted SSL requests to affected servers, which can lead to unauthorized access. There are already discussions about these vulnerabilities on Dark Web forums, where hackers are actively sharing technical details, targeting information, and exploits, signaling a growing interest in exploiting these vulnerabilities in the wild. These vulnerabilities present a high-level threat to organizations, making it imperative for system administrators to apply patch updates and review configurations immediately.
To mitigate the risks, the first and most crucial step is to apply the latest patch by updating the Apache HTTP Server to version 2.4.62 or later. This update addresses both vulnerabilities, providing essential fixes to prevent exploitation. Additionally, a thorough review of server configurations is necessary, particularly within the mod_proxy and mod_ssl modules. Ensuring that the ProxyPass directive and URL rewrite configurations are securely set up will minimize the risk of HTTP Request Smuggling, while properly configuring SSLVerifyClient will prevent authentication bypass attacks. By deploying a Web Application Firewall (WAF), organizations can filter malicious HTTP and SSL traffic, providing an extra layer of protection against attack attempts.
