mod_auth_openidc is a popular authentication and authorization module for the Apache 2.x HTTP server. It implements OpenID Connect Relying Party functionality, which allows users to use their existing OpenID credentials to authenticate and access resources on an Apache-powered website. Recently, a NULL pointer dereference vulnerability has been discovered in versions ranging from 2.. to 2.4.13.1. Attackers can exploit this vulnerability to launch Denial-of-Service (DoS) attacks, threatening the availability of the affected web services. This blog post will provide details about the vulnerability, its impact, and the necessary measures to mitigate the risk.

Vulnerability Details

The vulnerability (CVE-2023-28625) is related to the OIDCStripCookies directive in the mod_auth_openidc module. When this directive is set to any value, and an attacker submits a crafted cookie, the module processes the crafted input and encounters a NULL pointer dereference. Consequently, the Apache server experiences a segmentation fault and crashes, leading to a denial-of-service condition.

Here is an example of how the configuration looks with OIDCStripCookies set:

LoadModule auth_openidc_module modules/mod_auth_openidc.so
OIDCProviderMetadataURL https://provider.example.com/.well-known/openid-configuration
OIDCClientID yourclientid
OIDCClientSecret yourclientsecret
OIDCRedirectURI https://your.site/secure/redirect
OIDCStripCookies stripcookie
<Location /secure>
  AuthType openid-connect
  Require valid-user
</Location>

With OIDCStripCookies set as in the snippet above, bad actors can craft a cookie and plant it in an unsuspecting user's browser, or send requests carrying the malicious cookie directly to the server. Either path can bring down the server and disrupt service availability.

Original References

- CVE page: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28625
- Mod_auth_openidc release notes: https://github.com/zmartzone/mod_auth_openidc/releases
- Pull Request addressing the issue: https://github.com/zmartzone/mod_auth_openidc/pull/667

Exploit Details

Currently, there are no public exploits available for this vulnerability. Nevertheless, threat actors might develop their own exploits based on the disclosed information, so it is highly recommended to address the vulnerability as soon as possible.

Mitigation and Patch

The mod_auth_openidc project has released version 2.4.13.2, which contains a patch for this vulnerability. It is highly recommended to upgrade to this version if you are running any version between 2.. and 2.4.13.1.

- https://github.com/zmartzone/mod_auth_openidc/releases/tag/v2.4.13.2

As an immediate workaround, avoid setting the OIDCStripCookies directive in your configuration until you can update the module. This action will prevent the vulnerability from being exploited, even though it may render cookies available in JavaScript, making them potentially vulnerable to Cross-Site Scripting (XSS) attacks.
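To make the two checks above actionable (is OIDCStripCookies active in the configuration, and is the installed module below the fixed 2.4.13.2 release?), here is a small audit helper. It is an added example written for this post and is not code from the mod_auth_openidc project; the sample configuration text is constructed inline, and the version parsing assumes plain dotted numeric versions such as "2.4.13.1".

```python
"""Audit helper for CVE-2023-28625 (added example, not mod_auth_openidc code).

It answers two defender-side questions:
1. does an Apache config contain an active OIDCStripCookies directive
   (the trigger condition named in the advisory), and
2. is a mod_auth_openidc version string below the fixed 2.4.13.2?
"""
import re
from typing import List, Tuple

FIXED_VERSION = "2.4.13.2"  # first release containing the fix, per the advisory

# Constructed sample config mirroring the one in the post, plus a commented-out
# copy of the directive that a naive grep would wrongly count as a hit.
SAMPLE_CONFIG = """\
LoadModule auth_openidc_module modules/mod_auth_openidc.so
OIDCProviderMetadataURL https://provider.example.com/.well-known/openid-configuration
OIDCClientID yourclientid
OIDCClientSecret yourclientsecret
OIDCRedirectURI https://your.site/secure/redirect
# OIDCStripCookies disabled-example
  OIDCStripCookies stripcookie
<Location /secure>
  AuthType openid-connect
  Require valid-user
</Location>
"""

# Apache directive names are case-insensitive; \b stops "OIDCStripCookiesX" matching.
_DIRECTIVE = re.compile(r"^\s*OIDCStripCookies\b(.*)$", re.IGNORECASE)


def strip_cookie_directives(config_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, argument) for every active OIDCStripCookies line.

    Lines whose first non-blank character is '#' are Apache comments and skipped.
    """
    hits = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if m:
            hits.append((lineno, m.group(1).strip()))
    return hits


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn "2.4.13.1" (or "v2.4.13.1") into (2, 4, 13, 1); ValueError otherwise."""
    parts = version.strip().lstrip("v").split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts)


def version_is_fixed(version: str) -> bool:
    """True when the installed module is at or above the fixed release.

    Tuples compare element-wise and a shorter tuple sorts first, so
    (2, 4, 13) < (2, 4, 13, 2) and "2.4.13" is correctly reported as unfixed.
    """
    return parse_version(version) >= parse_version(FIXED_VERSION)


def assess(config_text: str, installed_version: str) -> str:
    """Summarise exposure. An unfixed version with the directive active is the
    combination the advisory describes as exploitable."""
    if version_is_fixed(installed_version):
        return "patched"
    if strip_cookie_directives(config_text):
        return "exposed"
    return "unfixed-but-directive-unset"


if __name__ == "__main__":
    for lineno, arg in strip_cookie_directives(SAMPLE_CONFIG):
        print(f"line {lineno}: OIDCStripCookies {arg}")
    for v in ("2.4.13.1", "2.4.13.2", "2.4.14"):
        print(v, assess(SAMPLE_CONFIG, v))
```

Run it against your real configuration by reading the file into `assess()` together with the version reported by your package manager; "exposed" means both conditions from the post hold, while "unfixed-but-directive-unset" corresponds to the temporary workaround state and should still be followed by the upgrade.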

Conclusion

CVE-2023-28625 is a critical vulnerability that can cause service unavailability in web systems using the affected mod_auth_openidc Apache module. To ensure your systems' security and stability, follow the mitigation steps provided above: upgrade the module to the latest version (2.4.13.2) or avoid using OIDCStripCookies if you cannot update immediately. Always keep monitoring for new updates and disclosures to protect your digital assets from emerging threats.

Timeline

Published on: 04/03/2023 14:15:00 UTC
Last modified on: 04/30/2023 23:15:00 UTC