The open-source software project Apache HTTP Server, also known as the Apache server, is one of the most widely used web servers across the globe. As with all software, it is essential for maintainers to identify and remediate vulnerabilities to ensure the security of the product.

One such vulnerability, identified as CVE-2024-38472, has been discovered in Apache HTTP Server versions running on Windows operating systems. This post will examine the details of the vulnerability, including an explanation of the exploit, code snippets involved, and links to relevant original references. Furthermore, this article will provide recommendations on how users can protect themselves from this vulnerability.

Vulnerability Description

CVE-2024-38472 is a Server-Side Request Forgery (SSRF) issue in Apache HTTP Server running on Windows. It allows an attacker to send crafted malicious requests, or to host malicious content on a remote server, and thereby leak sensitive information such as NTLM (Windows NT LAN Manager) hashes. These NTLM hashes, typically used for authentication purposes, can then be used by the attacker to gain unauthorized access to the affected server.

Exploit Details

The SSRF vulnerability CVE-2024-38472 can be exploited through malicious requests or content that contain UNC paths (Uniform Naming Convention, a convention used to specify file servers and paths in Windows environments). Such a request would contain a UNC path pointing to the malicious server.

When Apache HTTP Server running on Windows receives a request containing this UNC path, it attempts to access the file or resource specified in the path. While doing so, the server inadvertently sends NTLM hashes to the malicious server, leaking sensitive information and potentially compromising the security of the Apache host.

For example, an attacker might craft a malicious GET request similar to the following code snippet:

GET /vulnerable-page HTTP/1.1
Host: example.com
Authorization: NTLM TlRMTVNTUAADAAAAGAAYAHgAAAAYABgAiAAAAAYABgCYAAAADAAwAEAAAAYABgAlgAAABgAGABKAAAASABIAFgAAABMATABMQU4ARwBJAFQASQBJAFcAAAAAAAAAAAEFRgAAAAAA

This malicious request would send the NTLM hash in the Authorization header to the targeted server. Once the malicious server receives the NTLM hashes, the attacker could use tools like Hashcat or John the Ripper to crack the hashes, potentially gaining unauthorized access to the vulnerable system.

Mitigation

The Apache HTTP Server team has patched this vulnerability in version 2.4.60. Users are advised to upgrade their installations to this latest version to protect their systems from this SSRF vulnerability. The patched version introduces a new configuration directive called "UNCList," which enables administrators to explicitly whitelist allowed UNC paths during request processing. This directive strengthens the security of Apache HTTP Server running on Windows by preventing unauthorized access to NTLM hashes.
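
An added example, not code from the original post or from the Apache project: a Python check that reports which UNC hosts a configuration file references and flags any that no UNCList line names, which is useful when planning the upgrade to 2.4.60. Per the Apache core documentation, UNCList takes host names; the sample configuration, its host names, the function name audit_unc_hosts and the case-insensitive host comparison are assumptions made for this example.

```python
import re

# Constructed sample httpd.conf (host names are placeholders, not from the post).
SAMPLE_CONF = r'''
ServerRoot "C:/Apache24"
# UNCList legacy.example.internal
UNCList files01.example.internal
DocumentRoot "//files01.example.internal/www/site"
Alias /reports "\\reports02.example.internal\export"
<Directory "//FILES01.example.internal/www/site">
    Require all granted
</Directory>
Alias /static "C:/Apache24/static"
'''

# UNC prefix: two slashes or backslashes, then a host name. The lookbehind
# keeps URL schemes such as http://host/ from being counted as UNC paths.
UNC_RE = re.compile(r'(?<![:\w/\\])(?:\\\\|//)([A-Za-z0-9._-]+)[\\/]')


def audit_unc_hosts(conf_text):
    """Return (allowed, findings). allowed is the set of hosts named by
    UNCList; findings are (line_no, directive, host) tuples for UNC hosts
    the configuration references without listing them."""
    allowed, seen = set(), []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):   # httpd comments are whole lines
            continue
        parts = line.lstrip('<').split()
        if not parts:
            continue
        directive = parts[0]
        if directive.lower() == 'unclist':     # directive names are case-insensitive
            allowed.update(h.strip('"').lower() for h in parts[1:])
            continue
        for match in UNC_RE.finditer(line):
            seen.append((line_no, directive, match.group(1).lower()))
    # Assumption: host names are compared case-insensitively.
    return allowed, [f for f in seen if f[2] not in allowed]


if __name__ == '__main__':
    allowed, findings = audit_unc_hosts(SAMPLE_CONF)
    print('UNCList hosts:', sorted(allowed))
    for line_no, directive, host in findings:
        print(f'line {line_no}: {directive} references {host}, not in UNCList')
```

Each finding is a UNC host that either needs an explicit UNCList entry or should be removed from the configuration; the check does not follow Include files or backslash line continuations.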

Original References

1. CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38472
2. Apache HTTP Server Official Site: https://httpd.apache.org/
3. Apache HTTP Server 2.4.60 Changelog: https://httpd.apache.org/docs/2.4/changelog.html#v2.4.60
4. Apache HTTP Server Documentation on UNCList: https://httpd.apache.org/docs/2.4/en/mod/core.html#unclist

Conclusion

It is essential for administrators and users of Apache HTTP Server running on Windows to be aware of this SSRF vulnerability, identified as CVE-2024-38472. By upgrading their software to version 2.4.60, taking advantage of the newly introduced configuration directive "UNCList," and whitelisting authorized UNC paths, users can better protect their systems from leaking sensitive NTLM hash information and shield themselves from potential unauthorized access.

Timeline

Published on: 07/01/2024 19:15:04 UTC
Last modified on: 07/12/2024 14:15:15 UTC