A critical security vulnerability - CVE-2024-38474 - has been found in the mod_rewrite module of Apache HTTP Server 2.4.59 and earlier. It is a substitution encoding issue: when a RewriteRule expands captured request text into its target, a percent-encoded question mark (%3F) in the request is decoded and then treated as the start of a query string. An attacker can use this to execute scripts in directories that the configuration permits but that are not directly reachable by any URL, or to obtain the source of scripts meant only to be executed as CGI.

The example below shows the shape of a vulnerable RewriteRule (the paths are illustrative). The captured part of the request, $1, is expanded into the target path:

RewriteEngine on
RewriteRule "^/api/(.*)$" "/cgi-bin/$1.pl" [L]

The administrator intends this rule to run only /cgi-bin/<name>.pl scripts. Because the request path is percent-decoded before the pattern is matched, a request for /api/admin.cgi%3F makes $1 equal to admin.cgi?, and the expanded target /cgi-bin/admin.cgi?.pl is split at the question mark: the server executes /cgi-bin/admin.cgi with the query string .pl. The .pl suffix the rule was supposed to enforce is gone, so within the directories the configuration permits, the attacker chooses which file is executed.

Here are the official resources for more information about the vulnerability and its impact:

1. Apache HTTP Server 2.4.60 Changelog: https://httpd.apache.org/docs/trunk/changelog-2.4.html
2. ASF Security Advisory: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2024-38474
3. Apache HTTP Server Documentation: https://httpd.apache.org/docs/2.4/mod/mod_rewrite.html

Exploit Details

An attacker exploits the issue by sending a request whose captured portion contains %3F. The server decodes it to a literal question mark before the pattern is matched, the back-reference carries the question mark into the substitution, and mod_rewrite then treats everything after it as the query string rather than as part of the target path. The attacker thereby controls where the rewritten path ends and can point the rule at a file other than the one the administrator intended: a script in a directory reachable only through the rule, or a CGI script whose source is disclosed instead of being executed. The precise impact depends on the rule and on what the configuration permits.
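To make the mechanism concrete, here is an added example (not code from the advisory or from httpd itself): a simplified Python model of how mod_rewrite decodes the request, expands back-references and splits the result at the first question mark. The rule, the paths and the patched/unpatched switch are assumptions for illustration; the real module also handles RewriteCond %N references, the QSA and NE flags and other details that this model leaves out.

```python
import re
from urllib.parse import quote, unquote

# Added example: a simplified model of a RewriteRule substitution, not httpd code.
#   1. the request path is percent-decoded before the pattern is matched,
#   2. $N back-references are expanded into the substitution string,
#   3. the expanded string is split at the first '?' into path and query string.
# Before 2.4.60 step 3 honours a '?' that arrived inside a back-reference.
# 2.4.60 and later refuse the rewrite (403) in that case unless the rule
# carries the UnsafeAllow3F flag.


class RewriteRefused(Exception):
    """Raised where 2.4.60+ would answer 403 instead of rewriting."""


def rewrite(pattern, substitution, request_uri, flags=(), patched=True):
    """Return (path, query) the rule produces, or None if the pattern does not match."""
    decoded = unquote(request_uri)          # %3F becomes a literal '?'
    m = re.search(pattern, decoded)
    if m is None:
        return None

    unsafe = False

    def expand(ref):
        nonlocal unsafe
        value = m.group(int(ref.group(1)))
        if 'B' in flags:                     # [B] re-escapes non-alphanumerics in back-references
            return quote(value, safe='')
        if '?' in value:                     # the case CVE-2024-38474 is about
            unsafe = True
        return value

    expanded = re.sub(r'\$([1-9])', expand, substitution)
    if patched and unsafe and 'UnsafeAllow3F' not in flags:
        raise RewriteRefused('back-reference introduced "?" into the rewritten URL')
    path, _, query = expanded.partition('?')  # mod_rewrite splits off the query string here
    return path, query


def is_refused(pattern, substitution, request_uri, flags=()):
    """True if a patched (2.4.60+) server would refuse this request under the rule."""
    try:
        rewrite(pattern, substitution, request_uri, flags, patched=True)
    except RewriteRefused:
        return True
    return False


if __name__ == '__main__':
    # Assumed rule for illustration: serve /api/<name> through /cgi-bin/<name>.pl
    rule = (r'^/api/(.*)$', '/cgi-bin/$1.pl')
    print('normal request        ', rewrite(*rule, '/api/report'))
    print('2.4.59, %3F in request', rewrite(*rule, '/api/admin.cgi%3F', patched=False))
    print('2.4.60, %3F in request',
          'refused (403)' if is_refused(*rule, '/api/admin.cgi%3F') else 'allowed')
    print('2.4.60 with [B]       ', rewrite(*rule, '/api/admin.cgi%3F', flags=('B',)))
```

Run it and compare the four lines: on the unpatched model the %3F request yields the path /cgi-bin/admin.cgi with .pl pushed into the query string, the patched model refuses the same request, and with the B flag the question mark is re-escaped so the intended suffix survives.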

To protect your Apache HTTP Server, follow the steps below:

1. Upgrade to Apache HTTP Server version 2.4.60, which fixes the vulnerability. You can download it from the official website: https://httpd.apache.org/download.cgi
2. As an additional measure, review your configuration and make sure that directories reachable only through RewriteRules, such as CGI directories, also carry their own access controls, so that a rewrite bypass does not expose them directly.
3. Review your RewriteRules. On 2.4.60 and later, any RewriteRule that expands captured request text into its target fails (the request is refused with a 403) whenever that text decodes to a question mark, unless the rewrite flag "UnsafeAllow3F" is specified:

RewriteEngine on
RewriteRule "^/api/(.*)$" "/cgi-bin/$1.pl" [L,UnsafeAllow3F]

Adding "UnsafeAllow3F" restores the pre-2.4.60 behaviour and is not recommended, because the rule is then exploitable exactly as before. Redesign such rules instead: restrict the capture to the characters you actually expect, for example ^/api/([A-Za-z0-9_-]+)$, or add the "B" flag so that non-alphanumeric characters in back-references are percent-escaped and a decoded question mark is written back as %3F before the substitution is applied. Note that "B" also escapes slashes, so it suits captures of a single path segment.
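As an added example of the review in step 3 (again not the advisory's or the project's own code), the following Python script scans a configuration for RewriteRule directives whose substitution expands a $N back-reference and reports which ones would be refused on 2.4.60, which ones rely on UnsafeAllow3F, and which are already safe because of the B flag or a restricted capture class. The sample configuration is constructed, and the capture-class check is a heuristic that only recognises simple, non-negated bracket classes.

```python
import re
from dataclasses import dataclass

# Added example, not the advisory's or httpd's code: flag RewriteRule directives
# that expand captured request text ($1..$9) into their target.  Those rules are
# refused (403) on 2.4.60+ when the captured text decodes to '?', unless they
# carry UnsafeAllow3F, and are the rules CVE-2024-38474 is about on <= 2.4.59.
# %N back-references from RewriteCond deserve the same review but are not
# handled here.

# Constructed sample configuration, not from a real site.
SAMPLE_CONFIG = """\
RewriteEngine on
RewriteRule "^/api/(.*)$" "/cgi-bin/$1.pl" [L]
RewriteRule "^/api/(.*)$" "/cgi-bin/$1.pl" [L,UnsafeAllow3F]
RewriteRule "^/api/(.*)$" "/cgi-bin/$1.pl" [B,L]
RewriteRule "^/api/([A-Za-z0-9_-]+)$" "/cgi-bin/$1.pl" [L]
RewriteRule "^/old/page$" "/new/page" [R=301,L]
"""

TOKEN_RE = re.compile(r'"[^"]*"|\'[^\']*\'|\S+')          # directive arguments, quoted or bare
BACKREF_RE = re.compile(r'(?<!\\)\$[1-9]')                 # $1..$9 in the substitution
GROUP_RE = re.compile(r'(?<!\\)\(((?:[^()\\]|\\.)*)\)')    # non-nested (...) groups in the pattern
# a capture such as [A-Za-z0-9_-]+ : a plain (non-negated) bracket class with a quantifier
SAFE_CLASS_RE = re.compile(r'\[[^\]^][^\]]*\][+*]?(\{\d*,?\d*\})?')


@dataclass
class Finding:
    line_no: int
    verdict: str   # 'unsafe', 'review' or 'ok'
    reason: str


def parse_rule(line):
    """Return (pattern, substitution, flags) for a RewriteRule line, else None."""
    m = re.match(r'\s*RewriteRule\s+(.*)', line, re.IGNORECASE)
    if m is None:
        return None
    args = [t.strip('"\'') for t in TOKEN_RE.findall(m.group(1))]
    if len(args) < 2:
        return None
    flags = set()
    if len(args) > 2 and args[2].startswith('['):
        flags = {f.split('=')[0].strip() for f in args[2].strip('[]').split(',')}
    return args[0], args[1], flags


def capture_can_contain_qmark(pattern):
    """Heuristic: True unless every capture is a bracket class that does not list '?'."""
    groups = [g for g in GROUP_RE.findall(pattern) if not g.startswith('?')]
    return any(SAFE_CLASS_RE.fullmatch(g) is None or '?' in g for g in groups)


def audit(config_text):
    """Classify every RewriteRule in the configuration text."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), 1):
        parsed = parse_rule(line)
        if parsed is None:
            continue
        pattern, substitution, flags = parsed
        if not BACKREF_RE.search(substitution):
            verdict, reason = 'ok', 'no back-reference in the substitution'
        elif 'B' in flags:
            verdict, reason = 'ok', '[B] percent-escapes back-references, so a decoded ? stays %3F'
        elif 'UnsafeAllow3F' in flags:
            verdict, reason = 'review', 'UnsafeAllow3F restores the pre-2.4.60 behaviour; justify or remove'
        elif not capture_can_contain_qmark(pattern):
            verdict, reason = 'ok', 'captures are restricted classes that cannot match ?'
        else:
            verdict, reason = 'unsafe', ('captured request text is expanded into the target: '
                                         'a %3F truncates the path on <= 2.4.59, 403 on 2.4.60+')
        findings.append(Finding(line_no, verdict, reason))
    return findings


if __name__ == '__main__':
    for f in audit(SAMPLE_CONFIG):
        print(f'line {f.line_no}: {f.verdict:<6} {f.reason}')
```

Point audit() at the text of your httpd.conf and included files; every 'unsafe' line is one that needs a narrower capture or the B flag before the upgrade to 2.4.60 turns it into 403 responses, and every 'review' line documents where someone has opted back into the vulnerable behaviour.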

In conclusion, CVE-2024-38474 in the mod_rewrite module of Apache HTTP Server 2.4.59 and earlier is a critical issue that demands prompt action: upgrade to 2.4.60 and review every RewriteRule that expands captured request text into its target. For detailed information, consult the official Apache resources listed above.

Timeline

Published on: 07/01/2024 19:15:04 UTC
Last modified on: 08/21/2024 15:03:30 UTC