Apache's HTTP Server is a critical component for hosting web applications worldwide. Recently, two significant vulnerabilities CVE-2024-40725 and CVE-2024-40898 have surfaced, raising alarms across industries.
These vulnerabilities present a severe risk to organizations that rely on Apache HTTP Server especially the systems using versions 2.4.0 through 2.4.61. There are over 7.6 million instances exposed to potential attacks, experts have said.
According to a recent report from CYFIRMA, while CVE-2024-40725 affects the mod_proxy module of the Apache HTTP Server, CVE-2024-40898 targets the mod_ssl module.
HTTP request smuggling & SSL authentication bypass
HTTP Request Smuggling attacks see an attacker send multiple crafted HTTP requests, which the server misinterprets due to its flawed handling of HTTP headers. The attacker exploits this misinterpretation to bypass security checks. In the case of CVE-2024-40725, the ProxyPass directive, when misconfigured, can make the server vulnerable to this type of attack.
When the ProxyPass directive is enabled with specific URL rewrite rules, it can lead to HTTP Request Smuggling attacks. Attackers can exploit this vulnerability to gain unauthorized access to restricted parts of the server, disclose sensitive information, or hijack active user sessions.
The CVE-2024-40898 vulnerability stems from improper SSL client authentication verification. If SSLVerifyClient is not configured correctly, attackers can bypass the SSL authentication mechanism. This allows them to access sensitive systems without requiring a valid client certificate thereby compromising the security posture of affected organizations.
The existence of PoC exploit codes for both vulnerabilities makes it easier for attackers to target organizations that have not yet applied the necessary patches or updated their configurations. These tools allow attackers to send specially crafted SSL requests to affected servers, which can lead to unauthorized access.
There are already discussions about these vulnerabilities on Dark Web forums, where hackers are actively sharing technical details, targeting information, and exploits, signalling a growing interest in exploiting these vulnerabilities in the wild. These discussions indicate that IP addresses of vulnerable systems are actively being circulated, heightening the urgency for prompt action.
These vulnerabilities present a high-level threat to organizations, making it imperative for system administrators to apply patch updates and review configurations immediately. Without proper mitigation, affected servers could become targets for exploitation, compromising both sensitive information and the integrity of critical systems.
To mitigate the risks, the first and most crucial step is to apply the latest patch by updating the Apache HTTP Server to version 2.4.62 or later. This update addresses both vulnerabilities, providing essential fixes to prevent exploitation.
Additionally, a thorough review of server configurations is necessary, particularly within the mod_proxy and mod_ssl modules. Ensuring that the ProxyPass directive and URL rewrite configurations are securely set up will minimize the risk of HTTP Request Smuggling, while properly configuring SSLVerifyClient will prevent authentication bypass attacks.
By deploying a Web Application Firewall (WAF), organizations can filter malicious HTTP and SSL traffic, providing an extra layer of protection against attack attempts. Moreover, conducting regular security assessments, including vulnerability scans, helps proactively identify and address any configuration issues or new vulnerabilities.
Organizations in sectors such as finance, healthcare, government, retail, and technology are particularly vulnerable due to the sensitive data they handle. Geographically, regions such as the United States, Germany, India, the Netherlands, and the United Kingdom are considered high-risk areas, given the widespread use of Apache HTTP Server in these locations.
More from TechRadar Pro
- These are the best firewalls around today
- This new keylogger uses Microsoft PowerShell scripts to quietly steal sensitive information
- Take a look at the best business VPNs