Apache HTTP Server: Vulnerability CVE-2023-25690 closed after PoC
by Tina Siering
Vulnerability CVE-2023-25690 fixed
The Apache Foundation announced in early March 2023 that it has fixed security vulnerability CVE-2023-25690 in Apache HTTP Server 2.4.56. The implemented fix prevents control characters from being included in a proxy request. This vulnerability had a CVSS score of 9.8 because it had the potential to bypass access controls. Before a security researcher published a proof of concept on 21 May 2023, the issue appeared to go largely unnoticed.
Problem description
Certain configurations of mod_proxy in Apache HTTP Server versions 2.4.0 through 2.4.55 can be exploited for an "HTTP Request Smuggling" attack.
How an HTTP request smuggling attack works
HTTP Request Smuggling is a sophisticated attack method that exploits inconsistencies in the processing of HTTP requests by different web infrastructure components. Attackers use this technique to manipulate the interpretation of requests, bypass security measures, inject payloads undetected and for potential access to sensitive data or even remote command execution.
This vulnerability occurs when mod_proxy is enabled along with RewriteRule or ProxyPassMatch, where a non-specific pattern matches part of the user-supplied request target data (URL) and is then inserted into the proxy request target using variable substitution.
The proof of concept showed how this vulnerability in the Apache HTTP Server can be exploited for header injection and request smuggling attacks against a vulnerable application. To be affected by this vulnerability, however, several conditions must be met:
- The Apache server configuration must contain a RewriteRule that copies data into the query string of a proxy URL.
(Possible scenario: RewriteEngine on RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?param=$1"; [P]. As a result, request splitting or smuggling may occur, leading to circumvention of access controls on the proxy server, unintended forwarding of URLs to existing source servers, and cache poisoning). - The application must consider the proxy as a significant security boundary.
- The application must be using a vulnerable version of the Apache HTTP Server (2.4.55 or earlier).
Data flow PoC attack / source: GitHub
Recommended action
Users are advised to upgrade to version 2.4.56 (or later) of Apache HTTP Server.
Further information:
https://nvd.nist.gov/vuln/detail/CVE-2023-25690
Need help upgrading your IT security for 2023? Contact us!
Related articles
For several days now, there has been a strong accumulation of successful compromises by the "QakBot" malware (also known as "QBot" and "QuackBot") worldwide. We have also already identified successful attacks as part of our ACD monitoring. After infection, criminals can gain access to online banking accounts, leak user data, and reload further malware. As one measure to mitigate the risk, we urgently recommend adjustments to the Group Policy Objects (GPO).
Cybercriminals are true masters at constantly adapting their attack mechanisms to effective IT security measures. New tools and iterative changes to existing malware are used to mercilessly exploit security vulnerabilities. Among the numerous threats, ransomware stands out as one of the biggest. More and more companies have to face extortion Trojans. A completely new threat called LockFile now relies on intermittent encryption. LockFile not only encrypts much faster than previous ransomware, but also bypasses security solutions that work reliably. This article shows why criminals are increasingly relying on intermittent encryption and how companies should react to the new threat.
Read more … New ransomware trend: Why criminals increasingly rely on intermittent encryption
Due to the war in Ukraine, secion provides an assessment of the threat situation for companies and examines the question of whether increased Russian attacks on companies in Germany, Austria and Switzerland can be identified. There is currently no evidence of an acute increase in the threat posed by Russian state actors in Western Europe, but there is increased public awareness of these cyberattacks. In addition, "third-party actors" are creating a new dynamic.