Developers: | Apache Software Foundation (ASF) |
Last Release Date: | 2023/01/20 |
Technology: | Server platforms |
2024
Apache web server has a critical vulnerability. FSTEC recommends taking action
In early September, FSTEC sent a warning about the Apache project fixing a dangerous vulnerability, BDU:2024-06593[1], which allows a remote attacker to execute arbitrary code. Under the CVSSv3 classification the vulnerability is rated critical: 9.8 out of 10. On July 17, the vendor released[2] fixes[3] in version 2.4.62, which also closed this critical vulnerability.
It was discovered by two researchers from DBAPPSecurity Ltd. and made public on July 9 this year. The vulnerability is present in Apache versions 2.4.60 and 2.4.61 and stems from an incorrect implementation of mod_rewrite in Apache HTTP Server on Windows. The flaw lets an attacker cause NTLM hashes to leak to a server under his control by forging requests that originate from the web server (an SSRF attack).
Today there are 66,499 Apache servers in Russia, according to Shodan, - Albert Antonov, head of the OSINT group at the SOC CyberART cyber threat response center of Innostage, told TAdviser readers. - There is currently no public tool (exploit) for automated use of this vulnerability. This gives users time to upgrade.
However, it is not clear how many of the almost 66.5 thousand Apache servers located in Russia run on Windows. Web servers mostly run on Linux, for which this vulnerability is not relevant.
The main products here are Nginx, IIS and, in fact, Apache, - Anton Kvardakov, deputy head of the technical protection department for confidential information at Cloud Networks, told TAdviser. - Since IIS is a Microsoft product, it is also being abandoned in the Russian market and replaced with the leaders, Nginx and Apache. With this in mind, more and more systems will be exposed to this vulnerability. The ability to execute arbitrary code violates all security criteria (confidentiality, integrity, availability), and can also lead to the spread of malicious code to users' computers.
FSTEC recommends that vulnerable versions be promptly updated by installing the fixes provided by the developer. If, for some reason, this cannot be done quickly, it is recommended to at least take the following measures:
- Use a web application firewall (WAF) to limit remote access and exploitation of the vulnerability.
- Use virtual private networks (VPN) to organize remote access to vulnerable servers.
Exploitation of the BDU:2024-06593 vulnerability can lead to potential control over the server and possible compromise of data by third parties, - Igor Bederov, head of the investigation department at T.Hunter and market expert at NTI SafeNet, told TAdviser. - Taking into account the risks of third parties or organizations using undocumented Apache capabilities, as well as the possibility of backdoors being implanted, it is recommended to use additional protection measures, such as firewalls and VPNs.
However, a web server is usually exposed to the open Internet and must be accessible to everyone, so protecting it with a firewall is difficult. It may be possible to filter attempts to exploit this vulnerability with a WAF, but with an SSRF attack you need to filter not only incoming requests but also the server's own outbound traffic to stop NTLM hash leaks. So the best solution is still to install the updates that do not contain this vulnerability as quickly as possible.
FSTEC warned of a vulnerability that "kills" websites
On April 8, FSTEC sent a warning about a vulnerability, BDU:2024-02653[4], in the implementation of the HTTP/2 protocol in the Apache HTTP Server web server, which allows a special sequence of packets to disable the web server, that is, to perform a DoS attack on a vulnerable server and make it inaccessible. However, according to the US CERT Coordination Center (CERT/CC), quite a few HTTP/2 server implementations are subject to the same vulnerability[5]: Apache Tomcat, Apache Traffic Server, Envoy proxy, Golang, the h2 Rust crate, nghttp2, amphp/http, Node.js and Tempesta.
The vulnerability is essentially architectural. The HTTP/2 protocol allows the header block of a request to be split across several frames (the so-called CONTINUATION frames), the last of which must carry the END_HEADERS flag. This lets an attacker send an endless series of frames without the final flag, all of which the server must process. Eventually the server's resources for processing them are exhausted and the server fails. The attack was named CONTINUATION Flood. It does not require a large data stream to disable the server, so the distributed resources used in DDoS attacks are not needed.
The vulnerability was discovered by researcher Bartek Nowotarski, who reported it to CERT/CC on January 25. Only in early April was the vulnerability officially disclosed, and some web server manufacturers promptly released patches for it. While foreign developers had enough time to develop and test them, since CERT usually contacts the manufacturers of the affected products when it receives information about a vulnerability, Russian developers most likely did not have such an opportunity.
The Apache project, in particular, promptly released[6] fixes for this flaw: version 2.4.59 should withstand such an attack. Other manufacturers are also likely to fix the vulnerability in the near future. If there are no fixes, FSTEC recommends using intrusion detection and prevention systems that can interrupt a CONTINUATION Flood attack (WAF products should have this functionality), as well as limiting the use of the HTTP/2 protocol, that is, temporarily switching to the older HTTP/1.1 until the vulnerability is fixed. However, it is highly likely that web servers built into hardware devices cannot be quickly updated or reconfigured, which could lead to their failure.
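As an added illustration of the detection logic an IDS or a patched server applies to the CONTINUATION Flood described above (this is example code written for this page, not part of the Apache project or of any cited product), the following Python parses raw HTTP/2 frames and flags a header block that keeps growing without END_HEADERS beyond a configured limit. The frame layout and the HEADERS/CONTINUATION type and END_HEADERS flag values are the standard ones from the HTTP/2 specification; the limits and the sample capture are assumptions constructed for the example.

```python
import struct

# Standard HTTP/2 frame type and flag values (RFC 9113).
HEADERS, CONTINUATION = 0x1, 0x9
END_HEADERS = 0x4

def parse_frames(data):
    """Split a raw HTTP/2 byte stream into (type, flags, stream_id, payload) tuples.
    Frame header: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    frames, pos = [], 0
    while pos + 9 <= len(data):
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype, flags = data[pos + 3], data[pos + 4]
        stream_id = struct.unpack("!I", data[pos + 5:pos + 9])[0] & 0x7FFFFFFF
        frames.append((ftype, flags, stream_id, data[pos + 9:pos + 9 + length]))
        pos += 9 + length
    return frames

def check_header_blocks(data, max_cont_frames=8, max_header_bytes=16384):
    """Report streams whose header block never terminates within the limits.
    Simplified: PADDED/PRIORITY flag handling and frame interleaving rules are ignored."""
    open_blocks = {}  # stream_id -> [continuation_count, header_bytes]
    alerts = []
    for ftype, flags, sid, payload in parse_frames(data):
        if ftype == HEADERS:
            open_blocks[sid] = [0, len(payload)]
        elif ftype == CONTINUATION:
            if sid not in open_blocks:
                alerts.append((sid, "CONTINUATION without preceding HEADERS"))
                continue
            open_blocks[sid][0] += 1
            open_blocks[sid][1] += len(payload)
        else:
            continue
        count, nbytes = open_blocks[sid]
        if flags & END_HEADERS:
            del open_blocks[sid]  # header block finished cleanly
        elif count > max_cont_frames or nbytes > max_header_bytes:
            alerts.append((sid, f"unterminated header block: {count} CONTINUATION frames, {nbytes} bytes"))
            del open_blocks[sid]  # a hardened server would reset the stream or close the connection here
    return alerts

def frame(ftype, flags, sid, payload):
    """Encode one frame; used only to build the constructed sample capture below."""
    return len(payload).to_bytes(3, "big") + bytes([ftype, flags]) + struct.pack("!I", sid) + payload

# Constructed sample: stream 1 is a benign request; stream 3 is the flood pattern,
# a HEADERS frame followed by CONTINUATION frames that never carry END_HEADERS.
SAMPLE = frame(HEADERS, END_HEADERS, 1, b"\x82\x84") + frame(HEADERS, 0, 3, b"\x82")
for _ in range(4):
    SAMPLE += frame(CONTINUATION, 0, 3, b"\x00" * 100)

if __name__ == "__main__":
    for sid, reason in check_header_blocks(SAMPLE, max_cont_frames=3):
        print(f"stream {sid}: {reason}")
```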
2023: Apache HTTP Server 2.4.55
On January 20, 2023, the release of Apache HTTP Server 2.4.55 was published; it brought 18 changes and eliminated 3 vulnerabilities:
- CVE-2022-37436: an HTTP response splitting attack in mod_proxy. A backend controlled by the attacker can truncate the response's HTTP headers so that the headers that follow end up in the response body (for example, security-related headers can be discarded this way).
- CVE-2022-36760: the mod_proxy_ajp module is susceptible to HTTP Request Smuggling attacks against front-end/back-end systems, which allow wedging into the content of other users' requests processed in the same stream between the front end and the back end.
- CVE-2006-20001: the ability to write a single zero byte outside the buffer boundaries, triggered in mod_dav when processing a specially crafted If: header.
The most notable non-security changes are:
- mod_proxy_http2 has been moved to the common mechanism, shared with the other proxy modules, for handling the content type of responses coming from backends.
- mod_proxy_hcheck now takes into account the timeout value set for workers.
- In mod_http2, the connection and stream handling code has been partially rewritten. To track the main connection and process I/O for requests and responses, the pollset functionality from APR (Apache Portable Runtime) is used. Leading and trailing spaces and tabs in request and response header values are removed.
- In mod_proxy_hcheck, hcmethod allows HTTP/1.1 requests using the GET11, HEAD11 and OPTIONS11 methods. Correct verification of AJP CPING support is provided.
- mod_authn_core adds support for expressions in AuthName and AuthType.
- The MDStoreLocks directive has been added to mod_md to lock shared storage so that updated certificates are correctly activated while several cluster nodes restart.
- mod_heartmonitor allows the "HeartbeatMaxServers 0" directive to be specified to use file storage instead of slotmem.
- The DavLockDiscovery option has been added to mod_dav to disable WebDAV lock discovery[7].
2012: Apache HTTP Server 2.4
This was the first major update (2012) since 2005, when version 2.2 was released. The new features of Apache improve the server's ability to operate in high-traffic environments.
Apache is the most popular web server: according to Netcraft, it is used by almost 400 million sites, or 65% of the total. Second place is taken by Microsoft IIS with 14.5%. But perhaps Apache's main competitor is nginx: its share is less than 10%, but over the past month it gained 12,000 new sites, while Apache lost 18,000.
Many of the new features in Apache 2.4 mirror those that made nginx popular. The new Apache serves more simultaneous connections and uses less memory. The reverse proxy module allows a single external IP address to be used for multiple servers with frequently changing internal addresses. Timeouts can be set with millisecond precision, and resource limits are also monitored in more detail. The caching mechanism is improved for high traffic volumes.
Notes
- ↑ BDU:2024-06593: A vulnerability in the Apache HTTP Server mod_rewrite function that
- ↑ Apache HTTP Server 2.4 vulnerabilities, https://httpd.apache.org/security/vulnerabilities_24.html
- ↑ SSRF with mod_rewrite in server/vhost context on Windows
- ↑ BDU:2024-02653
- ↑ HTTP/2 CONTINUATION frames can be utilized for DoS attacks
- ↑ Fixed in Apache HTTP Server 2.4.59, https://httpd.apache.org/security/vulnerabilities_24.html
- ↑ The release of the Apache 2.4.55 http server with the elimination of vulnerabilities