CISA Warns of Apache HTTP Server Escape Vulnerability Exploited in the Wild
- С сайта: Vulnerability(cybersecuritynews.com)
- Вернуться к списку новостей
С сайта: Vulnerability(cybersecuritynews.com)
The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-38475, a critical vulnerability affecting Apache HTTP Server, to its Known Exploited Vulnerabilities (KEV) catalog.
This vulnerability allows attackers to map URLs to unintended filesystem locations, potentially leading to code execution or source code disclosure.
Organizations are required to implement mitigations by May 22, 2025, under CISA’s binding operational directive.
Apache mod_rewrite Vulnerability – CVE-2024-38475
CVE-2024-38475 stems from improper escaping of output in Apache HTTP Server’s mod_rewrite module affecting versions 2.4.59 and earlier.
The vulnerability, which received a CVSS score of 9.1, allows attackers to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally accessible through any URL. This can result in arbitrary code execution or source code disclosure.
“The root cause of this vulnerability occurs during the truncation phase, due to the fact that r->filename is treated as a URL path rather than a filesystem path,” explains security researchers at Watchtowr Labs, who analyzed the exploit.
The vulnerability specifically affects “substitutions in server context that use backreferences or variables as the first segment of the substitution”.
The exploitation technique leverages a filename confusion vulnerability that allows abuse of the question mark (%3F) symbol to truncate the final constructed path.
When successfully exploited, attackers can access sensitive system files that would normally be protected.
Risk Factors Details Affected ProductsApache HTTP Server 2.4.59 and earlierImpactCode execution or source code disclosure via mod_rewriteExploit PrerequisitesNo authentication required; attacker can send crafted requests over the network, Requires mod_rewrite enabledCVSS 3.1 Score9.1 (Critical)
Mitigations
CISA recommends organizations take immediate action:
Organizations using the affected appliances should implement micro-segmentation and zero-trust isolation projects to minimize potential lateral movement.
In the Apache configuration, affected rules may use the new rewrite flag “UnsafePrefixStat” to opt back into previous behavior, but only after ensuring the substitution is appropriately constrained.
CISA has classified this vulnerability as affecting “a common open-source component, third-party library, or a protocol used by different products” and advises organizations to check with specific vendors for patching information.
Organizations should prioritize this vulnerability in their remediation efforts, as active exploitation continues across multiple sectors.
#Apache #Cyber_Security #Cyber_Security_News #Vulnerability #cyber_security #cyber_security_news
Оригинальная версия на сайте:
CISA Warns of Apache HTTP Server Escape Vulnerability Exploited in the Wild
Author: KaaviyaThe Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-38475, a critical vulnerability affecting Apache HTTP Server, to its Known Exploited Vulnerabilities (KEV) catalog.
This vulnerability allows attackers to map URLs to unintended filesystem locations, potentially leading to code execution or source code disclosure.
Organizations are required to implement mitigations by May 22, 2025, under CISA’s binding operational directive.
Apache mod_rewrite Vulnerability – CVE-2024-38475
CVE-2024-38475 stems from improper escaping of output in Apache HTTP Server’s mod_rewrite module affecting versions 2.4.59 and earlier.
The vulnerability, which received a CVSS score of 9.1, allows attackers to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally accessible through any URL. This can result in arbitrary code execution or source code disclosure.
“The root cause of this vulnerability occurs during the truncation phase, due to the fact that r->filename is treated as a URL path rather than a filesystem path,” explains security researchers at Watchtowr Labs, who analyzed the exploit.
The vulnerability specifically affects “substitutions in server context that use backreferences or variables as the first segment of the substitution”.
The exploitation technique leverages a filename confusion vulnerability that allows abuse of the question mark (%3F) symbol to truncate the final constructed path.
When successfully exploited, attackers can access sensitive system files that would normally be protected.
Risk Factors Details Affected ProductsApache HTTP Server 2.4.59 and earlierImpactCode execution or source code disclosure via mod_rewriteExploit PrerequisitesNo authentication required; attacker can send crafted requests over the network, Requires mod_rewrite enabledCVSS 3.1 Score9.1 (Critical)
Mitigations
CISA recommends organizations take immediate action:
- Upgrade to Apache HTTP Server version 2.4.60 or later, which contains the fix for this vulnerability.
- Review and modify affected RewriteRules to ensure substitutions are appropriately constrained if immediate patching isn’t possible.
- For SonicWall SMA users, immediately patch devices and review logs for unauthorized access.
Organizations using the affected appliances should implement micro-segmentation and zero-trust isolation projects to minimize potential lateral movement.
In the Apache configuration, affected rules may use the new rewrite flag “UnsafePrefixStat” to opt back into previous behavior, but only after ensuring the substitution is appropriately constrained.
CISA has classified this vulnerability as affecting “a common open-source component, third-party library, or a protocol used by different products” and advises organizations to check with specific vendors for patching information.
Organizations should prioritize this vulnerability in their remediation efforts, as active exploitation continues across multiple sectors.
#Apache #Cyber_Security #Cyber_Security_News #Vulnerability #cyber_security #cyber_security_news
Оригинальная версия на сайте:
