CVE-2021-40438 | Apache redux: preventing Server Side Request Forgery

[King]

CVE-2021-40438 | Apache redux: preventing Server Side Request Forgery

Apache redux: preventing Server Side Request Forgery via CVE-2021-40438​

What you need to know:

• This vulnerability in Apache HTTP Server (httpd) version 2.4.48 can result in Server Side Request Forgery and can be exploited remotely if a specific module is enabled (mod_proxy).
• There is already a patch available in version 2.4.51 and cloud-hosted Apache HTTP server instances are safe (if relatively up to date).
• Our next-gen WAF customers are protected from this vulnerability by a templated rule.

CVE-2021-40438 is a Server Side Request Forgery (SSRF) vulnerability in Apache HTTP Server version 2.4.48 and earlier. By sending a specially crafted request, attackers can force the mod_proxy module (if enabled) to route connections to an origin server of their choice — thereby allowing attackers to exfiltrate secrets (like infrastructure metadata or keys) or access other internal servers (which may be less protected than externally facing ones).

What’s the impact​

This vulnerability impacts Apache HTTP Server (aka httpd) version 2.4.48 and versions earlier than 2.4.48. However, the mod_proxy module must be enabled for the server to be vulnerable — so attackers must find servers matching those specific conditions to exploit the vulnerability.
Unfortunately, data from Shodan suggests that there are more than 500,000 servers matching this version, making it likely that attackers could find some fertile ground for leveraging this vulnerability in their attacks.

Why it’s interesting​

As an attack method, SSRF (which...

Read more

Continue reading...