Overview
Apache HTTP Server versions 2.4.59 and earlier contain a critical URL mapping vulnerability in mod_rewrite caused by improper escaping of special characters. This flaw allows attackers who can control URL input to map URLs to unintended filesystem locations, potentially enabling arbitrary code execution or disclosure of sensitive source code. The vulnerability affects the core URL rewriting mechanism and can bypass intended access controls. The vulnerability was disclosed on July 1, 2024. CISA has identified CVE-2024-38475 as exploited, but it is not currently known to be used in ransomware campaigns.
Technical details
Apache HTTP Server's mod_rewrite module improperly escapes certain characters when processing URL rewrite rules. This allows attackers to craft malicious URLs that bypass the intended path restrictions and map to arbitrary filesystem locations. The vulnerability stems from insufficient sanitization of user-controlled input in the rewrite engine, which fails to properly neutralize special characters that have meaning in filesystem paths or rewrite directives. An attacker can exploit this to access files outside the intended document root, potentially including application source code, configuration files with credentials, or executable scripts.
The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')), CWE-116 (Improper Encoding or Escaping of Output) and CWE-644 (Improper Restriction of Rendered UI Layers or Frames).
The vulnerability received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, indicating its critical severity.
Impact
Successful exploitation can lead to: (1) Remote Code Execution, if the attacker maps URLs to executable scripts or can access interpreted files; (2) Source Code Disclosure, accessing .php, .py or .js source files outside the intended document root; (3) Configuration File Access, reading database credentials, API keys and other sensitive configuration; (4) System File Access, potential access to /etc/passwd, /etc/shadow or other critical system files depending on web server privileges; (5) Bypass of Access Controls, circumventing authentication and authorization mechanisms. The Scope metric of Changed (S:C in the vector) indicates that the vulnerability can affect resources beyond the vulnerable component, potentially compromising the entire system.
Mitigation and workarounds
Update Apache HTTP Server to version 2.4.60 or later. For systems using package managers: (1) AlmaLinux/Rocky/RHEL: `dnf update httpd` or `yum update httpd` and restart httpd; (2) Debian/Ubuntu: `apt update && apt upgrade apache2` and restart apache2; (3) Alpine: `apk upgrade apache2` and restart apache2; (4) Manual build: download and compile httpd 2.4.60+ from https://httpd.apache.org/download.cgi. After updating, verify the version with `httpd -v` and restart the web server. The following versions include the necessary fixes: Apache HTTP Server 2.4.60 and later.
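As an added example (not part of the original advisory or of the Apache project), the following Python script performs the version verification step above: it parses the banner printed by `httpd -v` and compares it numerically against 2.4.60, the first fixed release. The binary names it probes (`httpd`, `apache2`, `apachectl`) are assumptions, and the sample banners in the `__main__` block are constructed, not output captured from a real host.

```python
"""Check whether an Apache httpd build is at or above the fixed release (2.4.60).

Added example, not part of the original advisory. It parses the first line
that `httpd -v` prints ("Server version: Apache/2.4.59 (Unix)") and compares
the version as a tuple of integers, so 2.4.9 is correctly treated as older
than 2.4.60 (a plain string comparison would rank it higher).
"""
import re
import shutil
import subprocess
from typing import Optional, Tuple

FIXED_VERSION = (2, 4, 60)  # first release containing the fix, per the advisory

_BANNER_RE = re.compile(r"Server version:\s*Apache/(\d+)\.(\d+)\.(\d+)")


def parse_httpd_version(banner: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from `httpd -v` output; raise if no banner is present."""
    m = _BANNER_RE.search(banner)
    if not m:
        raise ValueError("no Apache version banner found in input")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_fixed(version: Tuple[int, int, int], fixed=FIXED_VERSION) -> bool:
    """True when `version` is the fixed release or later (tuples compare element-wise)."""
    return version >= fixed


def check_banner(banner: str) -> dict:
    """Return a small report for one banner string."""
    v = parse_httpd_version(banner)
    return {"version": ".".join(map(str, v)), "fixed": is_fixed(v)}


def check_local_httpd() -> Optional[dict]:
    """Run the local httpd binary, if one is on PATH, and report on it.

    Binary names are assumptions covering common distributions; returns None
    when no binary is found or none prints a parsable banner.
    """
    for exe in ("httpd", "apache2", "apachectl"):
        path = shutil.which(exe)
        if not path:
            continue
        try:
            out = subprocess.run([path, "-v"], capture_output=True, text=True, timeout=10).stdout
            return check_banner(out)
        except (OSError, ValueError, subprocess.SubprocessError):
            continue  # try the next candidate binary
    return None


if __name__ == "__main__":
    # Constructed sample banners (not captured from a real host).
    for sample in ("Server version: Apache/2.4.59 (Unix)\nServer built:   Jun  1 2024",
                   "Server version: Apache/2.4.62 (Debian)",
                   "Server version: Apache/2.4.9 (Unix)"):
        print(check_banner(sample))
    local = check_local_httpd()
    print("local httpd:", local if local else "not found")
```

The numeric comparison is the point of the helper: version strings such as 2.4.9 sort after 2.4.60 lexically, so a naive string check could report an old build as patched.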
As temporary workarounds: (1) Disable mod_rewrite if the application does not require it: remove or comment out `LoadModule rewrite_module modules/mod_rewrite.so` in httpd.conf and restart the server. (2) Implement strict input validation and filtering at the application level, and use web application firewall (WAF) rules to block requests containing path traversal sequences (`../`, `.\`, etc.) and special characters that could be used to exploit the vulnerability. (3) Restrict filesystem permissions: ensure the Apache process runs with minimal privileges and the document root is properly isolated, and use chroot jails or containerization to limit filesystem access. (4) Review and simplify mod_rewrite rules: audit all RewriteRule and RewriteCond directives to ensure they properly validate and escape all user-controlled input, and remove unnecessary or overly broad rules.
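The following Python helpers, added here as an example and not taken from the advisory or from the Apache project, support two of the workarounds above. `audit_rewrite_config` checks whether `LoadModule rewrite_module` is active in an httpd.conf-style text and flags `RewriteRule` directives whose substitution carries a backreference (`$1`, `%1`, ...) into an internal mapping rather than a redirect or forbid rule, which is where user-controlled request data reaches the rewrite engine's path handling and needs the validation and escaping the text calls for. `looks_like_traversal` shows the decode-then-match logic a WAF or request filter needs so that percent-encoded and double-encoded traversal sequences are not missed. The sample configuration, the hostname `example.invalid` and the sample request paths are constructed for the demonstration.

```python
"""Audit helpers for the mod_rewrite workarounds (added example, not project code).

  * audit_rewrite_config(): parses httpd.conf-style text, reports whether
    mod_rewrite is loaded, and flags RewriteRule directives whose substitution
    uses a backreference ($1, %1, ...) without an R (redirect), F (forbidden)
    or G (gone) flag: those rules map captured request data onto an internal
    target and are the ones to review for validation and escaping.
  * looks_like_traversal(): the check a WAF or request filter would apply,
    decoding percent-encoding (including double encoding) before looking for
    ../ and ..\\ so encoded variants are caught too.
Directive names are matched case-insensitively, as Apache itself does.
"""
import re
from urllib.parse import unquote

LOADMODULE_RE = re.compile(r"^\s*LoadModule\s+rewrite_module\b", re.IGNORECASE)
# RewriteRule Pattern Substitution [flags]   (the flag group is optional)
REWRITERULE_RE = re.compile(
    r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.IGNORECASE
)
BACKREF_RE = re.compile(r"[$%][1-9]")  # $N from RewriteRule, %N from RewriteCond


def _flag_letters(flags: str) -> set:
    """Split 'R=301,L' into {'R', 'L'}: keep only the letters before any '='."""
    return {f.strip().split("=")[0].upper() for f in flags.split(",") if f.strip()}


def audit_rewrite_config(config_text: str) -> dict:
    """Return {'rewrite_loaded': bool, 'rules': [...], 'flagged': [...]}."""
    rewrite_loaded = False
    rules, flagged = [], []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out LoadModule does not load the module
        if LOADMODULE_RE.match(line):
            rewrite_loaded = True
            continue
        m = REWRITERULE_RE.match(line)
        if not m:
            continue
        pattern, subst, flags = m.group(1), m.group(2), m.group(3) or ""
        rule = {"line": lineno, "pattern": pattern, "substitution": subst,
                "flags": sorted(_flag_letters(flags))}
        rules.append(rule)
        # Backreference in the target and no redirect/forbid flag: internal mapping
        # driven by user-controlled input, so it needs review.
        if BACKREF_RE.search(subst) and not ({"R", "F", "G"} & _flag_letters(flags)):
            flagged.append(rule)
    return {"rewrite_loaded": rewrite_loaded, "rules": rules, "flagged": flagged}


def looks_like_traversal(request_path: str, max_decode: int = 3) -> bool:
    """Decode percent-encoding up to `max_decode` times, then look for ../ or ..\\."""
    decoded = request_path
    for _ in range(max_decode):
        nxt = unquote(decoded)
        if nxt == decoded:
            break  # nothing left to decode
        decoded = nxt
    # Treat backslash and slash alike so '..\' is not missed.
    return "../" in decoded.replace("\\", "/")


# Constructed sample configuration (not taken from any real deployment).
SAMPLE_CONF = """\
LoadModule rewrite_module modules/mod_rewrite.so
RewriteEngine On
# old site moved: external redirect, captured data does not touch the filesystem
RewriteRule ^/old/(.*)$ https://example.invalid/new/$1 [R=301,L]
# internal mapping driven by a captured path segment: review this one
RewriteRule ^/docs/(.*)$ /var/www/docs/$1 [L]
# static rewrite with no user-controlled data
RewriteRule ^/health$ /status.html [L]
"""

if __name__ == "__main__":
    report = audit_rewrite_config(SAMPLE_CONF)
    print("mod_rewrite loaded:", report["rewrite_loaded"])
    for r in report["flagged"]:
        print(f"review line {r['line']}: RewriteRule {r['pattern']} {r['substitution']}")
    # Constructed sample request paths for the filter check.
    for p in ("/docs/guide.html", "/docs/../../conf/httpd.conf",
              "/docs/%2e%2e/secret", "/docs/%252e%252e/secret"):
        print(p, "->", "traversal" if looks_like_traversal(p) else "ok")
```

The audit only narrows the review to rules that move captured request data into an internal target; whether a flagged rule is actually safe still depends on what its pattern admits, which is the manual check the workaround describes. The filter helper decodes in a bounded loop rather than once, because a single `unquote` leaves double-encoded sequences intact.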
CISA recommendation: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Additional resources
Source: This report was generated by AI

