The Apache Foundation announced on March 7, 2023, that they had addressed CVE-2023-25690 in Apache HTTP Server 2.4.56. The fix, implemented on March 5, prevents control characters from being included in a proxied request. This vulnerability had a CVSS score of 9.8 because it had the potential to bypass access controls. Before a researcher released a proof of concept on May 21, 2023, the problem seemed to go mostly unnoticed.
What is the CVE-2023-25690 Vulnerability?
Certain configurations of mod_proxy in Apache HTTP Server versions 2.4.0 through 2.4.55 can be exploited for an HTTP Request Smuggling attack.
HTTP Request Smuggling is a sophisticated attack method that leverages inconsistencies in the processing of HTTP requests by various web infrastructure components. Attackers employ this technique to manipulate the interpretation of requests, leading to security measures being bypassed, unauthorized injection of malicious payloads, potential access to sensitive data, or even remote command execution.
This vulnerability occurs when mod_proxy is enabled alongside RewriteRule or ProxyPassMatch, where a non-specific pattern matches a portion of the user-supplied request-target (URL) data and is subsequently inserted into the proxied request-target using variable substitution. An example could be:
RewriteEngine on RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?param=$1"; [P]
As a result, request splitting or smuggling may occur, leading to the potential bypass of access controls on the proxy server, unintentional proxying of URLs to existing origin servers, and cache poisoning.
Proof of Concept Highlights Exploitation of CVE-2023-25690
The Apache HTTP Server vulnerability gained attention when a researcher, dhmosfunk, published a proof of concept. The proof of concept demonstrated how this vulnerability could be exploited for header-injection and request-smuggling attacks on a hypothetical vulnerable application. However, to be affected by this vulnerability, several conditions must be met:
- The configuration of the Apache server must include a RewriteRule that copies data into the query string of a proxied URL.
- The application must consider the proxy as a significant security boundary.
- The application must operate on a susceptible Apache HTTP Server version (2.4.55 or earlier).
Shodan’s data indicates that over 6 million servers could be susceptible to this vulnerability.
To mitigate the CVE-2023-25690 vulnerability, it is strongly recommended to update to Apache version 2.4.56 or later, especially if your services rely on RewriteRule entries.
Enhancing Vulnerability Management and Attack Surface Monitoring with SOCRadar
SOCRadar’s Vulnerability Intelligence can assist you in better managing vulnerability issues and prioritizing patches; you can search for and view detailed information about vulnerabilities on the platform.
Additionally, SOCRadar’s External Attack Surface Management (EASM) functionality helps identify your digital assets and promptly notifies you of any emerging threats or potential issues.