The Apache HTTP Server, colloquially called Apache, is free and open-source web server software released under the Apache License 2.0. It is widely used to host websites and applications on the internet or within private networks. Recently, a critical vulnerability was discovered in Apache HTTP Server version 2.4.53 and earlier on Windows. This vulnerability, identified as CVE-2022-28330, affects systems that are configured to process requests with the mod_isapi module. In this post, we will delve into the details of this vulnerability, including its root cause, its potential impact, and the steps to mitigate it.

Vulnerability Summary

CVE-2022-28330 affects the mod_isapi module, which is responsible for running Internet Server Application Programming Interface (ISAPI) applications. The vulnerability allows an attacker to remotely exploit a Windows-based Apache server that has the mod_isapi module enabled. When exploited, this vulnerability may lead to out-of-bounds (OOB) read conditions, which could result in the disclosure of sensitive information, denial of service, or even remote code execution.

Original References

The vulnerability has been officially documented by the Apache HTTP Server team in the changelog for version 2.4.54, which addresses this issue. The changelog can be accessed here: https://httpd.apache.org/docs/2.4/changes_24.html

More details about the vulnerability, including its CVSS score and vector, can be found on the NIST National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2022-28330

Exploit Details

The exploit targets the mod_isapi module's handling of HSE_REQ_SEND_RESPONSE_HEADER_EX requests. When these requests are processed, the server can read beyond the bounds of allocated memory because the size of the EX_INFO structure is calculated incorrectly.

The flaw can be triggered by sending a specially crafted request to the vulnerable Apache server. To demonstrate the issue, consider the following code snippet:

/* Incorrect calculation of size causing OOB read */
DWORD size = offsetof(EX_INFO, pszStatus) + strlen(pszStatus) + strlen(pszHeader);

/* ... */

/* Reading beyond bounds */
memcpy(lpEcb->lpvHseContext, &dwOffset, MIN(dwOffset, size));

Here, the size variable underestimates the size of the EX_INFO structure, so the subsequent memcpy reads beyond the expected bounds. This could result in memory corruption or information disclosure.
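As an added illustration (not Apache's code; the struct and function names are assumptions), here is the sizing logic the post describes next to a bounds-checked version: it reads only within the caller-declared lengths, rejects declared lengths that overrun the actual strings, and accounts for the separator and terminator before copying.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for the ISAPI header-extension record the post
 * describes (names are assumptions, not Apache's declarations). */
typedef struct {
    const char *pszStatus;              /* status line, e.g. "200 OK" */
    const char *pszHeader;              /* header block */
    size_t      cchStatus, cchHeader;   /* caller-declared lengths */
} ex_info_t;

/* String length capped at max: never reads past the declared length. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0') n++;
    return n;
}
/* Sizing as the post describes it: raw string lengths, no room for the
 * CRLF separator or the NUL, and strlen() trusted to stop in bounds. */
size_t naive_size(const ex_info_t *ex)
{
    return strlen(ex->pszStatus) + strlen(ex->pszHeader);
}
/* Hardened sizing: reject NULL pointers and declared lengths that overrun
 * the real strings, and count what the copy will actually write. */
size_t checked_size(const ex_info_t *ex)
{
    if (ex->pszStatus == NULL || ex->pszHeader == NULL)
        return 0;
    size_t st = bounded_len(ex->pszStatus, ex->cchStatus);
    size_t hd = bounded_len(ex->pszHeader, ex->cchHeader);
    if (st != ex->cchStatus || hd != ex->cchHeader)
        return 0;                 /* declared length longer than the string */
    return st + 2 + hd + 1;       /* "<status>\r\n<header>" plus NUL */
}

/* Copy "<status>\r\n<header>" into out. Returns bytes written (excluding
 * the NUL), or 0 if the record is invalid or would not fit in out_len. */
size_t build_response_header(char *out, size_t out_len, const ex_info_t *ex)
{
    size_t need = checked_size(ex);
    if (need == 0 || need > out_len)
        return 0;
    memcpy(out, ex->pszStatus, ex->cchStatus);
    memcpy(out + ex->cchStatus, "\r\n", 2);
    memcpy(out + ex->cchStatus + 2, ex->pszHeader, ex->cchHeader);
    out[need - 1] = '\0';
    return need - 1;
}
```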

Mitigation Measures

To address this vulnerability, the Apache HTTP Server team has released version 2.4.54, which fixes the issue. It is highly recommended to update your Apache server installation to this version or later.

- Limit access to your Apache server by implementing strict firewall rules and IP restrictions

- Monitor your server logs for potential signs of exploitation, such as unexpected crashes or unexplained resource consumption

Conclusion

CVE-2022-28330 is a critical vulnerability that affects Apache HTTP Server versions up to 2.4.53 on Windows. The vulnerability lies within the mod_isapi module and could result in serious consequences like information disclosure or remote code execution if exploited. It's essential to update your Apache HTTP Server to version 2.4.54 or newer and apply the necessary security measures to mitigate the associated risks.

Timeline

Published on: 06/09/2022 17:15:00 UTC
Last modified on: 06/24/2022 16:15:00 UTC