Apache Traffic Server (ATS) is a high-performance web proxy cache that improves network efficiency and performance by caching frequently-accessed information at the edge of the network. This allows users to experience faster response times and reduced latency. However, a recent discovery has exposed a request smuggling vulnerability that affects various ATS versions. In this post, we will delve into the details of CVE-2024-53868, provide code snippets, and identify original references for this discovery, along with information concerning the appropriate response to this vulnerability.

Exploit Details

CVE-2024-53868 is a security vulnerability that affects Apache Traffic Server versions 9.2.0 through 9.2.9 and 10.0.0 through 10.0.4. In these versions, ATS allows request smuggling if chunked messages are malformed. Request smuggling is a technique in which attackers send ambiguous HTTP requests that cause discrepancies in how servers interpret them, enabling unauthorized access to protected data or the compromise of other users' sessions.

The issue specifically occurs during the processing of HTTP requests with 'Transfer-Encoding: chunked' headers, whose chunk sizes are combined with additional data to form a single "chunk," thereby evading content-length restrictions. This enables an attacker to send multiple requests disguised as a single valid request, making it difficult for the server to identify the threat.

Here's an example of a malicious HTTP request that exploits the vulnerability:

POST /path HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Transfer-Encoding: chunked

5
test=1
0

GET /private/resource HTTP/1.1
Host: example.com

The above request indicates a chunked message of size 5, containing the string "test=1". The server would interpret this as usual. However, the subsequent "0" and the additional request that follows cause the server to misinterpret the request, thus facilitating request smuggling.

The following resources provide additional information and technical details on CVE-2024-53868:

1. Apache Traffic Server Security Advisory: https://archive.apache.org/dist/trafficserver/security/CVE-2024-53868/2024-01-11-01%20-%20CVE-2024-53868%20-%20Apache%20Traffic%20Server.pdf
2. CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53868
3. NVD (National Vulnerability Database): https://nvd.nist.gov/vuln/detail/CVE-2024-53868

Apache has addressed this request smuggling vulnerability by releasing updated versions of the Traffic Server. Users of ATS versions 9.2.0 through 9.2.9 and 10.0.0 through 10.0.4 should immediately upgrade to version 9.2.10 or 10.0.5, respectively. These updated versions contain a fix that prevents request smuggling by properly validating chunked messages and ensuring that incoming requests are well-formed.

Upgrading to the latest version will ensure that your Apache Traffic Server is protected against this vulnerability, thus preventing possible unauthorized access, session hijacking, or other malicious activities. Make sure to consult the resources provided in the original references for further guidance and context.
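
The fix is described above as properly validating chunked messages. As an added illustration (not code from Apache Traffic Server or its patch), the following Python example decodes a chunked body strictly according to RFC 9112 and rejects anything malformed instead of guessing at the framing. The names decode_chunked, read_line and MalformedChunk and the sample bodies are constructed for this example.

```python
import re

# Chunk-size line (RFC 9112 section 7.1): 1-8 hex digits, optional extension.
SIZE_LINE = re.compile(rb"([0-9A-Fa-f]{1,8})(;[^\r\n]*)?")

class MalformedChunk(ValueError):
    """The body deviates from strict chunked framing."""

def read_line(buf, pos):
    """Return (line, offset past its CRLF); a bare LF is rejected."""
    end = buf.find(b"\n", pos)
    if end <= pos or buf[end - 1] != 0x0D:
        raise MalformedChunk("line not terminated by CRLF")
    return buf[pos:end - 1], end + 1

def decode_chunked(buf):
    """Return (body, leftover bytes); raise on any framing deviation."""
    body, pos = bytearray(), 0
    while True:
        line, pos = read_line(buf, pos)
        m = SIZE_LINE.fullmatch(line)
        if m is None:
            raise MalformedChunk(f"bad chunk-size line {line!r}")
        size = int(m.group(1), 16)
        if size == 0:
            break
        data_end = pos + size
        # Exactly `size` bytes of data, then CRLF; nothing is skipped over.
        if buf[data_end:data_end + 2] != b"\r\n":
            raise MalformedChunk("chunk data not followed by CRLF")
        body += buf[pos:data_end]
        pos = data_end + 2
    while True:  # trailer section ends at the first empty line
        line, pos = read_line(buf, pos)
        if not line:
            return bytes(body), buf[pos:]  # leftover = next pipelined request
        if b":" not in line or b"\r" in line:
            raise MalformedChunk(f"bad trailer line {line!r}")

# Constructed samples (not captured traffic).
SAMPLES = {
    "well-formed": b"6\r\ntest=1\r\n0\r\n\r\n",
    "size 5, six data bytes": b"5\r\ntest=1\r\n0\r\n\r\n",
    "bare LF line endings": b"6\ntest=1\n0\n\n",
}
if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        try:
            print(name, "->", decode_chunked(raw))
        except MalformedChunk as err:
            print(name, "-> rejected:", err)
```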

Timeline

Published on: 04/03/2025 09:15:15 UTC
Last modified on: 04/18/2025 15:15:53 UTC