AttackerKB AKB:BA4B0322-1E89-4506-B2AD-00D67E19B079
Sep 16, 2021 - 12:00 a.m.

CVE-2021-40438

2021-09-16 00:00:00
attackerkb.com

CVSS v3.1: 9.0 High
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Network; Attack Complexity: High; Privileges Required: None; User Interaction: None; Scope: Changed; Confidentiality Impact: High; Integrity Impact: High; Availability Impact: High

CVSS v2: 6.8 Medium
AV:N/AC:M/Au:N/C:P/I:P/A:P
Access Vector: Network; Access Complexity: Medium; Authentication: None; Confidentiality Impact: Partial; Integrity Impact: Partial; Availability Impact: Partial

EPSS: 0.973 High (percentile 99.8%)

A crafted request uri-path can cause mod_proxy to forward the request to an origin server chosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier (fixed in 2.4.49).
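A log check for the crafted request path described above, added here as an example; it is not code from AttackerKB or from the Apache project. It assumes the publicly documented proof-of-concept shape for this CVE (a "unix:" prefix, a long filler, then "|<scheme>://<host>" naming the destination mod_proxy is tricked into contacting), which this page does not itself describe, and it assumes Apache combined-format access logs. The sample log lines and the 4096-byte filler threshold are constructed for the example. A second helper applies the "2.4.48 and earlier" range to a Server banner, with the caveat that distribution packages backport fixes without bumping the version.

```python
import re
from typing import Dict, List, Optional

# Apache "combined" access-log format. SAMPLE_LINES below are constructed, not real traffic.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumption (from public PoC write-ups, not from this page): the trigger is a request
# target carrying "unix:<filler>|<scheme>://<host>..." so that mod_proxy forwards to <host>.
UDS_PIPE_RE = re.compile(
    r'unix:(?P<sock>[^|]*)\|(?P<dest>[A-Za-z][A-Za-z0-9+.-]*://[^\s"]+)'
)

# Assumed threshold: public PoCs use a filler of several thousand bytes; anything shorter
# is reported as informational rather than as a likely exploitation attempt.
LONG_SOCK_PATH = 4096


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line into its fields, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Flag a parsed entry whose request target (path plus query) carries the unix:...| pattern."""
    m = UDS_PIPE_RE.search(entry['target'])
    if m is None:
        return None
    sock_len = len(m.group('sock'))
    return {
        'ip': entry['ip'],
        'dest': m.group('dest'),
        'sock_len': sock_len,
        'severity': 'high' if sock_len >= LONG_SOCK_PATH else 'info',
    }


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run classify() over raw log lines and return the findings in input order."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        hit = classify(entry)
        if hit is not None:
            findings.append(hit)
    return findings


def is_affected_version(server_banner: str) -> Optional[bool]:
    """True if a Server header names httpd 2.4.48 or earlier (the range this page gives),
    False for later releases, None if no version is exposed (e.g. ServerTokens Prod).
    Caveat: distributions backport the fix without changing the version string, so True
    means "check the package changelog", not "confirmed vulnerable"."""
    m = re.search(r'Apache/(\d+)\.(\d+)\.(\d+)', server_banner)
    if m is None:
        return None
    return tuple(int(x) for x in m.groups()) <= (2, 4, 48)


# Constructed sample: one benign request, one short unix: probe, one PoC-shaped request
# aimed at a cloud metadata address (a typical SSRF target).
SAMPLE_LINES = [
    '10.0.0.5 - - [16/Sep/2021:10:12:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.9 - - [16/Sep/2021:10:12:03 +0000] "GET /?unix:/tmp/x|http://127.0.0.1/ HTTP/1.1" 400 226',
    '203.0.113.7 - - [16/Sep/2021:10:12:05 +0000] "GET /?unix:' + 'A' * 5000
    + '|http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 1043',
]

if __name__ == '__main__':
    for f in scan(SAMPLE_LINES):
        print(f"{f['severity']:4} {f['ip']} -> {f['dest']} (filler={f['sock_len']} bytes)")
    print(is_affected_version('Apache/2.4.48 (Ubuntu)'), is_affected_version('Apache/2.4.49 (Unix)'))
```

Run it against a copy of access.log one line at a time; the "dest" field tells you which internal host each attempt was aimed at, which is the first thing an incident responder wants when scoping an SSRF.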

Recent assessments:

gwillcox-r7 at November 29, 2021 4:33pm UTC reported:

This is an interesting bug that allows one to exploit a bug in the mod_proxy add-on module of Apache HTTP server 2.4.48 and earlier to perform a server side request forgery (SSRF) attack and force the server to make requests on the attacker’s behalf. It was discovered by the Apache HTTP security team whilst analyzing CVE-2021-36160.

This is already being exploited in the wild as noted at <https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2021/2021-270312-10F2.pdf> with evidence that in at least one case, attackers were able to obtain hash values of user credentials from victim systems via this attack.

There is also evidence that this might affect Cisco products that bundle Apache HTTP Servers with them as noted at <https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-2.4.49-VWL69sWQ> however investigation is still ongoing on this matter by Cisco at the time of writing, with the only product confirmed as not being vulnerable listed as Cisco Virtual Topology System.

In general SSRF vulnerabilities are very valuable to attackers as they not only allow access to the internal network of a target, but they can disguise their requests as coming from a legitimate web server that the network trusts. This often means that there is more trust placed in these requests, which sometimes means fewer security checks are placed on them.

It is also important to note that whilst this vulnerability does require the mod_proxy module to be loaded, this is a very common module for most servers and so it is likely to be loaded, increasing the likelihood that an outdated Apache server is vulnerable to this attack.

In short, this bug is being exploited in the wild, allows unauthenticated attackers a way to make trusted requests to internal endpoints, and has been used to steal hashed credentials in a real world attack. Whilst true impact will likely depend on the way the target network is configured and what vulnerabilities are on the systems accessible via the target web server, this vulnerability alone is already providing attackers a lot more insight into a target network through a very common server setup, and therefore should be patched as soon as possible.

Assessed Attacker Value: 4
