
Improving Apache httpd Protections Proactively with Orange Tsai of DEVCORE


Written by

Ryan Barnett and Sam Tinklenberg

August 08, 2024

Ryan Barnett

Ryan Barnett is a Principal Security Researcher working on the Akamai Threat Research Team supporting App and API Protector security solutions. In addition to his primary work at Akamai, he is also a WASC Board Member and OWASP Project Leader for the Web Hacking Incident Database (WHID) and Distributed Web Honeypots projects. Mr. Barnett is a frequent speaker at security industry conferences such as Black Hat and has authored two web security books: Preventing Web Attacks with Apache (Pearson) and The Web Application Defender's Cookbook: Battling Hackers and Defending Users (Wiley).

Sam Tinklenberg

Sam Tinklenberg is a Senior Security Researcher in the Apps & APIs Threat Research Group at Akamai. Sam comes from a background in web application penetration testing and is passionate about finding and protecting against critical vulnerabilities. While he isn't breaking web apps, Sam enjoys video and board games, being outside, and spending time with friends and family.

Editorial and additional commentary by Tricia Howard

The Akamai SIG proactively reached out to Tsai, which resulted in preemptive protections for Akamai App & API Protector customers.

Executive summary

  • In collaboration with renowned security researcher Orange Tsai and DEVCORE, Akamai researchers have issued early-release remediations to Apache CVEs for our Akamai App & API Protector customers.

  • Tsai presented his research at Black Hat USA 2024 and outlined the details for many Apache HTTP Server (httpd) vulnerabilities that were recently patched.

  • Before his Black Hat presentation, the Akamai Security Intelligence Group (SIG) proactively contacted Tsai to facilitate the sharing of technique details for proactive defense for our customers.

  • App & API Protector customers who are in automatic mode have existing and updated protections.

Introduction

The Apache HTTP Server (httpd) has been one of the most widely deployed web servers since the early days of the internet. When vulnerabilities are found in software this ubiquitous, they have to be addressed, and quickly.

Security researcher Orange Tsai of DEVCORE discovered three classes of confusion attack paths in httpd: filename confusion, DocumentRoot confusion, and handler confusion. They share a root cause: some httpd modules treat the request's r->filename field as a URL, while others treat it as a filesystem path, and a request can be crafted so that the two interpretations disagree.

RewriteRule (mod_rewrite) is a substantial part of this research, because the substitution it writes into r->filename is what later modules then interpret. The effects can be as severe as remote code execution (RCE) or reading arbitrary files on the vulnerable server.

Akamai + DEVCORE collab

Tsai originally presented his research, including several primitives and thorough analysis of how they could be exploited, at Black Hat USA 2024. The Akamai SIG proactively reached out to Tsai and the DEVCORE team to collaborate, which resulted in preemptive protections for Akamai App & API Protector customers.

We would like to thank Orange Tsai and the DEVCORE team for their trust, willingness to cooperate, and participation in all aspects of this collaboration from request to blog post publication.

The affected CVEs

The following vulnerabilities were discovered by Tsai and responsibly disclosed to the Apache HTTP Server Project. CVE-2023-38709 was fixed in httpd 2.4.59; the remaining seven were fixed in httpd 2.4.60.

  • CVE-2024-38472 — Apache HTTP Server on Windows UNC SSRF

  • CVE-2024-39573 — Apache HTTP Server: mod_rewrite proxy handler substitution

  • CVE-2024-38477 — Apache HTTP Server: Crash resulting in denial of service in mod_proxy via a malicious request

  • CVE-2024-38476 — Apache HTTP Server may use exploitable/malicious back-end application output to run local handlers via internal redirect

  • CVE-2024-38475 — Apache HTTP Server weakness in mod_rewrite when first segment of substitution matches filesystem path

  • CVE-2024-38474 — Apache HTTP Server weakness with encoded question marks in backreferences

  • CVE-2024-38473 — Apache HTTP Server proxy encoding problem

  • CVE-2023-38709 — Apache HTTP Server: HTTP response splitting
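
To make the mod_rewrite shape behind CVE-2024-38475 and CVE-2024-38474 concrete, here is a small configuration audit script. It is an added example written for this page; it is neither Akamai's rule 3000950 nor any part of Apache's own fix. It takes the affected shape from the Apache advisory text for CVE-2024-38475 (a substitution in server or virtual-host context whose first path segment comes from a backreference or a rewrite variable, which is what lets that segment match a filesystem path) and flags such rules unless they carry the UnsafePrefixStat flag that httpd 2.4.60 added for opting back in. It also includes a request-side pre-filter for the CVE-2024-38474 precondition, a percent-encoded question mark in the path. The httpd.conf fragment and the request targets are constructed for illustration.

```python
"""Audit httpd RewriteRule directives for the shape behind CVE-2024-38475 and
pre-filter request paths for the encoded '?' behind CVE-2024-38474.

Added example for illustration; not Akamai's WAF rule logic and not Apache code."""
import re
from urllib.parse import unquote

# Constructed sample httpd.conf fragment (illustration only; not from the
# article or from any real deployment).
SAMPLE_CONF = """\
RewriteEngine On
# A: fixed literal prefix, constrained capture -> not flagged
RewriteRule "^/docs/([A-Za-z0-9_-]+)$" "/static/docs/$1.html" [L]
# B: substitution begins with a backreference, server context -> flagged
RewriteRule ^/html/(.*)$ /$1.html
# C: same shape, but explicitly opted back in (review by hand) -> not flagged
RewriteRule ^/img/(.*)$ /$1 [L,UnsafePrefixStat]
<VirtualHost *:80>
  ServerName example.test
  # D: VirtualHost is per-server context for mod_rewrite; first segment is a variable -> flagged
  RewriteRule ^/site/(.*)$ %{DOCUMENT_ROOT}/$1 [L]
</VirtualHost>
<Directory /var/www/html>
  # E: per-directory context is outside the advisory's affected shape -> not flagged
  RewriteRule ^api/(.*)$ api.php?q=$1 [QSA]
</Directory>
"""

_CONTAINERS = r"VirtualHost|Directory|DirectoryMatch|Location|LocationMatch|Files|FilesMatch|If"
_OPEN = re.compile(rf"^\s*<({_CONTAINERS})\b", re.I)
_CLOSE = re.compile(rf"^\s*</({_CONTAINERS})\s*>", re.I)
_RULE = re.compile(
    r'^\s*RewriteRule\s+(?P<pat>"[^"]*"|\S+)\s+(?P<sub>"[^"]*"|\S+)'
    r"(?:\s+\[(?P<flags>[^\]]*)\])?",
    re.I,
)
# Substitution whose first path segment is a RewriteRule backreference ($N),
# a RewriteCond backreference (%N) or a rewrite variable (%{VAR}).
_REQUEST_DERIVED_FIRST_SEGMENT = re.compile(r"^/?(\$[0-9]|%[0-9]|%\{[^}]+\})")
PER_SERVER_CONTEXTS = {"server", "virtualhost"}


def parse_rewrite_rules(conf: str):
    """Yield (line_no, context, pattern, substitution, flags) for each RewriteRule.

    Context is 'server' at top level, otherwise the innermost enclosing container.
    """
    stack = []
    for line_no, line in enumerate(conf.splitlines(), 1):
        if (m := _OPEN.match(line)):
            stack.append(m.group(1))
            continue
        if _CLOSE.match(line):
            if stack:
                stack.pop()
            continue
        m = _RULE.match(line)
        if not m:
            continue
        flags = {
            f.strip().split("=", 1)[0].lower()
            for f in (m.group("flags") or "").split(",")
            if f.strip()
        }
        context = stack[-1] if stack else "server"
        yield line_no, context, m.group("pat").strip('"'), m.group("sub").strip('"'), flags


def audit_rewrite_rules(conf: str):
    """Return (line_no, context, substitution) for every rule whose substitution's
    first segment is request-derived in per-server context (the CVE-2024-38475 shape),
    unless the rule opts back in with UnsafePrefixStat."""
    findings = []
    for line_no, context, _pat, sub, flags in parse_rewrite_rules(conf):
        if sub == "-" or "unsafeprefixstat" in flags:
            continue
        if context.lower() in PER_SERVER_CONTEXTS and _REQUEST_DERIVED_FIRST_SEGMENT.match(sub):
            findings.append((line_no, context, sub))
    return findings


def path_has_encoded_question_mark(raw_request_target: str) -> bool:
    """True if the path portion of the request target (before any literal '?')
    carries a percent-encoded '?' (%3F), directly or after one round of decoding."""
    path = raw_request_target.split("?", 1)[0]
    return "%3f" in path.lower() or "%3f" in unquote(path).lower()


if __name__ == "__main__":
    for line_no, context, sub in audit_rewrite_rules(SAMPLE_CONF):
        print(f"line {line_no} ({context}): substitution {sub!r} starts with a request-derived segment")
    for target in ("/html/page%3Fx", "/html/page%253Fx", "/html/page?x"):
        print(target, path_has_encoded_question_mark(target))
```

The audit is deliberately conservative: a substitution that begins with a server-controlled variable such as %{DOCUMENT_ROOT} is reported as well, because the advisory wording covers variables generally and a human reviewer is the right place to decide whether the remainder of the substitution is adequately constrained. A rule that is reported should either be rewritten so its substitution starts with a fixed literal prefix under the intended document tree (rule A above) or be reviewed and explicitly opted back in with UnsafePrefixStat (rule C). The request-side check is only a coarse pre-filter; it says nothing about whether a given rewrite is exploitable, and an encoded question mark in a path can be legitimate traffic.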

Mitigating with App & API Protector

Customers who are using Akamai Adaptive Security Engine in automatic mode and have the Web Protocol and Web Platform attack groups in Deny mode are automatically protected against these vulnerabilities.

Customers who are using Adaptive Security Engine in manual mode should validate that they have Web Protocol and Web Platform attack groups or the following individual rules in Deny mode:

  • 951910 v6 — HTTP Response Splitting Attack (Header Injection)

  • 3000950 v1 — Apache httpd Server Exploit Attempt Detected (CVE-2024-38475, CVE-2024-38474)

Akamai Adaptive Security Engine is already providing protection against many of these vulnerabilities. However, based on the information shared by Orange Tsai, we have released rule 3000950 to provide our customers with complete protection against these threats.

Adding extra layers of defense

The most effective defense will always be to promptly apply the patches provided by the vendor. However, we understand that the amount of time and effort that security teams need to identify and safely patch vulnerable software is taxing — and the growing number of applications and fluid environments is making this task even more onerous.

A defense-in-depth strategy remains crucial for protecting an organization's assets from an ever-increasing number of threats. Attackers are quick to incorporate public proofs of concept into their attack toolsets, which increases the challenge for defenders. 

Implementing a web application firewall, such as Akamai App & API Protector, can add an additional layer of defense, protect against newly discovered CVEs, and provide an extra buffer of security.

Acknowledgments

We are grateful to Orange Tsai and the DEVCORE team for coordinating with Akamai and making it possible to limit the impact on Akamai customers who run the Apache httpd web server. We also thank Tsai for his continued contributions to the security community.

Akamai would also like to encourage the wider security research community to collaborate with us when disclosing new web vulnerability details in the future, as we protect a very large number of critical websites.
