Skip to content
Join Censys on September 10, 2024 for our Threat Hunting Workshop in San Francisco, CA | Register Now
Advisory

July 23, 2024 Advisory: Vulnerability in Apache HTTP Server [CVE-2024-40725 & CVE-2024-40898]

Share

July 23, 2024
Tags:
  • Date Published: July 23rd, 2024
  • CVE-ID: CVE-2024-40725 & CVE-2024-40898
  • Issue Name and Description: Apache HTTP Server Flaws
    Two vulnerabilities, CVE-2024-40725 and CVE-2024-40898, have been identified in Apache HTTP Server versions 2.4.0 to 2.4.61. These flaws could allow an attacker to perform HTTP Request Smuggling attacks or bypass SSL client authentication, potentially leading to unauthorized access to protected resources.
  • Asset Description: The affected assets are Apache HTTP Servers, which are widely used web servers that power many websites and online applications around the world. They run on various operating systems, including Linux-based and Windows platforms.
  • Vulnerability Impact:
    • If this vulnerability is successfully exploited, a threat actor could gain unauthorized access to protected resources, potentially leading to information disclosure, data theft, or system intrusion.
    • An attacker could also exploit the vulnerabilities to perform further attacks such as session hijacking, cross-site scripting (XSS), or command injection.
  • Exploitation Details:
    • As of now, there is no known active exploitation of these vulnerabilities; however, the ease of exploitation and potential impact make them a high priority for patching.
    • Exploiting these flaws requires some technical expertise but is not extremely difficult. A proof-of-concept (PoC) exploit code has been made available, but no instances of real-world exploitation have been reported.
    • The vulnerabilities can be exploited by sending specially crafted HTTP requests or SSL requests to the affected Apache HTTP Server versions 2.4.0 to 2.4.61.
  • Patch Availability:
    • The vendors have released patches for both vulnerabilities; users are advised to upgrade Apache HTTP Server to version 2.4.62 or later to fix this vulnerability.
    • In addition, users should review and update their SSL configurations to ensure proper use of the SSLVerifyClient directive and avoid authentication bypass risks.
  • Detection with Censys: The following queries can be leveraged to identify all Censys-visible public-facing Apache HTTP Server instances that may potentially be vulnerable to either CVE-2024-40725 or CVE-2024-40898. However the ASM Risk query only covers CVE-2024-40725.
    • Censys Search query: services.software: (vendor: “Apache” and product: “HTTPD” and version: [2.4.0 to 2.4.61])
    • Censys ASM query: host.services.software: (vendor: “Apache” and product: “HTTPD” and version: [2.4.0 to 2.4.61]) or web_entity.instances.software: (vendor: “Apache” and product: “HTTPD” and version: [2.4.0 to 2.4.61])
    • Censys ASM Risk query: risks.name=”Vulnerable Apache HTTP Server [CVE-2024-40725]”
  • References:

Similar Content

View All Similar Content
Back to Resources Hub
Attack Surface Management Solutions
Learn more