Exploit
CVE-2023-25690

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') (CWE-444)

Published: Mar 7, 2023 / Updated: 20mo ago

010
CVSS 9.8EPSS 4.4%Critical
CVE info copied to clipboard

Summary

Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution.

Impact

Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning. This vulnerability has a CVSS v3.1 base score of 9.8 (Critical), with High impacts on Confidentiality, Integrity, and Availability. The attack vector is Network-based, requires Low attack complexity, No privileges, and No user interaction.

Exploitation

Multiple proof-of-concept exploits are available on github.com, github.com, github.com. There is no evidence of proof of exploitation at the moment.

Patch

A patch is available. Users are recommended to update to at least version 2.4.56 of Apache HTTP Server.

Mitigation

Update Apache HTTP Server to version 2.4.56 or later. If immediate updating is not possible, review and modify any configurations using mod_proxy with RewriteRule or ProxyPassMatch that match user-supplied URL data and reinsert it into proxied requests. Consider implementing additional access controls and monitoring for suspicious proxy server activities.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

First Article

Feedly found the first article mentioning CVE-2023-25690. See article

Mar 7, 2023 at 1:20 PM / www.mail-archive.com
EPSS

EPSS Score was set to: 4.4% (Percentile: 91.4%)

Sep 20, 2023 at 9:46 AM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (503859)

Jan 4, 2024 at 12:00 AM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (187757)

Jan 9, 2024 at 10:15 AM
Threat Intelligence Report

The vulnerability CVE-2023-25690 is critical with a CVSS v3 base score of 9.8. It allows remote attackers to execute arbitrary code and gain full control over the affected system. There are no known proof-of-concept exploits, but it is recommended to apply patches or mitigations to prevent exploitation. The impact may extend to third-party vendors or technologies that rely on the affected system. See article

Feb 15, 2024 at 6:30 PM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (380719)

Oct 16, 2024 at 7:53 AM
Exploitation in the Wild

Attacks in the wild have been reported by inthewild.io. See article

Nov 11, 2024 at 6:05 AM / inthewild.io
Static CVE Timeline Graph

Affected Systems

Apache/http_server
+null more

Exploits

https://github.com/dhmosfunk/CVE-2023-25690-POC
+null more

Patches

Oracle
+null more

Attack Patterns

CAPEC-33: HTTP Request Smuggling
+null more

Vendor Advisory

Oracle Critical Patch Update Advisory - October 2023
This Critical Patch Update contains 10 new security patches, plus additional third party patches noted below, for Oracle Database Products. Component : Install/Upgrade (Spring Security)

References

Apache HTTP Server 2.4 vulnerabilities
Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Cookie header handled by mod_session can cause a NULL pointer dereference and crash, leading to a possible Denial Of Service Apache HTTP Server versions 2.4.41 to 2.4.46 mod_proxy_http can be made to crash (NULL pointer dereference) with specially crafted requests using both Content-Length and Transfer-Encoding headers, leading to a Denial of Service
Multi-Stage Malware Attack Exploiting Bing Search Engine: Analyzing Attack IP Addresses and Domains with Threat Hunting Tools
In this article, we will explore how the malware leverages Bing search results and uses threat hunting tools to analyze the IP addresses and domains involved in the attack. This multi-stage malware attack involves distributing malicious files, executing installers, connecting to C2 domains, and downloading and inserting backdoors to carry out attacks such as remote control, data theft, and the delivery of additional payloads.
Andariel: North Korean APT Group Targets Military and Nuclear Programs
The North Korean APT group utilizes a range of tactics, including spear phishing and vulnerability exploitation against web servers to infiltrate targeted organizations. Andariel Threat Group Campaign Backdoor Malware Email Threat
See 8 more references

News

Oracle Linux 9 : httpd (ELSA-2024-9306)
Nessus Plugin ID 211533 with High Severity Synopsis The remote Oracle Linux host is missing one or more security updates. Description The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2024-9306 advisory. - Resolves: RHEL-52724 - Regression introduced by CVE-2024-38474 fix - Resolves: RHEL-31856 - httpd: HTTP response splitting (CVE-2023-38709) - Resolves: RHEL-31859 - httpd: HTTP Response Splitting in multiple modules (CVE-2024-24795) - Resolves: RHEL-14447 - httpd: mod_macro:
Zimbra Security Advisories
10.1.3 lebr0nli (Alan Li) An XSS vulnerability in the /h/rest endpoint, which allows authorized remote attackers to exploit it using their valid auth tokens, has been fixed to prevent arbitrary JavaScript execution. 8.8.15 Patch 46 lebr0nli (Alan Li) A Cross-Site Scripting (XSS) issue that allowed an attacker to inject and execute malicious code via email account configurations has been resolved.
Zimbra Security Advisories revision 70804
10.1.3 lebr0nli (Alan Li) An XSS vulnerability in the /h/rest endpoint, which allows authorized remote attackers to exploit it using their valid auth tokens, has been fixed to prevent arbitrary JavaScript execution. 8.8.15 Patch 46 lebr0nli (Alan Li) A Cross-Site Scripting (XSS) issue that allowed an attacker to inject and execute malicious code via email account configurations has been resolved.
Zimbra Security Advisories
Patch Version Reporter An XSS vulnerability in the /h/rest endpoint, which allows authorized remote attackers to exploit it using their valid auth tokens, has been fixed to prevent arbitrary JavaScript execution. 8.8.15 Patch 46 lebr0nli (Alan Li) A Cross-Site Scripting (XSS) issue that allowed an attacker to inject and execute malicious code via email account configurations has been resolved.
Zimbra Security Advisories revision 70801
Patch Version Reporter An XSS vulnerability in the /h/rest endpoint, which allows authorized remote attackers to exploit it using their valid auth tokens, has been fixed to prevent arbitrary JavaScript execution. 8.8.15 Patch 46 lebr0nli (Alan Li) A Cross-Site Scripting (XSS) issue that allowed an attacker to inject and execute malicious code via email account configurations has been resolved.
See 440 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:None
User Interaction:None
Scope:Unchanged
Confidentiality:High
Integrity:High
Availability Impact:High

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI