A new server-side request forgery (SSRF) vulnerability, CVE-2021-40438, may be exploited against httpd web servers with the mod_proxy module installed. An attacker can take advantage of this severe weakness by sending a specially crafted request to the module, which causes the request to be forwarded to an arbitrary origin server.
The flaw was discovered by the Apache HTTP security team when they were looking at another vulnerability. It impacts version 2.4.48 and earlier, and was fixed in mid-September with the release of version 2.4.49.
According to a blog post by Fastly, attackers can force the mod_proxy module (if enabled) to route connections to an origin server of their choice by delivering a carefully crafted request. As a result, attackers can steal secrets (such as infrastructure information or keys) or gain access to other internal systems (which may be less protected than those exposed to the outside).
Fastly reported that over 500,000 servers were running vulnerable versions of httpd, but the company pointed out that cloud services like AWS, Microsoft Azure, and Google Cloud Platform offered protection against such attacks, implying that the flaw primarily affects organizations running their own httpd servers.
A Cisco advisory describes the effect of five Apache HTTP Server vulnerabilities on the company’s products. Prime Collaboration Provisioning, Security Manager, Expressway series, and TelePresence Video Communication Server products have been verified as vulnerable, while many more are currently being investigated. Cisco’s Product Security Incident Response Team (PSIRT) became aware of the “exploitation efforts” of CVE-2021-40438 earlier this month.
According to a security advisory published by Germany’s BSI last week, at least one case has been identified in which an attacker leveraged this weakness to extract hash values of user credentials from a targeted machine.
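To check a host against the affected range given above (2.4.48 and earlier, with mod_proxy loaded), the following added example, which is not from Fastly, Cisco, or the Apache project, classifies the text printed by `httpd -v` and `httpd -M`. The function names and the sample output are constructed for illustration.

```python
import re

FIXED = (2, 4, 49)  # first fixed release named in the article

# Constructed sample text in the format printed by `httpd -v` and `httpd -M`.
SAMPLE_V = "Server version: Apache/2.4.48 (Unix)\nServer built:   Jun  1 2021 10:00:00\n"
SAMPLE_M = (
    "Loaded Modules:\n"
    " core_module (static)\n"
    " so_module (static)\n"
    " proxy_module (shared)\n"
    " proxy_http_module (shared)\n"
)


def parse_version(httpd_v_output):
    """Return (major, minor, patch) from `httpd -v` output, or None if absent."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", httpd_v_output)
    return tuple(int(x) for x in m.groups()) if m else None


def loaded_modules(httpd_m_output):
    """Return the set of module names listed by `httpd -M`."""
    pattern = r"^\s*(\w+_module)\s+\((?:static|shared)\)"
    return set(re.findall(pattern, httpd_m_output, re.M))


def triage(httpd_v_output, httpd_m_output):
    """Classify exposure to CVE-2021-40438 from the two command outputs."""
    version = parse_version(httpd_v_output)
    if version is None:
        return "unknown"                # could not read a version string
    if version >= FIXED:
        return "patched"                # 2.4.49 or later
    if "proxy_module" in loaded_modules(httpd_m_output):
        return "vulnerable"             # affected release with mod_proxy loaded
    return "outdated-no-mod_proxy"      # affected release, module not loaded


if __name__ == "__main__":
    print(triage(SAMPLE_V, SAMPLE_M))
```

Distribution packages often backport fixes without changing the upstream version string, so a "vulnerable" result should be confirmed against the vendor's own advisory.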