CVE-2024-1019
📋 TL;DR
CVE-2024-1019 is a WAF bypass vulnerability in ModSecurity v3 that allows attackers to hide malicious payloads in URL paths by using percent-encoded characters. This bypasses security rules that inspect URL paths, potentially enabling attacks like SQL injection or path traversal against vulnerable backend applications. Affected systems are those running ModSecurity v3.0.0 through 3.0.11 as a web application firewall.
💻 Affected Systems
- ModSecurity
- libModSecurity
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete WAF bypass leading to successful SQL injection, path traversal, or other attacks against backend applications that process URL paths, potentially resulting in data breach, system compromise, or unauthorized access.
Likely Case
Partial WAF bypass allowing some attack payloads to reach backend applications, potentially exploiting vulnerabilities that would normally be blocked.
If Mitigated
Attack payloads are properly detected and blocked by the WAF with no impact to backend systems.
🎯 Exploit Status
Exploitation requires crafting URLs with percent-encoded characters to hide payloads in the path component. Public details exist in advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.0.12
Vendor Advisory: https://owasp.org/www-project-modsecurity/tab_cves#cve-2024-1019-2024-01-30
Restart Required: Yes
Instructions:
1. Check the current ModSecurity version.
2. Download and install ModSecurity 3.0.12 or later from official sources.
3. Restart the web server or ModSecurity service.
4. Verify the update was successful.
🔧 Temporary Workarounds
Custom Rule to Detect Percent-Encoded Paths
Add ModSecurity rules that inspect the raw request URI for percent-encoded characters in the path and block the request before the path is processed. Note that rule 1001 matches any percent-encoded byte anywhere in REQUEST_URI (query strings included), so on its own it will deny legitimate requests such as encoded UTF-8 file names or form data and makes rules 1002-1004 unreachable; deploy with SecRuleEngine DetectionOnly (or with pass in place of deny) first, review the matches, and keep only the rules that fit your traffic.
# Any percent-encoded byte anywhere in the raw URI: broadest match, highest false-positive rate
SecRule REQUEST_URI "@rx %[0-9A-Fa-f]{2}" "id:1001,phase:1,deny,log,msg:'Potential CVE-2024-1019 bypass attempt'"
# Two or more percent-encoded bytes in the URI
SecRule REQUEST_URI "@rx %[0-9A-Fa-f]{2}.*%[0-9A-Fa-f]{2}" "id:1002,phase:1,deny,log,msg:'Multiple percent-encoded chars in path'"
# A percent-encoded byte in the path component, i.e. before the literal '?' that starts the query string
SecRule REQUEST_URI "@rx %[0-9A-Fa-f]{2}[^?]*\?" "id:1003,phase:1,deny,log,msg:'Percent-encoded char before query string'"
# A percent-encoded byte followed by a query delimiter ('?' or '&')
SecRule REQUEST_URI "@rx %[0-9A-Fa-f]{2}[^?]*[?&]" "id:1004,phase:1,deny,log,msg:'Percent-encoded char near query delimiter'"
🧯 If You Can't Patch
- Implement additional input validation in backend applications to sanitize URL path components before use.
- Deploy a secondary WAF or intrusion prevention system (IPS) in front of ModSecurity to detect bypass attempts.
🔍 How to Verify
Check if Vulnerable:
Check ModSecurity version; if between 3.0.0 and 3.0.11 inclusive, the system is vulnerable.
Check Version:
modsecurity -v or check web server configuration/modsecurity.conf for version info
Verify Fix Applied:
Confirm ModSecurity version is 3.0.12 or higher and test with crafted URLs containing percent-encoded characters in paths to ensure they are blocked.
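The version check above is easy to get wrong with a plain string comparison ("3.0.9" sorts after "3.0.12"). The following helper, added here as an example and not part of the advisory or the ModSecurity project, parses an x.y.z version out of whatever string the administrator obtains (a `modsecurity -v` banner, a package name, a configuration comment) and tests it against the affected range 3.0.0 through 3.0.11 inclusive.

```python
import re

# Affected range from the advisory: 3.0.0 <= version < 3.0.12
AFFECTED_MIN = (3, 0, 0)
FIRST_FIXED = (3, 0, 12)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract the first x.y.z version from free-form text as a tuple of ints."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(text):
    """True when the version found in `text` is in the CVE-2024-1019 affected range."""
    version = parse_version(text)
    # Tuple comparison is numeric per component, so 3.0.9 < 3.0.12 as intended
    return AFFECTED_MIN <= version < FIRST_FIXED


def classify(text):
    """Human-readable verdict for a version string."""
    version = parse_version(text)
    if version[0] != 3:
        return "not a ModSecurity v3 release; outside the scope of this advisory"
    if is_affected(text):
        return "VULNERABLE: upgrade to 3.0.12 or later"
    return "fixed release (3.0.12 or later)"


if __name__ == "__main__":
    # Constructed sample strings, not output captured from a real system
    for sample in ("ModSecurity v3.0.11", "libmodsecurity3 3.0.9-1", "3.0.12", "ModSecurity v2.9.7"):
        print(f"{sample!r:32} -> {classify(sample)}")
```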
📡 Detection & Monitoring
Log Indicators:
- Unusual percent-encoded characters in URL paths in access logs
- Failed WAF rule matches for path-based attacks
- Increased 400/403 errors for malformed URLs
Network Indicators:
- HTTP requests with percent-encoded characters in path components before query strings
- Repeated requests with varying encoded payloads
SIEM Query:
source="web_access_logs" AND (uri MATCHES "%[0-9A-Fa-f]{2}[^?]*\?" OR uri MATCHES "%[0-9A-Fa-f]{2}.*%[0-9A-Fa-f]{2}")
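The log indicators and the SIEM query above both key on percent-encoded bytes in the path component. The script below, added here as an example and not part of the advisory, runs that logic over a few constructed combined-format access log lines: it isolates the path (everything before the first literal `?`), decodes it the way a backend would, and raises severity when decoding produces something the raw path did not contain (a `?` delimiter or a `..` segment). It also counts how many lines the broad workaround rule 1001 would have denied, to make the false-positive trade-off visible. The log lines, addresses and paths are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in combined log format; none of this is real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Jan/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.6 - - [30/Jan/2024:10:00:02 +0000] "GET /search?q=caf%C3%A9 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.6 - - [30/Jan/2024:10:00:03 +0000] "GET /docs/caf%C3%A9.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Jan/2024:10:00:04 +0000] "GET /app/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 403 0 "-" "python-requests/2.31"
203.0.113.7 - - [30/Jan/2024:10:00:05 +0000] "GET /app/page%3Fid=1 HTTP/1.1" 400 0 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
PCT = re.compile(r"%[0-9A-Fa-f]{2}")  # same pattern the workaround rules and SIEM query use


def analyze_uri(uri):
    """Inspect only the path component: everything before the first literal '?'."""
    path = uri.partition("?")[0]
    decoded = unquote(path)
    return {
        "path": path,
        "encoded_in_path": len(PCT.findall(path)),
        "decoded_path": decoded,
        # A '?' that exists only after decoding means a component that decodes
        # before splitting path from query would see a different path than we do.
        "hidden_delimiter": "?" in decoded and "?" not in path,
        # A '..' that exists only after decoding is a traversal segment hidden by encoding.
        "decoded_traversal": ".." in decoded and ".." not in path,
    }


def severity(info):
    """'high' for decode-revealed delimiters or traversal, 'low' for any other encoded byte in the path."""
    if info["hidden_delimiter"] or info["decoded_traversal"]:
        return "high"
    if info["encoded_in_path"]:
        return "low"
    return None


def scan_log(text):
    """Return one finding per log line whose path contains percent-encoded bytes."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        info = analyze_uri(m["uri"])
        sev = severity(info)
        if sev:
            findings.append({"ip": m["ip"], "status": int(m["status"]), "severity": sev, **info})
    return findings


def rule_1001_hits(text):
    """How many lines the page's rule 1001 (any %XX anywhere in REQUEST_URI) would deny."""
    hits = 0
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and PCT.search(m["uri"]):
            hits += 1
    return hits


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity']:4} {f['ip']:12} {f['status']} {f['path']} -> {f['decoded_path']}")
    print("lines rule 1001 would deny:", rule_1001_hits(SAMPLE_LOG))
```

The path-scoped check flags three of the five lines and ranks the encoded UTF-8 file name as low, whereas rule 1001 would have denied four, including the harmless encoded query parameter. Feed real logs through `scan_log` and tune the severity thresholds to your traffic before turning the findings into alerts.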
🔗 References
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/34KDQNZE2RS3CWFG5654LNHKXXDPIW5I/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K6ZGABPJK2JPVH2JDFHZ5LQLWGONUH7V/
- https://owasp.org/www-project-modsecurity/tab_cves#cve-2024-1019-2024-01-30