CVE-2024-11148
📋 TL;DR
This vulnerability allows remote attackers to cause a denial-of-service (DoS) by sending a malformed FastCGI request to OpenBSD's httpd server. The NULL pointer dereference causes the httpd process to crash, disrupting web services. Affected systems are OpenBSD servers running vulnerable versions of httpd with FastCGI enabled.
💻 Affected Systems
- OpenBSD httpd
📦 What is this software?
OpenBSD by OpenBSD
⚠️ Risk & Real-World Impact
Worst Case
Complete service disruption of the httpd web server, requiring manual restart and potentially affecting availability of hosted applications.
Likely Case
Intermittent httpd crashes leading to service interruptions and degraded web application availability.
If Mitigated
Limited impact with proper monitoring and automated restart mechanisms in place.
🎯 Exploit Status
Exploitation requires sending a specifically crafted FastCGI request to a vulnerable httpd instance.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: OpenBSD 7.3 errata 020, OpenBSD 7.4 errata 006
Vendor Advisory: https://ftp.openbsd.org/pub/OpenBSD/patches/
Restart Required: Yes
Instructions:
1. Download the appropriate patch from OpenBSD's patch repository.
2. Apply the patch using 'patch -p0 < patch_file'.
3. Rebuild and reinstall httpd.
4. Restart the httpd service.
🔧 Temporary Workarounds
Disable FastCGI
Temporarily disable FastCGI functionality in httpd configuration if not required.
Edit /etc/httpd.conf and remove or comment out FastCGI directives
Restart httpd: rcctl restart httpd
🧯 If You Can't Patch
- Implement network filtering to block FastCGI requests from untrusted sources.
- Deploy a reverse proxy or WAF in front of vulnerable httpd instances to filter malicious requests.
🔍 How to Verify
Check if Vulnerable:
Check OpenBSD version and installed patches: sysctl kern.version
Check Version:
sysctl kern.version
Verify Fix Applied:
Verify patch is applied by checking httpd version and confirming errata level matches or exceeds required versions.
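One way to script the errata-level check described above (an added example, not part of the original advisory or of OpenBSD's tooling). It assumes the host is patched with syspatch(8), whose `syspatch -l` lists installed patches one per line as `NNN_name`; the function names and the sample patch names are hypothetical.

```shell
#!/bin/sh
# Required errata number per release, from the "Official Fix" line on this page.
required_errata() {
    case "$1" in
        7.3) echo 20 ;;
        7.4) echo 6 ;;
        *)   return 1 ;;   # release not listed on this page
    esac
}

# Read `syspatch -l` style lines (NNN_name) on stdin and print the highest
# numeric prefix, or 0 when no patch is listed.
highest_errata() {
    max=0
    while IFS= read -r line; do
        num=${line%%_*}
        case "$num" in
            ''|*[!0-9]*) continue ;;   # skip lines without a numeric prefix
        esac
        num=$(echo "$num" | sed 's/^0*//')   # "020" -> "20", never octal
        if [ -z "$num" ]; then num=0; fi
        if [ "$num" -gt "$max" ]; then max=$num; fi
    done
    echo "$max"
}

# check_httpd_fix RELEASE  (patch list on stdin)
# Prints patched | vulnerable | unknown and returns 0 | 1 | 2.
# Assumption: patches are installed in sequence, so a highest number that
# matches or exceeds the required errata means the fix is present.
# A system patched from source will not show up in `syspatch -l`.
check_httpd_fix() {
    need=$(required_errata "$1") || { echo unknown; return 2; }
    have=$(highest_errata)
    if [ "$have" -ge "$need" ]; then
        echo patched
        return 0
    fi
    echo vulnerable
    return 1
}

# Constructed sample in `syspatch -l` form (patch names are placeholders).
sample_list() { printf '%s\n' 001_placeholder 005_placeholder 006_placeholder; }
sample_list | check_httpd_fix 7.4   # prints: patched

# On an OpenBSD host: syspatch -l | check_httpd_fix "$(uname -r)"
```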
📡 Detection & Monitoring
Log Indicators:
- httpd process crashes in system logs
- Segmentation fault errors in httpd logs
- Unexpected httpd restarts
Network Indicators:
- Malformed FastCGI requests to httpd ports
- Unusual traffic patterns to FastCGI endpoints
SIEM Query:
source="httpd" AND ("segmentation fault" OR "crash" OR "SIGSEGV")