CVE-2024-23771

9.8 CRITICAL

📋 TL;DR

This vulnerability in darkhttpd lets remote attackers recover the configured Basic Auth credential through a timing side channel. The server checks the credential a client supplies against the configured one with strcmp, which returns as soon as it finds a differing byte, so the response time grows with the length of the correctly guessed prefix. By measuring that time over many requests an attacker can reconstruct the expected value one position at a time and then log in with it. Anyone running darkhttpd before 1.15 with the --auth option enabled is affected.
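The comparison at the heart of this CVE, as an added illustration written for this page and not taken from darkhttpd's source: auth_check_strcmp is the affected shape (an early-exit compare), early_exit_steps counts how much work such a compare does before it can answer, which is the quantity a timing attacker measures, and auth_check_ct is the kind of constant-time replacement the 1.15 fix introduces. The credential value is RFC 7617's example, not a real secret, and the function names are this example's own.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Added illustration, not darkhttpd's source. Both checks compare the
 * credential string a client sent in an Authorization: Basic header
 * (base64 of "user:pass") against the value the server expects.
 * Return 1 on match, 0 otherwise. */

/* The affected pattern. strcmp returns at the first differing byte, so
 * its running time grows with the length of the matching prefix. */
int auth_check_strcmp(const char *supplied, const char *expected)
{
    return strcmp(supplied, expected) == 0;
}

/* Models the work an early-exit compare does before it can answer:
 * the number of byte comparisons is the common-prefix length plus one.
 * That count is what a timing attacker recovers, one position at a
 * time, by sending candidates that extend the prefix already known. */
size_t early_exit_steps(const char *a, const char *b)
{
    size_t n = 0;
    for (;;) {
        n++;
        if (a[n - 1] != b[n - 1] || a[n - 1] == '\0')
            return n;
    }
}

/* Constant-time replacement. Every byte of 'expected' is visited on
 * every call, nothing returns early, and the length mismatch is folded
 * into the result instead of being tested first. The loop bound is the
 * expected value's own length, so it does not vary with the input. */
int auth_check_ct(const char *supplied, const char *expected)
{
    size_t slen = strlen(supplied);
    size_t elen = strlen(expected);
    unsigned char diff = 0;
    size_t i;

    for (i = 0; i < elen; i++) {
        /* Past the end of 'supplied' compare against a constant so the
         * loop still runs all the way to elen. */
        unsigned char s = (i < slen) ? (unsigned char)supplied[i] : 0;
        diff |= s ^ (unsigned char)expected[i];
    }
    diff |= (unsigned char)(slen != elen);
    return diff == 0;
}

int main(void)
{
    /* RFC 7617's example credential, "Aladdin:open sesame", base64-encoded. */
    const char *expected = "QWxhZGRpbjpvcGVuIHNlc2FtZQ==";
    const char *guess_prefix = "QWxhZGRpbjpvcGVu";  /* first 16 bytes right */
    const char *guess_wrong = "Zm9vOmJhcg==";        /* "foo:bar" */

    printf("early-exit work, wrong from byte 1 : %zu steps\n",
           early_exit_steps(guess_wrong, expected));
    printf("early-exit work, 16-byte prefix ok : %zu steps\n",
           early_exit_steps(guess_prefix, expected));
    printf("constant-time, prefix only         : %d\n",
           auth_check_ct(guess_prefix, expected));
    printf("constant-time, full credential     : %d\n",
           auth_check_ct(expected, expected));
    return 0;
}
```

The step counts differ only by the length of the matching prefix, and that difference is the whole leak. In auth_check_ct the one thing still observable is how long the expected value is, not what it contains. If you build with optimisation, inspect the generated code: a compiler may rewrite a loop whose result it can compute another way, so production servers usually borrow a vetted constant-time compare from a crypto library rather than hand-rolling one.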

💻 Affected Systems

Products:
  • darkhttpd
Versions: All versions before 1.15
Operating Systems: Linux, BSD and other Unix-like systems
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when the server is started with the --auth user:pass option. darkhttpd has no configuration file and does not read .htpasswd files; instances started without --auth have no authentication and are not affected by this issue.

📦 What is this software?

darkhttpd is a small, single-binary HTTP server written in C by Emil Mikulic. It serves static files only, has no configuration file and is controlled entirely through command-line options, including the optional --auth user:pass switch that enables HTTP Basic authentication for everything it serves.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Recovery of the configured credential and full access to everything the protected instance serves. darkhttpd serves static files only, so the direct impact is disclosure of that content; if the same credential is reused elsewhere, or the protected files themselves contain secrets, the compromise can extend beyond the web server.

🟠

Likely Case

Authentication bypass enabling unauthorized access to protected web content and resources served by darkhttpd.

🟢

If Mitigated

Limited impact with proper network segmentation and additional authentication layers, though the vulnerability still exists.

🌐 Internet-Facing: HIGH - Internet-facing darkhttpd instances with authentication are directly exploitable by remote attackers.
🏢 Internal Only: MEDIUM - Internal instances are still vulnerable but require network access; risk depends on internal threat models.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation needs no credentials, only the ability to send many requests and time the responses precisely enough to separate a one-byte difference in comparison work from network jitter. In practice that means thousands of samples per guessed position and statistical filtering, which is why the complexity is rated medium rather than low; generic timing-attack harnesses apply, nothing darkhttpd-specific is required. The flaw and its fix are documented in the upstream commit linked below.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.15

Vendor Advisory: https://github.com/emikulic/darkhttpd/commit/f477619d49f3c4de9ad59bd194265a48ddc03f04

Restart Required: Yes

Instructions:

1. Fetch the darkhttpd 1.15 (or later) source from GitHub.
2. Build it (the project compiles to a single binary with make).
3. Replace the installed darkhttpd binary with the new one.
4. Restart the darkhttpd process, or the service unit that supervises it, so the new binary is the one listening.

🔧 Temporary Workarounds

Disable Authentication

all

Remove authentication if the content does not strictly need it. darkhttpd has no configuration file and does not read .htpasswd files; credentials are supplied only through the --auth user:pass command-line option.

Restart darkhttpd with the --auth option removed from its command line
Accept that the content is then readable by anyone who can reach the listener

Use Reverse Proxy with Secure Auth

linux

Place darkhttpd behind a reverse proxy (nginx with auth_basic, Apache with mod_auth_basic, or any stronger scheme the proxy supports) and let the proxy perform the credential check

Configure nginx or Apache to authenticate and forward requests to darkhttpd
Bind darkhttpd to loopback with --addr 127.0.0.1 so only the proxy can reach it, and start it without --auth

🧯 If You Can't Patch

  • Restrict who can reach the listener at the network level (firewall rules, or --addr to bind to a specific interface)
  • Put an independent authentication layer in front of it (VPN, source-IP allow lists, an authenticating reverse proxy or application firewall)

🔍 How to Verify

Check if Vulnerable:

Find the running version: started without arguments, darkhttpd prints a usage banner whose first line begins with darkhttpd/<version>, and unless it was started with --no-server-id every response carries the same string in the Server header. A version below 1.15 is affected only if the process was started with the --auth option; the process's command line (ps) shows whether it was.

Check Version:

darkhttpd

(no arguments; read the version from the first line of the banner, or read the Server response header from a running instance)

Verify Fix Applied:

Confirm the banner or the Server header reports 1.15 or later. For a build from source, confirm the checked-out tree includes the upstream fix commit linked under Official Fix, which replaces the strcmp in the authentication check with a constant-time comparison.

📡 Detection & Monitoring

Log Indicators:

  • Runs of 401 responses from one client for the same protected path (darkhttpd emits no authentication event of its own and records no response times, so the per-client 401 count is the signal)
  • A 2xx for that path from the same client immediately after such a run
  • A request rate far beyond what a person with a browser produces (a timing attack needs many samples per guessed byte)

Network Indicators:

  • Many requests to one protected URL from a single source, each carrying a slightly different Authorization: Basic value
  • Requests sent at a steady, high cadence, as an attacker does to keep jitter out of the timing measurements

SIEM Query:

source="darkhttpd" status=401 | stats count by src_ip, uri | where count > 100

Field names depend on how the log is parsed on ingest; darkhttpd's own log has no event or auth field, only the status code.
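Detection logic built on the indicators above, as an added example that is not part of this page or of darkhttpd: it parses constructed log lines in the common-log style darkhttpd writes with --log (the exact field layout is assumed; the parser keys only on the first token, the first quoted request field and the status code that follows it), counts 401s per client and path, and reports every client that crossed a threshold together with whether a 2xx followed. The threshold, bucket size and sample traffic are this example's choices.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added detection sketch, not darkhttpd's code. darkhttpd logs no
 * authentication event; a failed Basic Auth attempt leaves only a 401
 * line in the --log file. Constructed sample lines follow, in the
 * common-log style assumed here: client, "- -", CLF timestamp, quoted
 * "METHOD url", status, bytes, quoted referer, quoted user-agent. */
static const char *SAMPLE_LOG[] = {
    "198.51.100.7 - - [12/Jan/2024:10:00:01 +0000] \"GET /private/report.pdf\" 401 0 \"\" \"probe/0.1\"",
    "198.51.100.7 - - [12/Jan/2024:10:00:01 +0000] \"GET /private/report.pdf\" 401 0 \"\" \"probe/0.1\"",
    "203.0.113.5 - - [12/Jan/2024:10:00:02 +0000] \"GET /private/report.pdf\" 401 0 \"\" \"Mozilla/5.0\"",
    "198.51.100.7 - - [12/Jan/2024:10:00:02 +0000] \"GET /private/report.pdf\" 401 0 \"\" \"probe/0.1\"",
    "198.51.100.7 - - [12/Jan/2024:10:00:02 +0000] \"GET /private/report.pdf\" 401 0 \"\" \"probe/0.1\"",
    "192.0.2.1 - - [12/Jan/2024:10:00:03 +0000] \"GET /index.html\" 200 612 \"\" \"Mozilla/5.0\"",
    "203.0.113.5 - - [12/Jan/2024:10:00:03 +0000] \"GET /private/report.pdf\" 200 48213 \"\" \"Mozilla/5.0\"",
    "198.51.100.7 - - [12/Jan/2024:10:00:03 +0000] \"GET /private/report.pdf\" 401 0 \"\" \"probe/0.1\"",
    "198.51.100.7 - - [12/Jan/2024:10:00:04 +0000] \"GET /private/report.pdf\" 200 48213 \"\" \"probe/0.1\"",
};
static const size_t SAMPLE_LOG_COUNT = sizeof(SAMPLE_LOG) / sizeof(SAMPLE_LOG[0]);

#define MAX_BUCKETS 64

struct bucket {
    char ip[64];
    char uri[256];
    unsigned failures;      /* 401s seen for this (client, uri) */
    int success_after_run;  /* a 2xx arrived after the 401 run crossed the threshold */
};

/* Extract client address, request URI and status code from one line.
 * Returns 1 on success, 0 if the line does not have the expected shape. */
int parse_log_line(const char *line, char *ip, size_t ipsz,
                   char *uri, size_t urisz, int *status)
{
    size_t n = strcspn(line, " "), ulen;
    const char *q1, *q2, *sp;
    char *end;
    long st;

    if (n == 0 || n >= ipsz)
        return 0;
    memcpy(ip, line, n);
    ip[n] = '\0';
    q1 = strchr(line, '"');                       /* opening quote of "METHOD url" */
    if (q1 == NULL || (q2 = strchr(q1 + 1, '"')) == NULL)
        return 0;
    sp = memchr(q1 + 1, ' ', (size_t)(q2 - q1 - 1));
    if (sp == NULL)
        return 0;
    ulen = (size_t)(q2 - sp - 1);
    if (ulen == 0 || ulen >= urisz)
        return 0;
    memcpy(uri, sp + 1, ulen);
    uri[ulen] = '\0';
    st = strtol(q2 + 1, &end, 10);                /* status follows the closing quote */
    if (end == q2 + 1)
        return 0;
    *status = (int)st;
    return 1;
}

/* Count 401s per (client, uri). Every pair with at least 'threshold'
 * failures is copied to 'out', marked if a 2xx for the same pair came
 * after the run, the footprint of a guess that finally succeeded.
 * Returns the number of flagged pairs. */
size_t scan_log(const char **lines, size_t nlines, unsigned threshold,
                struct bucket *out, size_t max_out)
{
    struct bucket b[MAX_BUCKETS];
    size_t nb = 0, i, j, nout = 0;
    char ip[64], uri[256];
    int status;

    for (i = 0; i < nlines; i++) {
        if (!parse_log_line(lines[i], ip, sizeof ip, uri, sizeof uri, &status))
            continue;                             /* skip malformed lines */
        for (j = 0; j < nb; j++)
            if (strcmp(b[j].ip, ip) == 0 && strcmp(b[j].uri, uri) == 0)
                break;
        if (j == nb) {
            if (nb == MAX_BUCKETS)
                continue;                         /* table full; a real tool would evict */
            memset(&b[nb], 0, sizeof b[nb]);
            strcpy(b[nb].ip, ip);                 /* bounded by parse_log_line */
            strcpy(b[nb].uri, uri);
            nb++;
        }
        if (status == 401)
            b[j].failures++;
        else if (status >= 200 && status < 300 && b[j].failures >= threshold)
            b[j].success_after_run = 1;
    }
    for (j = 0; j < nb && nout < max_out; j++)
        if (b[j].failures >= threshold)
            out[nout++] = b[j];
    return nout;
}

int main(void)
{
    struct bucket hits[8];
    size_t i, n = scan_log(SAMPLE_LOG, SAMPLE_LOG_COUNT, 5, hits, 8);

    for (i = 0; i < n; i++)
        printf("%s %s: %u failed auths%s\n", hits[i].ip, hits[i].uri, hits[i].failures,
               hits[i].success_after_run ? ", then a 2xx (likely successful guess)" : "");
    return 0;
}
```

The threshold of 5 is only for the sample; against a real timing attack the count per client is in the thousands, so the value from the SIEM query above is a more realistic starting point. The one legitimate user in the sample (203.0.113.5, a single mistyped password followed by success) stays below any sensible threshold.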

🔗 References
