CVE-2024-24814
📋 TL;DR
CVE-2024-24814 is a denial-of-service vulnerability in mod_auth_openidc where attackers can send specially crafted cookies with large integer values to cause excessive resource consumption and server unresponsiveness. This affects Apache web servers using mod_auth_openidc for OpenID Connect authentication. The vulnerability requires no authentication and can be exploited with minimal effort.
💻 Affected Systems
- mod_auth_openidc
📦 What is this software?
Fedora by Fedoraproject
⚠️ Risk & Real-World Impact
Worst Case
Complete server unresponsiveness leading to service outage for all users, potentially requiring server restart and causing extended downtime.
Likely Case
Temporary performance degradation or intermittent 500 errors affecting user authentication and application availability.
If Mitigated
Minimal impact with proper input validation and resource limits in place.
🎯 Exploit Status
Exploitation requires sending HTTP requests with manipulated mod_auth_openidc_session_chunks cookie values, which can be easily automated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.4.15.2
Vendor Advisory: https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-hxr6-w4gc-7vvv
Restart Required: Yes
Instructions:
1. Backup the current configuration.
2. Download mod_auth_openidc version 2.4.15.2 or later.
3. Install the updated module.
4. Restart the Apache web server.
5. Verify the new version is active.
🔧 Temporary Workarounds
No official workarounds
The vendor advisory states there are no known workarounds for this vulnerability.
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block requests with suspicious mod_auth_openidc_session_chunks cookie values
- Monitor server resources and implement rate limiting to detect and block DoS attempts
🔍 How to Verify
Check if Vulnerable:
Check whether mod_auth_openidc is loaded in the Apache configuration and its version is below 2.4.15.2
Check Version (the module path is a placeholder for your installation):
httpd -M 2>/dev/null | grep auth_openidc
strings /path/to/apache/modules/mod_auth_openidc.so | grep -i 'mod_auth_openidc[-/][0-9]'
On packaged installs the version can also be read from the package manager (rpm -q mod_auth_openidc on Fedora, dpkg -s libapache2-mod-auth-openidc on Debian).
Verify Fix Applied:
Verify mod_auth_openidc version is 2.4.15.2 or higher and test with crafted cookie values
📡 Detection & Monitoring
Log Indicators:
- HTTP 500 errors with mod_auth_openidc in error logs
- Unusually long request processing times
- High CPU/memory usage spikes
Network Indicators:
- HTTP requests containing mod_auth_openidc_session_chunks cookie with large integer values
- Multiple rapid requests from single IPs
SIEM Query:
source="apache_access" AND ((cookie="*mod_auth_openidc_session_chunks=*" AND status=500) OR response_time>10s)
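A log-side check for the network indicator above, as an added example that is not part of the original advisory or the mod_auth_openidc project: it scans Apache access log lines that include the request's Cookie header and flags requests whose mod_auth_openidc_session_chunks value is not a small non-negative integer. The log lines, the chunk threshold (MAX_EXPECTED_CHUNKS) and the LogFormat layout are constructed assumptions.

```python
from __future__ import annotations
import re
from typing import Optional

# Constructed sample lines: Combined-style format extended with the request's
# Cookie header (LogFormat ending in "\"%{Cookie}i\""). Made up, not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2024:10:00:01 +0000] "GET /protected/ HTTP/1.1" 200 512 "mod_auth_openidc_session_chunks=2; mod_auth_openidc_session_0=abc"
203.0.113.9 - - [10/Feb/2024:10:00:02 +0000] "GET /protected/ HTTP/1.1" 500 0 "mod_auth_openidc_session_chunks=2147483647"
203.0.113.9 - - [10/Feb/2024:10:00:03 +0000] "GET /protected/ HTTP/1.1" 500 0 "mod_auth_openidc_session_chunks=99999999999999999999"
198.51.100.2 - - [10/Feb/2024:10:00:04 +0000] "GET /public/ HTTP/1.1" 200 128 "-"
198.51.100.7 - - [10/Feb/2024:10:00:05 +0000] "GET /protected/ HTTP/1.1" 500 0 "mod_auth_openidc_session_chunks=notanumber"
"""

# Assumed threshold: a legitimate session spans only a handful of chunk cookies.
MAX_EXPECTED_CHUNKS = 16

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<cookie>[^"]*)"$'
)
CHUNKS_RE = re.compile(r'(?:^|;\s*)mod_auth_openidc_session_chunks=([^;]*)')


def chunks_value(cookie_header: str) -> Optional[str]:
    """Return the raw mod_auth_openidc_session_chunks value, or None if absent."""
    m = CHUNKS_RE.search(cookie_header)
    return m.group(1).strip() if m else None


def is_suspicious(raw: Optional[str]) -> bool:
    """Flag anything that is not a small non-negative integer."""
    if raw is None:
        return False          # cookie not present: nothing to judge
    if not raw.isdigit():
        return True           # signed, empty or non-numeric: never sent by a real client
    return int(raw) > MAX_EXPECTED_CHUNKS  # oversized count: the CVE-2024-24814 pattern


def scan_log(text: str) -> list[dict]:
    """Return one record (ip, ts, status, value) per suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue          # unparseable line: skip rather than abort the scan
        raw = chunks_value(m.group("cookie"))
        if is_suspicious(raw):
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "status": int(m.group("status")), "value": raw})
    return hits
```

Feed real access log text into scan_log and correlate the returned IPs with the request-rate and CPU indicators listed above.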
🔗 References
- https://github.com/OpenIDC/mod_auth_openidc/commit/4022c12f314bd89d127d1be008b1a80a08e1203d
- https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-hxr6-w4gc-7vvv
- https://lists.debian.org/debian-lts-announce/2024/03/msg00004.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7DKVEVREYAI4F46CQAVOTPL75WLOZOE/