CVE-2024-40898

7.5 HIGH

📋 TL;DR

This vulnerability in Apache HTTP Server on Windows allows attackers to perform Server-Side Request Forgery (SSRF) attacks when mod_rewrite is configured in server or virtual host contexts. Successful exploitation could leak Windows NTLM authentication hashes to malicious servers. Only Apache HTTP Server installations on Windows with mod_rewrite enabled are affected.

💻 Affected Systems

Products:
  • Apache HTTP Server
Versions: before 2.4.62
Operating Systems: Windows
Default Config Vulnerable: ✅ No
Notes: Requires mod_rewrite enabled in server or virtual host context; Linux/Unix systems are NOT affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers steal NTLM hashes from the Apache server process, potentially enabling credential relay attacks, lateral movement within Windows domains, or full domain compromise.

🟠 Likely Case

Attackers capture NTLM hashes from the Apache service account, potentially gaining access to resources accessible by that account.

🟢 If Mitigated

With proper network segmentation and NTLM restrictions, impact is limited to compromise of the service account, without domain-wide effects.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SSRF vulnerabilities are commonly exploited; NTLM hash theft is a known attack pattern with available tooling.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.4.62

Vendor Advisory: https://httpd.apache.org/security/vulnerabilities_24.html

Restart Required: Yes

Instructions:

1. Download Apache HTTP Server 2.4.62 from official mirrors.
2. Stop the Apache service.
3. Back up configuration files.
4. Install the new version.
5. Restore configurations.
6. Start the Apache service.

🔧 Temporary Workarounds

Disable mod_rewrite (Windows)

Remove or comment out mod_rewrite module loading if not required

# In httpd.conf, comment out: LoadModule rewrite_module modules/mod_rewrite.so

Restrict mod_rewrite rules (Windows)

Limit mod_rewrite rules to prevent external URL proxying

# In rewrite rules, avoid Proxy flag with external URLs

🧯 If You Can't Patch

  • Implement strict outbound firewall rules to block the Apache server from connecting to untrusted external systems
  • Configure Windows to require NTLMv2 and disable NTLMv1, or implement Extended Protection for Authentication

🔍 How to Verify

Check if Vulnerable:

Check if running Apache on Windows with mod_rewrite enabled and version < 2.4.62

Check Version:

httpd -v

Verify Fix Applied:

Confirm Apache version is 2.4.62 or later and mod_rewrite configuration doesn't proxy to external URLs
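
One way to automate the checks above, as an added example that is not part of the original advisory or the Apache project's code: it takes the output of `httpd -v` and the text of `httpd.conf` and reports whether every precondition listed on this page is present. Function names and sample input are constructed for illustration; the scan does not follow `Include` directives and treats only `<Directory>`, `<Location>` and `<Files>` style containers as per-directory context.

```python
import re

FIXED = (2, 4, 62)  # patch version given on this page
# Containers that put a directive in per-directory context (simplified list)
PER_DIR = {"directory", "directorymatch", "location", "locationmatch",
           "files", "filesmatch"}

def parse_banner(banner):
    """Return ((major, minor, patch), is_windows) from `httpd -v` output."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    version = tuple(map(int, m.groups())) if m else None
    # Windows builds carry a (Win32) or (Win64) platform tag in the banner
    return version, bool(re.search(r"\(Win(32|64)\)", banner))

def scan_config(conf):
    """Return (module_loaded, [(lineno, rule)]) for server/vhost-level rules."""
    loaded, rules, stack = False, [], []
    for n, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out directives do not count
        tag = re.match(r"<(/?)\s*(\w+)", line)
        if tag and tag.group(1):
            del stack[-1:]  # closing tag: pop, tolerating stray closers
        elif tag:
            stack.append(tag.group(2).lower())
        elif re.match(r"LoadModule\s+rewrite_module\b", line, re.I):
            loaded = True
        elif re.match(r"RewriteRule\b", line, re.I) and not PER_DIR & set(stack):
            rules.append((n, line))
    return loaded, rules

def needs_upgrade(banner, conf):
    """True when every precondition listed on this page is met."""
    version, windows = parse_banner(banner)
    loaded, rules = scan_config(conf)
    return bool(windows and version and version < FIXED and loaded and rules)

# Constructed sample input, not taken from a real host
SAMPLE_BANNER = "Server version: Apache/2.4.59 (Win64)\nServer built:   Apr  3 2024 12:00:00"
SAMPLE_CONF = """\
LoadModule rewrite_module modules/mod_rewrite.so
<VirtualHost *:80>
    RewriteRule ^/old/(.*)$ /new/$1 [R=301,L]
    <Directory "C:/Apache24/htdocs">
        RewriteRule ^page$ index.html [L]
    </Directory>
</VirtualHost>
"""
print(needs_upgrade(SAMPLE_BANNER, SAMPLE_CONF), scan_config(SAMPLE_CONF)[1])
```

The rule inside `<Directory>` is left out of the findings because it is in per-directory context, which this page does not list as affected.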

📡 Detection & Monitoring

Log Indicators:

  • Unusual outbound connections from Apache process
  • mod_rewrite rules triggering with external URLs
  • Failed authentication attempts following unusual requests

Network Indicators:

  • Apache server making unexpected outbound SMB or HTTP requests
  • NTLM authentication traffic to unexpected destinations

SIEM Query:

source="apache" AND (url="*://external-domain*" OR dest_ip NOT IN [allowed_ips])
