CVE-2024-43394
📋 TL;DR
This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in Apache HTTP Server on Windows that allows attackers to leak NTLM hashes to malicious servers. The vulnerability occurs when mod_rewrite or Apache expressions pass unvalidated request input that can trigger UNC path requests. It affects Apache HTTP Server versions 2.4.0 through 2.4.63 running on Windows systems.
💻 Affected Systems
- Apache HTTP Server
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal NTLM hashes from the Apache service account, potentially enabling credential relay attacks, lateral movement, and domain compromise.
Likely Case
NTLM hash leakage to attacker-controlled servers, enabling credential cracking or relay attacks against the Apache service account.
If Mitigated
Limited impact if proper network segmentation and SMB restrictions are in place, preventing connections to malicious servers.
🎯 Exploit Status
Exploitation requires specific mod_rewrite or expression configurations that pass user input to UNC paths. The vulnerability is in how Apache handles these requests on Windows.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.4.64 or later
Vendor Advisory: https://httpd.apache.org/security/vulnerabilities_24.html
Restart Required: Yes
Instructions:
1. Download Apache HTTP Server 2.4.64 or later from the official Apache website.
2. Stop the Apache service.
3. Back up the configuration files.
4. Install the updated version.
5. Restore the configuration files.
6. Start the Apache service.
🔧 Temporary Workarounds
Restrict SMB Connections
Windows: Configure the Windows firewall or network policies to block the Apache service from making SMB connections to untrusted hosts.
New-NetFirewallRule -DisplayName "Block Apache SMB" -Direction Outbound -Protocol TCP -RemotePort 445 -Action Block -Program "C:\path\to\httpd.exe"
Disable mod_rewrite or Secure Configurations
All platforms: Remove or secure mod_rewrite rules and Apache expressions that pass user input to UNC paths.
Comment out or remove vulnerable RewriteRule directives in httpd.conf or .htaccess files
🧯 If You Can't Patch
- Implement strict network segmentation to prevent Apache servers from accessing untrusted SMB shares.
- Configure Apache to run with a low-privileged service account that has minimal network access.
🔍 How to Verify
Check if Vulnerable:
Run httpd -v. The server is vulnerable if it reports version 2.4.0 through 2.4.63, runs on Windows, and has mod_rewrite rules or Apache expressions that pass request input into file paths.
Check Version:
httpd -v
Verify Fix Applied:
Verify that the Apache version is 2.4.64 or later, then test that UNC path requests built from user input are properly blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual UNC path requests in Apache access logs (\\server\share patterns)
- Failed SMB connection attempts from Apache process
Network Indicators:
- Outbound SMB (port 445) traffic from Apache servers to unknown IPs
- NTLM authentication attempts to external servers
SIEM Query:
source="apache_access.log" AND (url="*\\\\*" OR url="*%5c%5c*")
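The same indicators, applied offline to access-log lines, as an added Python example that is not part of this advisory. It parses Common Log Format lines and flags request URLs containing a doubled backslash, whether raw, percent-encoded (%5c%5c, any case) or double-encoded; the log lines are constructed and the IPs are documentation ranges.

```python
import re
from urllib.parse import unquote

# Apache Common Log Format: host ident user [time] "METHOD URL PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# Two adjacent backslashes, i.e. the \\host\share prefix of a UNC path
UNC_RE = re.compile(r'\\\\')


def is_unc_request(url: str) -> bool:
    r"""True if the request URL carries a \\host\share prefix, whether raw,
    percent-encoded (%5c%5c, any case) or double-encoded (%255c%255c)."""
    decoded = url
    for _ in range(2):          # second pass unwraps %25xx double-encoding
        decoded = unquote(decoded)
    return UNC_RE.search(decoded) is not None


def scan_access_log(lines):
    """Return (client, url, status) for every request line that looks like a
    UNC probe; lines that do not parse are skipped rather than raising."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_unc_request(m.group("url")):
            hits.append((m.group("host"), m.group("url"), int(m.group("status"))))
    return hits


# Constructed sample lines (not from a real server); hosts use RFC 5737 ranges.
SAMPLE_LOG = [
    r'192.0.2.9 - - [10/Oct/2024:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 1043',
    r'203.0.113.5 - - [10/Oct/2024:13:55:37 +0000] "GET /cgi/\\198.51.100.7\share\x HTTP/1.1" 404 196',
    r'203.0.113.5 - - [10/Oct/2024:13:55:38 +0000] "GET /cgi/%5c%5c198.51.100.7%5cshare HTTP/1.1" 404 196',
    r'203.0.113.5 - - [10/Oct/2024:13:55:39 +0000] "GET /cgi/%255C%255C198.51.100.7%255Cshare HTTP/1.1" 404 196',
    r'192.0.2.9 - - [10/Oct/2024:13:55:40 +0000] "GET /docs/path%5cfile HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for client, url, status in scan_access_log(SAMPLE_LOG):
        print(f"UNC probe from {client}: {url} (status {status})")
```

A single encoded backslash (the last sample line) is deliberately not flagged, since only the doubled form marks a UNC prefix.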