CVE-2024-38472 in HTTP Serverinfo

Summary

by MITRE • 07/01/2024

SSRF in Apache HTTP Server on Windows allows to potentially leak NTML hashes to a malicious server via SSRF and malicious requests or content Users are recommended to upgrade to version 2.4.60 which fixes this issue.  Note: Existing configurations that access UNC paths will have to configure new directive "UNCList" to allow access during request processing.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 01/04/2026

The vulnerability CVE-2024-38472 represents a critical server-side request forgery flaw in the Apache HTTP Server version 2.4.59 and earlier on Windows platforms. This security weakness stems from inadequate validation of Uniform Resource Locator (URL) inputs when processing requests that involve Universal Naming Convention (UNC) paths. The flaw specifically affects Windows deployments where the httpd server processes requests containing UNC paths, creating an opportunity for malicious actors to manipulate the server into making unauthorized network requests to external systems. The vulnerability is particularly concerning because it can potentially expose NTLM authentication hashes to attackers who control the destination server, effectively compromising user authentication credentials.

The technical implementation of this vulnerability occurs when Apache HTTP Server processes requests that contain UNC paths, such as \\server\share\file or similar network resource references. The server fails to properly sanitize or validate these paths before attempting to resolve them, allowing attackers to craft malicious requests that redirect the server's network activity to attacker-controlled endpoints. This misconfiguration enables the exploitation of a server-side request forgery attack vector where the vulnerable server acts as an intermediary, making network requests on behalf of the attacker. The NTLM hash leakage occurs because when the server attempts to resolve the UNC path, it authenticates using the credentials of the user account under which the Apache service is running, potentially exposing these authentication tokens to external servers that can capture and utilize them.

The operational impact of this vulnerability extends beyond simple information disclosure, as it creates a persistent security risk for organizations using Apache HTTP Server on Windows platforms. Attackers who successfully exploit this flaw can potentially escalate their privileges by leveraging captured NTLM hashes to access additional network resources, conduct lateral movement within the network, or even gain access to domain controller systems if the Apache server is running with elevated privileges. The vulnerability is particularly dangerous in enterprise environments where Apache servers often run with high-privilege accounts or have access to sensitive network resources. Organizations may face significant security implications including unauthorized data access, privilege escalation, and potential full network compromise depending on the server's access rights and the network topology.

Mitigation strategies for CVE-2024-38472 primarily involve upgrading to Apache HTTP Server version 2.4.60, which includes patches addressing the SSRF vulnerability and proper validation of UNC paths. Organizations should also implement the new "UNCList" directive introduced in the patched version to explicitly control which UNC paths are allowed during request processing, thereby preventing unauthorized access to network resources. Security teams should conduct comprehensive network monitoring to detect any suspicious outbound connections that might indicate exploitation attempts, while also reviewing existing configurations to ensure they properly restrict access to UNC paths. The implementation of network segmentation, firewall rules, and access control lists can provide additional layers of protection by limiting the Apache server's ability to make unauthorized network requests. Organizations should also consider implementing intrusion detection systems that can identify patterns consistent with SSRF attacks and establish regular security auditing procedures to verify that the patched configurations are properly applied and functioning correctly. This vulnerability aligns with CWE-918 Server-Side Request Forgery (SSRF) and maps to ATT&CK technique T1190 for exploiting vulnerabilities in web applications, highlighting the importance of proper input validation and network access controls in preventing such attacks.

Reservation

06/17/2024

Disclosure

07/01/2024

Moderation

accepted

CPE

ready

EPSS

0.67950

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!