CVE-2024-38472
Published: 01 July 2024
Summary
CVE-2024-38472 is a high-severity server-side request forgery (SSRF, CWE-918) vulnerability in Apache HTTP Server on Windows. Its CVSS 3.1 base score is 7.5 (High).
Operationally, its EPSS score places it in the top 0.4% of CVEs by exploit likelihood, but it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2024-38472 is a server-side request forgery vulnerability in Apache HTTP Server on Windows that can be triggered through malicious requests or content. The weakness, classified as CWE-918, lies in the server's handling of UNC paths (\\server\share) during request processing: an attacker-controlled destination can be made the target of such a path and thereby receive the server's NTLM authentication material. It is rated 7.5 under CVSS 3.1 with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (network-reachable, no privileges, no user interaction, high confidentiality impact). The issue is resolved in version 2.4.60.
An unauthenticated remote attacker supplies crafted input that causes the server to resolve a UNC path pointing at an attacker-controlled system. Windows performs NTLM authentication to that host using the account httpd runs as, so the NTLM challenge-response ("NTLM hashes" in the advisory wording) is captured by the malicious endpoint and can then be attacked offline. The result is disclosure of the web server's Windows credentials without any user interaction.
Advisories from the Apache project and NetApp recommend upgrading to 2.4.60. The fix blocks UNC path access during request processing by default, so administrators whose configurations rely on UNC paths (for example a DocumentRoot or Alias target on a file share) must add the new "UNCList" directive to explicitly permit the hosts they need; without it, those paths stop working after the upgrade.
The EPSS score (estimated probability of exploitation in the wild within the next 30 days) has remained near its observed peak of 0.9167; the current value is 0.9067.
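As an added illustration for the post-upgrade step above (not code from this page or from the Apache project), the following script inventories the hosts an httpd.conf fragment reaches through UNC paths and compares them with its UNCList directive, so the directive can be written before 2.4.60 starts blocking those paths. It assumes UNCList takes a space-separated hostname list (UNCList host [host ...], server config context); confirm this against the 2.4.60 core directive reference. The configuration fragment is constructed for the example.

```python
"""Inventory UNC paths in an httpd.conf and check them against UNCList.

Added example for CVE-2024-38472; not Apache project code. Assumes the
UNCList syntax "UNCList host [host ...]" (server config context); verify
against the 2.4.60 core directive docs before relying on it.
"""
import re

# Constructed httpd.conf fragment: two directives backed by UNC paths, one
# local path, a commented-out UNC path, and a UNCList that covers only one
# of the two file servers.
SAMPLE_CONF = r"""
ServerRoot "C:/Apache24"
# DocumentRoot "\\legacy.corp.example\old"   (commented out, must be ignored)
DocumentRoot "\\fs01.corp.example\wwwroot"
Alias /reports "//fs02.corp.example/reports"
Alias /static "C:/Apache24/htdocs/static"
UNCList fs01.corp.example
"""

# A UNC host is the first component after a leading \\ or // that is not
# part of a URL scheme (http://...) or a drive-letter path.
UNC_RE = re.compile(r'(?<![\w:/\\])(?:\\\\|//)([A-Za-z0-9._-]+)[\\/]')
UNCLIST_RE = re.compile(r'^\s*UNCList\s+(.+?)\s*$', re.IGNORECASE | re.MULTILINE)


def find_unc_hosts(conf_text):
    """Return the lowercase set of hosts referenced via UNC paths."""
    hosts = set()
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # comments and blank lines carry no live directives
        for match in UNC_RE.finditer(stripped):
            hosts.add(match.group(1).lower())
    return hosts


def unclist_hosts(conf_text):
    """Return the lowercase set of hosts already permitted by UNCList."""
    hosts = set()
    for match in UNCLIST_RE.finditer(conf_text):
        hosts.update(h.strip('"').lower() for h in match.group(1).split())
    return hosts


def audit_unclist(conf_text):
    """Compare UNC hosts in use with UNCList; 'missing' hosts break on upgrade."""
    needed = find_unc_hosts(conf_text)
    allowed = unclist_hosts(conf_text)
    return {
        "unc_hosts": sorted(needed),
        "unclist": sorted(allowed),
        "missing": sorted(needed - allowed),
        "unused": sorted(allowed - needed),
    }


def suggested_unclist(conf_text):
    """Directive line that would permit every UNC host found, or None."""
    needed = find_unc_hosts(conf_text)
    return "UNCList " + " ".join(sorted(needed)) if needed else None


if __name__ == "__main__":
    result = audit_unclist(SAMPLE_CONF)
    print(result)
    if result["missing"]:
        print("hosts not covered by UNCList:", ", ".join(result["missing"]))
        print("suggested:", suggested_unclist(SAMPLE_CONF))
```

Run it against the real httpd.conf (and any files it Includes) before the upgrade; every host in "missing" is a share the server will lose access to in 2.4.60 until it is added to UNCList, and every host in "unused" is a permitted destination nothing references, which is worth removing since it widens the set of hosts the server may authenticate to.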
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-37353
Vulnerability details
SSRF in Apache HTTP Server on Windows allows to potentially leak NTLM hashes to a malicious server via SSRF and malicious requests or content. Users are recommended to upgrade to version 2.4.60 which fixes this issue. Note: Existing configurations that access UNC paths will have to configure new directive "UNCList" to allow access during request processing.
- CWE(s): CWE-918 (Server-Side Request Forgery)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Apache HTTP Server on Windows, versions before 2.4.60.
Mitigating Controls
Likely mitigating controls (derived from the weakness type, CWE-918, cited in the NVD entry; per-CVE control mapping for this CVE has not run yet):
- Penetration testing: probe for server-side requests to internal resources in the usual SSRF manner and, for this CVE, check whether request-supplied input can be turned into a UNC path; after upgrading, confirm that UNC access is refused except to the hosts named in UNCList.
- Boundary egress control: a UNC path on Windows is reached over SMB (TCP 445, or 139 for the NetBIOS session service), so blocking outbound SMB from web servers to the internet and to any host not listed in UNCList contains the credential leak even before patching. Note that Windows falls back to WebDAV over HTTP(S) when the WebClient service is running, so disable that service on web servers as well.
- Input validation: validate server-side URLs and file or resource references, rejecting values that begin with \\ or // (and their URL-encoded forms) before they can become a filesystem path.
- Detection: monitor for unexpected outbound connections from the web server, in particular SMB sessions to new, unlisted or external destinations.
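As an added example of the boundary-monitoring and detection controls above (not code from this page or from Apache), the following check runs over egress firewall records and flags SMB connections from a Windows httpd host to any destination that is not one of its UNCList file servers; an external destination is rated highest because the credentials leave the network. The CSV format, the web server address and the allowlist are constructed assumptions.

```python
"""Flag SMB egress from a Windows httpd host, the traffic an NTLM-leak SSRF causes.

Added example for CVE-2024-38472; not Apache project code. The CSV format,
host addresses and allowlist below are assumptions constructed for the demo.
"""
import csv
import io
import ipaddress

WEB_SERVERS = {"10.0.5.20"}          # assumed: the Windows httpd host(s)
ALLOWED_SMB_DESTS = {"10.0.9.11"}    # assumed: the file server named in UNCList
SMB_PORTS = {445, 139}               # SMB over TCP and NetBIOS session service
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed egress log: one legitimate share access, one SMB connection to
# an external host, an unrelated HTTPS flow, a non-web-server source, and an
# SMB connection to an internal host that is not on the allowlist.
SAMPLE_LOG = """\
timestamp,src,dst,dport,proto,action
2024-07-02T10:00:01Z,10.0.5.20,10.0.9.11,445,tcp,allow
2024-07-02T10:00:05Z,10.0.5.20,203.0.113.7,445,tcp,allow
2024-07-02T10:00:06Z,10.0.5.20,203.0.113.7,443,tcp,allow
2024-07-02T10:00:09Z,10.0.5.21,198.51.100.4,445,tcp,deny
2024-07-02T10:00:12Z,10.0.5.20,10.0.9.50,139,tcp,allow
"""


def is_internal(ip_text):
    """True for RFC 1918 addresses. Checked explicitly rather than with
    ip_address().is_global, which treats documentation ranges as non-global."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in RFC1918)


def detect_smb_egress(log_text):
    """Return alerts for SMB connections from web servers to non-allowlisted hosts."""
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["src"] not in WEB_SERVERS or row["proto"].lower() != "tcp":
            continue
        if int(row["dport"]) not in SMB_PORTS:
            continue
        if row["dst"] in ALLOWED_SMB_DESTS:
            continue  # expected traffic to a UNCList file server
        # External destination: credentials leave the network. Internal but
        # unexpected: still a capture point, or config drift worth a look.
        severity = "high" if not is_internal(row["dst"]) else "medium"
        alerts.append({
            "time": row["timestamp"],
            "src": row["src"],
            "dst": row["dst"],
            "dport": int(row["dport"]),
            "action": row["action"],   # a "deny" still means httpd tried to connect
            "severity": severity,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_smb_egress(SAMPLE_LOG):
        print(alert)
```

Denied connections are reported deliberately: a blocked SMB attempt from the web server to an unknown host is evidence that something made httpd resolve a UNC path, which is exactly the trigger condition for this CVE, and it is the event to chase back to the request that caused it. On the preventive side, the same allowlist should be the egress rule, with WebDAV fallback handled by disabling the WebClient service on the server.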