Threat Watch

Apache HTTP Server 2.4.52 HTTP Request Smuggling Vulnerability (CVE-2022-22720)

A vulnerability in Apache 2.4.52 was discovered by James Kettle, Director of Research at PortSwigger, that could allow attackers to potentially perform HTTP Request Smuggling against backend web applications. The issue arises from the way that Apache versions 2.4.52 and earlier fail to close inbound connections when errors are encountered discarding the HTTP request body.

HTTP Request Smuggling is an exploit that abuses the potential inconsistencies in how a front-end HTTP-enabled firewall, or a front-end proxy/load balancer and a back-end web server, interpret the Content-Length and Transfer-Encoding HTTP headers. Both headers are used to specify the length of the HTTP request, and an RFC compliant HTTP request may only include one or the other. Request smuggling can occur when an HTTP request is customized to send both headers. This can lead to the front-end or back-end servers incorrectly interpreting the request, allowing a malicious HTTP query to pass through.

HTTP Request Smuggling allows for numerous types of malicious activity:

⦁          Security filter bypass – Since this attack involves passing a malicious query directly to a back-end web server, front-end security filters may be ignored, allowing sensitive information to be exposed.

⦁          Web cache poisoning – If the front-end or middleware that separates the attacker from the back-end web server are configured as caching servers, an attacker abusing request smuggling could potentially poison the cache with invalid responses entries. If the attack succeeds, future requests could return the malicious query to other users, redirecting a user to a malicious website.

⦁          Client authentication bypass/hijacking – If an attacker is able to intercept legitimate end-user queries, they can append the end-user’s query to their own malicious query and present it to a front-end proxy using the same connection. If a web server is vulnerable to request smuggling, the request could be treated as a single request. This can allow an attacker to hijack the end-user’s valid sessions, cookies, and/or other HTTP authentication details in order to perform malicious actions as a privileged user. This activity is more difficult to achieve but presents a considerable threat.

ANALYST NOTES

The remediation status of various mainstream operating systems (OS) are as follows (see sources for details):
• Ubuntu: All versions have patches released.
• Debian: Most versions vulnerable.
• Red Hat: All versions vulnerable.
• NetApp: All versions vulnerable.

While patches have yet to be released for some major OS versions, there are still effective prevention methods for HTTP Request Smuggling including:

• Use HTTP/2 end to end, with HTTP downgrade disabled if possible.
• If HTTP downgrading cannot be avoided, be sure to validate rewritten requests against HTTP/1.1. Validation may include rejecting requests that contain newline characters in the header, header names with colons, and any request methods that contain spaces.
• Implement normalization of HTTP requests on front-end servers and reject any abnormal requests that make it to the back-end, closing connections during the process.

https://httpd.apache.org/security/vulnerabilities_24.html

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22720

https://access.redhat.com/security/cve/cve-2022-22720

https://security-tracker.debian.org/tracker/CVE-2022-22720

https://ubuntu.com/security/CVE-2022-22720

https://security.netapp.com/advisory/ntap-20220321-0001/