CVE-2020-11985 Overview
CVE-2020-11985 is an IP address spoofing vulnerability affecting Apache HTTP Server when configured with proxying using mod_remoteip and certain mod_rewrite rules. This vulnerability allows attackers to manipulate the IP address used for logging and PHP scripts, potentially bypassing IP-based access controls, evading forensic analysis, and enabling abuse attribution to innocent parties.
This is notably a retrospectively assigned CVE—the issue was actually fixed in Apache HTTP Server version 2.4.24, but was only formally allocated this CVE identifier in 2020 with a low severity classification.
Critical Impact
Attackers can spoof their IP address to bypass IP-based security controls, manipulate audit logs, and evade attribution in environments using mod_remoteip with mod_rewrite proxy configurations.
Affected Products
- Apache HTTP Server versions prior to 2.4.24
- Configurations using mod_remoteip with proxying enabled
- Systems utilizing specific mod_rewrite rules for request handling
Discovery Timeline
- 2020-08-07 - CVE CVE-2020-11985 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-11985
Vulnerability Analysis
This vulnerability stems from improper verification of client-supplied data in Apache HTTP Server's mod_remoteip module when used in conjunction with mod_rewrite for proxying configurations. The mod_remoteip module is designed to replace the client IP address for logging purposes with the IP address provided by a trusted proxy through headers like X-Forwarded-For.
The flaw occurs when specific mod_rewrite rules are configured that process requests before mod_remoteip can properly validate the source of IP address information. This creates a timing gap where an attacker can inject malicious IP address data that gets accepted by the server as legitimate client identification.
The vulnerability is classified under CWE-345 (Insufficient Verification of Data Authenticity), indicating that the server fails to adequately verify that IP address information received is from a trusted source before using it for security-relevant decisions.
Root Cause
The root cause lies in the interaction between mod_remoteip and mod_rewrite during request processing. When proxying is configured with certain rewrite rules, the order of module execution allows untrusted client-supplied headers to be processed before proper validation occurs. This enables attackers to inject arbitrary IP addresses through HTTP headers that the server incorrectly treats as originating from a trusted proxy.
The insufficient verification means that:
- The server does not properly validate the source of X-Forwarded-For or similar headers
- Rewrite rules may process requests before IP validation is complete
- PHP scripts and logging mechanisms receive the spoofed IP address as if it were legitimate
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by crafting HTTP requests with manipulated headers targeting servers with the vulnerable configuration.
The attack flow typically involves:
- Identifying a target Apache server using mod_remoteip with mod_rewrite proxy rules
- Crafting HTTP requests with spoofed IP addresses in forwarding headers
- Sending requests that bypass the normal IP validation due to module execution order
- Achieving IP address spoofing in logs and PHP script contexts
Due to the nature of this vulnerability, exploitation is straightforward for attackers with network access to the affected server. The primary impacts include log manipulation, bypassing IP-based access controls, and evading attribution in abuse scenarios.
Detection Methods for CVE-2020-11985
Indicators of Compromise
- Unusual or inconsistent IP addresses appearing in access logs that don't match expected client patterns
- Discrepancies between load balancer logs and Apache access logs for the same requests
- IP addresses from internal/reserved ranges appearing in external request logs
- Multiple requests from different apparent source IPs sharing the same session or authentication tokens
Detection Strategies
- Review Apache configuration files for simultaneous use of mod_remoteip and mod_rewrite with proxy rules
- Audit server version to determine if running Apache HTTP Server versions prior to 2.4.24
- Implement log correlation between front-end proxies and Apache to detect IP address mismatches
- Deploy network monitoring to identify requests with suspicious X-Forwarded-For header patterns
Monitoring Recommendations
- Enable verbose logging for mod_remoteip to capture header processing details
- Implement SIEM rules to detect anomalous IP address patterns in web server logs
- Monitor for requests containing multiple IP addresses in forwarding headers from untrusted sources
- Establish baseline metrics for geographic distribution of client IPs to identify statistical anomalies
How to Mitigate CVE-2020-11985
Immediate Actions Required
- Upgrade Apache HTTP Server to version 2.4.24 or later immediately
- Review and audit all mod_remoteip configurations to ensure proper RemoteIPTrustedProxy directives are set
- Validate that only trusted proxy IP addresses are configured to provide client IP information
- Consider temporarily disabling mod_remoteip if immediate patching is not possible
Patch Information
The vulnerability was fixed in Apache HTTP Server version 2.4.24. Organizations should update to this version or later to remediate the vulnerability. Detailed patch information and security advisories are available from the Apache HTTPD Security Vulnerabilities page.
Additional vendor advisories have been released by:
Workarounds
- Restrict mod_remoteip to only accept IP information from explicitly trusted proxy IP addresses using RemoteIPTrustedProxy directive
- Place mod_remoteip configuration to execute before mod_rewrite rules when possible
- Implement additional validation at the application layer for IP-based security decisions
- Use firewall rules to ensure only legitimate proxy servers can reach the Apache server
# Configuration example - Restricting mod_remoteip to trusted proxies only
# Add to Apache configuration file (httpd.conf or appropriate .conf file)
# Enable mod_remoteip
LoadModule remoteip_module modules/mod_remoteip.so
# Specify the header containing the client IP
RemoteIPHeader X-Forwarded-For
# Define ONLY trusted proxy IP addresses
RemoteIPTrustedProxy 10.0.0.1
RemoteIPTrustedProxy 10.0.0.2
RemoteIPTrustedProxy 192.168.1.0/24
# Internal proxy detection (optional)
RemoteIPInternalProxy 127.0.0.1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
