CVE-2021-32785 Overview
CVE-2021-32785 is a format string vulnerability affecting mod_auth_openidc, an authentication and authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party. When configured to use an unencrypted Redis cache with specific settings (OIDCCacheEncrypt off, OIDCSessionType server-cache, OIDCCacheType redis), the module incorrectly performs argument interpolation before passing Redis requests to the hiredis library, which then performs interpolation again. This double interpolation leads to an uncontrolled format string bug that can be exploited to reliably cause denial of service by repeatedly crashing Apache worker processes.
Critical Impact
This vulnerability enables remote attackers to crash Apache workers without authentication, causing service disruption for web applications relying on mod_auth_openidc for OpenID Connect authentication.
Affected Products
- OpenIDC mod_auth_openidc (versions prior to 2.4.9)
- Apache HTTP Server (when used with vulnerable mod_auth_openidc)
- NetApp Cloud Backup
- Debian Linux 10.0
Discovery Timeline
- 2021-07-22 - Vulnerability discovered by @thomas-chauchefoin-sonarsource
- 2021-07-22 - CVE CVE-2021-32785 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-32785
Vulnerability Analysis
This vulnerability is classified as CWE-134 (Use of Externally-Controlled Format String). The root issue lies in the interaction between mod_auth_openidc and the hiredis Redis client library. When Redis caching is enabled without encryption, the module constructs Redis commands using format string operations before passing them to hiredis API functions. The hiredis library then performs its own format string processing on the same data, resulting in double interpolation.
An attacker who can influence cache keys or values—potentially through crafted authentication requests—can inject format string specifiers that survive the first interpolation and get processed during the second pass. While the security advisory indicates this does not appear to allow arbitrary code execution, it reliably triggers crashes in Apache worker processes. Repeated exploitation can effectively render the web application unavailable.
Root Cause
The vulnerability stems from improper handling of format string arguments in the Redis cache implementation. The module used direct string formatting when constructing Redis commands rather than utilizing the proper hiredis API (redisvCommand) that handles argument interpolation safely. This architectural oversight allowed user-controllable data to be interpreted as format string specifiers, leading to memory access violations and worker crashes.
Attack Vector
The attack is network-based and can be performed without authentication. An attacker sends specially crafted requests to a web application protected by mod_auth_openidc where:
- The server uses Redis for session caching (OIDCCacheType redis)
- Server-side session storage is enabled (OIDCSessionType server-cache)
- Cache encryption is disabled (OIDCCacheEncrypt off)
The attacker crafts input containing format string specifiers (such as %s, %n, %x) that get incorporated into cache key operations. When the malformed key is processed through the double-interpolation path, it causes memory corruption or invalid memory access, crashing the Apache worker.
+07/22/2021
+- use redisvCommand to avoid crash with crafted key when using Redis without encryption; thanks @thomas-chauchefoin-sonarsource
+
07/15/2021
- verify that "alg" is not none in logout_token explicitly
- make session not found on backchannel logout produce a log warning instead of error
Source: GitHub Commit Update
Detection Methods for CVE-2021-32785
Indicators of Compromise
- Repeated Apache worker crashes or restarts in a short time period
- Error log entries showing segmentation faults or memory access violations in mod_auth_openidc
- Unusual patterns in Redis cache keys containing format string specifiers (%s, %n, %x, etc.)
- Abnormal authentication request patterns with malformed parameters
Detection Strategies
- Monitor Apache error logs for segmentation faults or crash reports associated with mod_auth_openidc
- Implement log analysis rules to detect format string patterns in authentication-related request parameters
- Deploy intrusion detection signatures matching format string injection attempts in HTTP request headers and parameters
- Track Redis cache key anomalies through Redis monitoring tools
Monitoring Recommendations
- Enable verbose logging for mod_auth_openidc to capture detailed request information
- Configure process monitoring to alert on abnormal Apache worker restart rates
- Implement rate limiting on authentication endpoints to mitigate DoS impact
- Set up availability monitoring for applications using mod_auth_openidc
How to Mitigate CVE-2021-32785
Immediate Actions Required
- Upgrade mod_auth_openidc to version 2.4.9 or later immediately
- If immediate upgrade is not possible, enable cache encryption by setting OIDCCacheEncrypt on in the Apache configuration
- Review and audit current mod_auth_openidc configurations across all Apache servers
- Implement rate limiting on authentication endpoints as a defense-in-depth measure
Patch Information
The vulnerability was fixed in mod_auth_openidc version 2.4.9. The patch modifies the code to use the redisvCommand API from hiredis, which properly handles argument interpolation internally, eliminating the double-interpolation issue. Organizations should update to this version or later through their package manager or by building from the GitHub Release v2.4.9.
Additional security advisories have been published by downstream vendors:
- GitHub Security Advisory GHSA-55r8-6w97-xxr4
- Oracle Critical Patch Update April 2022
- NetApp Security Advisory ntap-20210902-0001
- Debian LTS Announcement
Workarounds
- Set OIDCCacheEncrypt on in your Apache configuration to enable cache encryption, which cryptographically hashes cache keys before use
- Consider switching to a different cache type (memcache or shm) if Redis encryption cannot be enabled
- Implement network-level protections to restrict access to the authentication endpoints
- Deploy a Web Application Firewall (WAF) with rules to filter format string patterns in request parameters
# Configuration example - Enable cache encryption as workaround
# Add to Apache configuration for mod_auth_openidc
# Enable cache encryption to mitigate the vulnerability
OIDCCacheEncrypt on
# Alternative: If using Redis, ensure this setting is enabled
# This cryptographically hashes keys before use
OIDCCacheType redis
OIDCSessionType server-cache
OIDCCacheEncrypt on
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
