CVE-2023-28625 Overview
CVE-2023-28625 is a Null Pointer Dereference vulnerability affecting mod_auth_openidc, an authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. In versions 2.0.0 through 2.4.13.1, when the OIDCStripCookies directive is set and a specially crafted cookie is supplied, a NULL pointer dereference occurs, resulting in a segmentation fault. This vulnerability can be exploited to cause a Denial-of-Service (DoS) condition, presenting a significant availability risk to affected web servers.
Critical Impact
Remote attackers can crash Apache web servers running vulnerable versions of mod_auth_openidc by sending malicious cookie headers, causing service disruption without requiring authentication.
Affected Products
- mod_auth_openidc versions 2.0.0 through 2.4.13.1
- Apache 2.x HTTP servers with mod_auth_openidc configured with OIDCStripCookies
- Debian, Fedora, and other Linux distributions packaging vulnerable versions
Discovery Timeline
- 2023-04-03 - CVE-2023-28625 published to NVD
- 2025-04-10 - Last updated in NVD database
Technical Details for CVE-2023-28625
Vulnerability Analysis
This vulnerability is classified as CWE-476 (NULL Pointer Dereference). The flaw exists in the cookie processing logic of mod_auth_openidc when the OIDCStripCookies configuration directive is enabled. When the module processes incoming HTTP requests, it parses cookie headers to strip specified cookies. However, the parsing logic fails to properly validate cookie data before dereferencing pointers, leading to a NULL pointer dereference when a malformed cookie is encountered.
The vulnerability is network-exploitable and requires no authentication or user interaction, making it particularly dangerous for internet-facing Apache servers using OpenID Connect authentication. An attacker can trigger the vulnerability by sending a single HTTP request with a crafted Cookie header, causing the Apache child process to crash with a segmentation fault.
Root Cause
The root cause lies in insufficient input validation in the cookie stripping functionality within src/mod_auth_openidc.c. When processing cookies marked for removal via the OIDCStripCookies directive, the code does not adequately check for NULL values that may result from parsing malformed cookie data. This oversight allows an attacker to construct a cookie header that, when parsed, produces a NULL pointer that is subsequently dereferenced.
Attack Vector
The attack vector is network-based and requires minimal complexity. An unauthenticated remote attacker can exploit this vulnerability by:
- Identifying an Apache server running a vulnerable version of mod_auth_openidc
- Confirming that OIDCStripCookies is configured (often used to remove sensitive cookies before proxying requests)
- Sending an HTTP request with a specially crafted Cookie header designed to trigger the NULL pointer dereference
- Causing the Apache child process to crash, resulting in service degradation
The fix shipped in version 2.4.13.2 adds NULL pointer checks before the dereference in the cookie-stripping code; the ChangeLog hunk from the fix commit records the change as follows:
+03/28/2023
+- CVE-2023-28625: prevent core dump when OIDCStripCookies is set and a crafted Cookie header is supplied
+ https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-f5xw-rvfr-24qr
+- release 2.4.13.2
+
03/27/2023
-- fix code scanning alerts:
+- fix code scanning alerts
- bump to 2.4.13.2rc2
03/24/2023
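Review bot: this hunk only records the fix in the ChangeLog; the sentence introducing it says the patch adds NULL pointer checks before dereferencing, yet no line here touches src/mod_auth_openidc.c, so either show the code hunk from the same commit next to this entry or word the introduction as "the release note for the fix". The `+- CVE-2023-28625:` line should also name the function or directive handler that was changed so the entry is useful on its own. Minor: the `-- fix code scanning alerts:` / `+- fix code scanning alerts` pair only drops a trailing colon and is fine to fold into the release commit.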
Source: GitHub Commit Details
Detection Methods for CVE-2023-28625
Indicators of Compromise
- Apache child process crashes or segmentation faults in system logs
- Presence of unusual or malformed Cookie headers in HTTP access logs
- Increased Apache worker restarts or error rates
- Core dump files related to mod_auth_openidc.so
Detection Strategies
- Monitor Apache error logs for segmentation fault messages mentioning mod_auth_openidc
- Implement Web Application Firewall (WAF) rules to detect abnormally large or malformed Cookie headers
- Use log analysis tools to identify patterns of requests with suspicious cookie values targeting OpenID Connect endpoints
- Deploy SentinelOne Singularity to detect and alert on process crashes indicative of exploitation attempts
Monitoring Recommendations
- Enable detailed Apache logging for modules and correlate with system-level crash events
- Set up alerting for Apache service restarts or worker process failures exceeding baseline thresholds
- Monitor network traffic for repeated requests to authentication endpoints with unusual cookie patterns
- Implement application performance monitoring to detect sudden availability degradation
How to Mitigate CVE-2023-28625
Immediate Actions Required
- Upgrade mod_auth_openidc to version 2.4.13.2 or later immediately
- If immediate patching is not possible, disable the OIDCStripCookies directive as a temporary workaround
- Review Apache configurations to identify all servers using mod_auth_openidc with the vulnerable setting
- Apply security updates from distribution packages (Debian DSA-5405, Fedora updates)
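The configuration review and version check from the list above, as an added example that is not from this advisory or the mod_auth_openidc project: a POSIX shell script that finds active (uncommented) OIDCStripCookies directives in an Apache config tree and classifies a host as patched, exposed, or covered by the workaround, using the fixed version 2.4.13.2 stated in this advisory. The config files are constructed samples, the directory paths are temporary, and the assess and version_lt helpers are this example's own names.

```shell
#!/bin/sh
# Added example, not from the advisory or the mod_auth_openidc project:
# find active OIDCStripCookies directives and classify a host against the
# fixed version 2.4.13.2. The config files below are constructed samples.

FIXED_VERSION="2.4.13.2"

# Sample config tree with one active directive and one commented-out copy
CONF_DIR="$(mktemp -d)"
cat > "$CONF_DIR/sso.conf" <<'EOF'
OIDCProviderMetadataURL https://idp.example.test/.well-known/openid-configuration
OIDCClientID relying-party
OIDCRedirectURI https://app.example.test/protected/redirect_uri
# Commented-out directives are ignored by Apache and are not a finding:
# OIDCStripCookies mod_auth_openidc_session
<Location /protected>
    AuthType openid-connect
    Require valid-user
    OIDCStripCookies mod_auth_openidc_session
</Location>
EOF

# Second tree with the workaround applied (no active directive anywhere)
SAFE_DIR="$(mktemp -d)"
cat > "$SAFE_DIR/sso.conf" <<'EOF'
OIDCClientID relying-party
# OIDCStripCookies mod_auth_openidc_session
<Location /protected>
    AuthType openid-connect
    Require valid-user
</Location>
EOF

# active_strip_cookies CONF_DIR -> "file:line:text" for each uncommented
# OIDCStripCookies directive (directive names are case-insensitive, leading
# whitespace is allowed, and a line is a comment only when '#' comes first)
active_strip_cookies() {
    grep -rni '^[[:space:]]*OIDCStripCookies[[:space:]]' "$1" 2>/dev/null || true
}

# version_lt A B -> success when dotted version A is older than B.
# A Debian revision such as "-2+deb12u1" is dropped first; components are
# compared numerically; a pre-release tag such as 2.4.13.2rc2 counts as
# older than the plain 2.4.13.2 it precedes.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/-.*$/, "", a); sub(/-.*$/, "", b)
        na = split(a, pa, "."); nb = split(b, pb, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = pa[i] + 0; y = pb[i] + 0        # numeric prefix of each part
            if (x != y) exit !(x < y)
        }
        ra = (a ~ /[^0-9.]/); rb = (b ~ /[^0-9.]/)
        exit !(ra && !rb)                       # only a tagged a is older
    }'
}

# assess VERSION CONF_DIR -> patched | exposed | workaround-applied
# On Debian the installed version comes from:
#   dpkg-query -W -f='${Version}' libapache2-mod-auth-openidc
assess() {
    if ! version_lt "$1" "$FIXED_VERSION"; then
        echo patched
    elif [ "$(active_strip_cookies "$2" | wc -l | tr -d ' ')" -gt 0 ]; then
        echo exposed
    else
        echo workaround-applied
    fi
}

# Stand-alone run
echo "active OIDCStripCookies directives:"
active_strip_cookies "$CONF_DIR"
echo "2.4.13.1 with directive:    $(assess 2.4.13.1 "$CONF_DIR")"
echo "2.4.13.1 without directive: $(assess 2.4.13.1 "$SAFE_DIR")"
echo "2.4.13.2 with directive:    $(assess 2.4.13.2 "$CONF_DIR")"
```

Run it with CONF_DIR pointed at the Apache configuration root (for example /etc/apache2 on Debian) and the version taken from the package manager or the release tarball. One caveat: distributions sometimes backport the fix without moving to the upstream version number, so on a packaged install compare against the fixed package version named in the distribution's own advisory rather than against 2.4.13.2 alone.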
Patch Information
The vulnerability has been addressed in mod_auth_openidc version 2.4.13.2, released on March 28, 2023. The fix adds proper NULL pointer validation before dereferencing cookie data in the OIDCStripCookies processing logic.
Patch resources:
- GitHub Security Advisory
- Official Release v2.4.13.2
- Security Patch Commit
- Debian Security Advisory DSA-5405
- Debian LTS Announcement
Workarounds
- Remove or comment out the OIDCStripCookies directive from Apache configuration files until patching is complete
- Implement rate limiting on authentication endpoints to reduce the impact of potential DoS attacks
- Deploy a reverse proxy or WAF in front of Apache to filter malicious cookie headers
- Consider temporarily disabling mod_auth_openidc if the service can function without OpenID Connect authentication
# Configuration example - disable OIDCStripCookies as a temporary workaround
# In your Apache configuration file (e.g., /etc/apache2/sites-available/your-site.conf),
# comment out or remove the OIDCStripCookies directive, then reload Apache:
# OIDCStripCookies mod_auth_openidc_session
# Alternatively, confirm the module is loaded, check the installed version,
# and upgrade to 2.4.13.2 or later (Debian/Ubuntu package name shown):
apachectl -M | grep openidc                             # prints auth_openidc_module if loaded
dpkg -s libapache2-mod-auth-openidc | grep '^Version'   # installed package version
apt-get update && apt-get install --only-upgrade libapache2-mod-auth-openidc
apachectl configtest && systemctl reload apache2        # check syntax, then reload
# Or for source installations:
# Download and install v2.4.13.2 from https://github.com/OpenIDC/mod_auth_openidc/releases/tag/v2.4.13.2
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

