A critical vulnerability in Apache Traffic Server (ATS) allows attackers to exploit the server’s handling of chunked messages to execute HTTP request smuggling attacks. Identified as CVE-2024-53868, this flaw can result in serious security threats, including firewall bypass, cache poisoning and session hijacking. The vulnerability affects ATS versions 9.0.0 to 9.2.9 and 10.0.0 to 10.0.4. Patches have been released in versions 9.2.10 and 10.0.5. Users should upgrade to these versions to ensure better security.
Apache Traffic Server (ATS) is a widely adopted, high-performance HTTP proxy server known for its scalability. However, a newly discovered security vulnerability—CVE-2024-53868—poses a serious risk, enabling potential HTTP request smuggling attacks. The issue stems from how ATS processes chunked HTTP messages, allowing attackers to manipulate request handling and potentially bypass security mechanisms for malicious purposes.
What is HTTP request smuggling?
HTTP request smuggling is a web application attack that interferes with the way a web site processes sequences of HTTP requests received from one or more users. By exploiting vulnerabilities in the server’s parsing of these requests, attackers can trick the server into processing them incorrectly, leading to various security issues such as bypassing security controls, gaining unauthorized access to sensitive data, or compromising other users’ interactions with the application.
Request smuggling is primarily associated with HTTP/1 requests. However, websites that support HTTP/2 may be vulnerable, depending on their back-end architecture.
Apache Traffic Server Vulnerability:
The vulnerability CVE-2024-53868 arises from Apache Traffic Server's improper handling of HTTP chunked transfer encoding, a method used to send data in segmented chunks. When faced with malformed chunked messages, ATS does not adequately validate the message structure, leading to a security gap exploitable by attackers.
The flaw specifically relates to how ATS processes malformed chunked message bodies. It incorrectly accepts and forwards requests that include invalid formatting elements, such as carriage returns within chunk-extension whitespace, where only spaces and tabs are allowed.
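The check that was missing can be written down directly from the chunked grammar in RFC 9112 section 7.1. The following strict decoder is an added example, not code from Apache Traffic Server or its patch; the names decode_chunked and ChunkedFramingError and the 16-digit chunk-size cap are assumptions made for illustration. It rejects any chunk-size line whose extension whitespace contains anything other than a space or tab, instead of forwarding it.

```python
import re

# RFC 9112 section 7.1: BWS inside chunk-ext is *( SP / HTAB ), never CR.
BWS = rb"[ \t]*"
TOKEN = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = rb'"(?:[\t \x21\x23-\x5b\x5d-\x7e\x80-\xff]|\\[\t \x21-\x7e\x80-\xff])*"'
EXT = (BWS + rb";" + BWS + TOKEN
       + rb"(?:" + BWS + rb"=" + BWS + rb"(?:" + TOKEN + rb"|" + QUOTED + rb"))?")
# The 16-digit cap on chunk-size is a limit chosen for this example.
CHUNK_LINE = re.compile(rb"([0-9A-Fa-f]{1,16})(?:" + EXT + rb")*")


class ChunkedFramingError(ValueError):
    """The body deviates from the chunked grammar and must be rejected."""


def _read_line(buf: bytes, pos: int) -> tuple[bytes, int]:
    """Return (line without CRLF, offset after CRLF); bare LF is an error."""
    eol = buf.find(b"\n", pos)
    if eol <= pos or buf[eol - 1:eol] != b"\r":
        raise ChunkedFramingError("line not terminated by CRLF")
    return buf[pos:eol - 1], eol + 1


def decode_chunked(body: bytes) -> tuple[bytes, int]:
    """Strictly decode a chunked body; return (payload, bytes consumed)."""
    pos, payload = 0, bytearray()
    while True:
        line, pos = _read_line(body, pos)
        m = CHUNK_LINE.fullmatch(line)
        if m is None:  # e.g. a CR where only SP/HTAB may appear
            raise ChunkedFramingError(f"invalid chunk-size line: {line!r}")
        size = int(m.group(1), 16)
        if size == 0:
            break
        end = pos + size
        if end + 2 > len(body) or body[end:end + 2] != b"\r\n":
            raise ChunkedFramingError("chunk-data not followed by CRLF")
        payload += body[pos:end]
        pos = end + 2
    while True:  # trailer section, terminated by an empty line
        line, pos = _read_line(body, pos)
        if not line:
            return bytes(payload), pos
        if b"\r" in line or b":" not in line:
            raise ChunkedFramingError(f"invalid trailer line: {line!r}")
```

A proxy that fails closed here, answering 400 and closing the connection rather than normalizing and forwarding the message, leaves no room for the front end and the back end to disagree about where the request ends.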
Exploiting this flaw allows an attacker to “smuggle” malicious HTTP requests within legitimate ones, causing the server to process them incorrectly. This is especially concerning, as it enables attackers to manipulate the server’s handling of HTTP traffic, potentially leading to a range of security breaches.
Request smuggling is a serious web vulnerability with potentially wide-reaching impacts. When successfully exploited, it allows attackers to manipulate server behavior in various harmful ways. This can include bypassing security mechanisms like web application firewalls and access control lists, granting unauthorized access to protected resources. The attack may also lead to cache poisoning, where malicious content is stored and later served to unsuspecting users, disrupting normal operations. Additionally, there is a risk of session hijacking, enabling attackers to take over user sessions and compromise sensitive data.
The vulnerable versions of Apache Traffic Server include ATS 9.0.0 to 9.2.9 and ATS 10.0.0 to 10.0.4. Organizations using these versions must upgrade to patched releases to address the security issue. Users on the 9.x branch should update to version 9.2.10 or later, while those on the 10.x branch should upgrade to version 10.0.5 or later.
This vulnerability underscores the critical need for keeping software up to date, particularly for widely used tools like Apache Traffic Server. As web security faces heightened scrutiny, proactively addressing potential vulnerabilities is essential to protecting infrastructure and preserving trust in web services.
The request smuggling vulnerability in Apache Traffic Server poses serious risks to organizations, including unauthorized access to sensitive data by circumventing security controls, manipulation of cached content that can disrupt services, and the potential hijacking of user sessions. These threats could undermine the integrity of web applications, harm reputation, and result in financial losses due to security breaches and downtime.
Organizations using Apache Traffic Server should take the following mitigation steps immediately:
To prevent HTTP request smuggling vulnerabilities:
https://lists.apache.org/thread/rwyx91rsrnmpjbm04footfjjf6m9d1c9