The Cybersecurity and Infrastructure Security Agency (CISA) recently updated its Known Exploited Vulnerabilities (KEV) Catalog, adding two vulnerabilities, CVE-2024-38475 and CVE-2023-44221, that are currently being actively exploited.
These vulnerabilities present substantial cybersecurity risks to organizations, particularly those in the federal sector. Both vulnerabilities have been linked to high-profile products, Apache HTTP Server and SonicWall SMA100, which are widely used in various industries.
CVE-2024-38475: Apache HTTP Server Improper Escaping of Output
One of the newly added vulnerabilities, CVE-2024-38475, affects Apache HTTP Server versions up to 2.4.59. Discovered by security researcher Orange Tsai from DEVCORE, this vulnerability arises due to improper escaping of output in the mod_rewrite module. The flaw allows attackers to manipulate URLs, mapping them to unintended filesystem paths that are typically inaccessible via normal web requests. This could lead to unauthorized code execution or the disclosure of sensitive source code.
This issue specifically affects server contexts where substitutions in mod_rewrite, using backreferences or variables in the first segment of the substitution, can be exploited. As a result, attackers can craft malicious URLs that trick the server into executing arbitrary commands or revealing internal files. Apache has recommended the use of a rewrite flag, “UnsafePrefixStat,” for users who need to maintain compatibility with broken RewriteRules, provided they ensure the substitution is properly constrained.
The vulnerability is classified under CWE-116 (Improper Encoding or Escaping of Output) and affects Apache HTTP Server versions 2.4.0 through 2.4.59. Users are advised to upgrade to the latest patch to mitigate the risks associated with this vulnerability.
CVE-2023-44221: SonicWall SMA100 OS Command Injection
The second vulnerability added to the catalog, CVE-2023-44221, impacts SonicWall’s SMA100 series SSL-VPN appliances. This vulnerability stems from an issue in the SSL-VPN management interface, where improper neutralization of special elements can lead to OS command injection. Attackers with administrative privileges can exploit this flaw to inject arbitrary commands, potentially leading to the execution of malicious commands on the underlying operating system.
This vulnerability has been assigned a CVSS v3 score of 7.2, indicating a high level of severity. It primarily affects SonicWall SMA 200, 210, 400, 410, and 500v models running versions 10.2.1.9-57sv or earlier. SonicWall has released patches to address this issue, urging users to upgrade to version 10.2.1.10-62sv or higher.
CVE-2023-44221 is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command), making it an important vector for remote attackers to compromise systems. SonicWall has also acknowledged that the vulnerability is being actively exploited in the wild, further heightening its potential threat to affected organizations.
Conclusion
CISA plays a pivotal role in identifying and cataloging vulnerabilities to protect federal and private sector systems from active exploitation, as evidenced by its addition of CVE-2024-38475 and CVE-2023-44221 to the Known Exploited Vulnerabilities Catalog. Organizations are urged to take immediate action, such as applying patches for affected Apache HTTP Server versions and upgrading SonicWall SMA100 devices to secure firmware versions, to mitigate these threats.
