CISA Adds Two Vulnerabilities to KEV Catalog

The Cybersecurity and Infrastructure Security Agency (CISA) has added two new vulnerabilities affecting Apache HTTP Server and SonicWall SMA100 appliances to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation. These vulnerabilities pose significant risks to affected systems and require immediate remediation.

1. Apache HTTP Server Vulnerability (CVE-2024-38475)

Overview

  • Description:
    ◦ This vulnerability exists in mod_rewrite within Apache HTTP Server 2.4.59 and earlier.
    ◦ It allows attackers to map URLs to file system locations that should not be accessible, leading to unauthorized file access.
    ◦ Classified under CWE-22 (Path Traversal).
  • Severity:
    ◦ CVSS Score: 9.8 (Critical).
    ◦ Impact: Attackers can access restricted files, potentially leading to data exposure or remote code execution.
  • Affected Versions:
    ◦ Apache HTTP Server 2.4.59 and earlier.

2. SonicWall SMA100 Appliances Vulnerability (CVE-2023-44221)

Overview

  • Description:
    ◦ This vulnerability affects the SonicWall SMA100 SSL-VPN management interface.
    ◦ It allows remote authenticated attackers with administrative privileges to inject arbitrary OS commands, leading to command execution as the ‘nobody’ user.
    ◦ Classified under CWE-78 (OS Command Injection).
  • Severity:
    ◦ CVSS Score: 7.2 (High).
    ◦ Impact: Attackers can execute arbitrary commands, potentially compromising the device and enabling further attacks.
  • Affected Versions:
    ◦ SMA 100 Series devices, including SMA 200, 210, 400, 410, and 500v.
    ◦ Fixed in 10.2.1.10-62sv and higher versions.

3. Exploitation Details

Apache HTTP Server (CVE-2024-38475)

  • Attackers exploit mod_rewrite to bypass access controls and retrieve restricted files.
  • This can lead to data leaks or remote execution of malicious scripts.

SonicWall SMA100 (CVE-2023-44221)

  • Exploitation involves injecting malicious OS commands via the SSL-VPN management interface.
  • Attackers can modify system configurations, exfiltrate data, or establish persistent access.

4. Mitigation Strategies

A. Apply Security Updates

  • Apache HTTP Server: Upgrade to Apache HTTP Server 2.4.60 or later.
  • SonicWall SMA100: Ensure devices are updated to 10.2.1.10-62sv or higher.
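A quick way to turn the two fixed versions above into a fleet check is to parse each product's version string and compare it against the threshold. The script below is an added example written for this article, not CISA, Apache or SonicWall code; the inventory rows, host names and the product labels "apache" and "sma100" are constructed, and only 2.4.59, 2.4.60 and 10.2.1.10-62sv come from the advisory itself.

```python
"""Triage an asset inventory against the fixed versions named in the advisory.

Added example, not part of the advisory. Apache httpd versions are compared
against 2.4.60 and SonicWall SMA100 firmware against 10.2.1.10-62sv. Hosts
whose version string cannot be parsed are reported as 'unknown' rather than
silently treated as patched.
"""
import re

# Thresholds taken from the advisory: first non-vulnerable release of each product.
APACHE_FIXED = (2, 4, 60)
SMA_FIXED = (10, 2, 1, 10, 62)


def parse_apache_version(text):
    """'2.4.59' -> (2, 4, 59); returns None for strings it cannot read."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def parse_sma_version(text):
    """'10.2.1.10-62sv' -> (10, 2, 1, 10, 62); the trailing 'sv' is ignored."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv", text.strip())
    return tuple(int(x) for x in m.groups()) if m else None


# Product label -> (parser, first fixed version). Labels are constructed.
RULES = {
    "apache": (parse_apache_version, APACHE_FIXED),
    "sma100": (parse_sma_version, SMA_FIXED),
}


def triage(inventory):
    """Return {host: status} with status 'vulnerable', 'patched' or 'unknown'."""
    result = {}
    for host, product, version in inventory:
        parser, fixed = RULES[product]
        parsed = parser(version)
        if parsed is None:
            result[host] = "unknown"      # malformed version: verify by hand
        elif parsed < fixed:              # tuple comparison is lexicographic
            result[host] = "vulnerable"
        else:
            result[host] = "patched"
    return result


def vulnerable_hosts(inventory):
    """Sorted list of hosts that still need the update."""
    return sorted(h for h, s in triage(inventory).items() if s == "vulnerable")


# Constructed sample inventory: (host, product, reported version).
INVENTORY = [
    ("web-01", "apache", "2.4.59"),
    ("web-02", "apache", "2.4.60"),
    ("web-03", "apache", "2.4.58"),
    ("vpn-01", "sma100", "10.2.1.9-57sv"),
    ("vpn-02", "sma100", "10.2.1.10-62sv"),
    ("vpn-03", "sma100", "10.2.1.10-63sv"),
    ("vpn-04", "sma100", "unknown build"),
]

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host}: {status}")
```

One caveat when applying this to Apache: distribution packages often backport security fixes without changing the upstream version number, so a host reporting 2.4.59 from a vendor package may already carry the fix. Treat a "vulnerable" result as a prompt to check the vendor's advisory, not as a final verdict.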

B. Restrict Access

  • Limit exposure of Apache mod_rewrite configurations to trusted users.
  • Restrict access to SonicWall SSL-VPN management interfaces using firewall rules.

C. Monitor for Exploitation

  • Deploy Intrusion Detection Systems (IDS) to flag suspicious activity.
  • Audit logs for unauthorized file access or command injection attempts.
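For the Apache side of the log audit, the following is an added example (written for this article, not part of the advisory or of the Apache project) of what such a scan can look like: it parses combined-format access-log lines, URL-decodes the request path twice to expose double-encoded traversal sequences, normalises the path, and flags requests that would escape the document root or land under a restricted prefix. The sample log lines, client addresses and the `RESTRICTED_PREFIXES` list are constructed for illustration.

```python
"""Scan Apache access-log lines for path-traversal indicators.

Added example, not part of the advisory. Each combined-log-format line is
parsed, the request path is decoded (twice, so %252e%252e becomes ..),
and the decoded path is checked for three indicators:
  dot-dot-segment   a literal '..' path segment after decoding
  escapes-docroot   the normalised path resolves above the document root
  restricted-prefix the resolved path falls under a prefix that should
                    never be served to anonymous clients
"""
import posixpath
import re
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed: prefixes that must not be reachable by ordinary requests.
RESTRICTED_PREFIXES = ("/private/", "/admin/config")

# Constructed sample lines in Apache combined log format.
SAMPLE_LOG = """\
203.0.113.10 - - [10/May/2025:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.11 - - [10/May/2025:12:00:02 +0000] "GET /static/../../private/keys.txt HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.12 - - [10/May/2025:12:00:03 +0000] "GET /static/%2e%2e%2f%2e%2e%2fprivate/keys.txt HTTP/1.1" 404 0 "-" "curl/8.0"
203.0.113.13 - - [10/May/2025:12:00:04 +0000] "GET /docs/%252e%252e/private/notes HTTP/1.1" 200 77 "-" "python-requests/2.31"
203.0.113.14 - - [10/May/2025:12:00:05 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def decode_path(target):
    """Drop the query string and URL-decode the path until it stops changing
    (at most twice), so single- and double-encoded sequences are exposed."""
    path = target.split("?", 1)[0]
    for _ in range(2):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify_path(path):
    """Return the list of indicator names that apply to one decoded path."""
    indicators = []
    if ".." in path.split("/"):
        indicators.append("dot-dot-segment")
    # Normalise relative to the document root: a leading '..' means the
    # request resolves above it.
    rel = posixpath.normpath(path.lstrip("/"))
    if rel == ".." or rel.startswith("../"):
        indicators.append("escapes-docroot")
    # Resolve as an absolute path (normpath drops '..' at the root) and
    # compare against the restricted prefixes.
    absolute = posixpath.normpath("/" + path.lstrip("/"))
    if any(absolute.startswith(p) for p in RESTRICTED_PREFIXES):
        indicators.append("restricted-prefix")
    return indicators


def scan_log(text):
    """Parse each line and return one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the scan
        path = decode_path(m["target"])
        indicators = classify_path(path)
        if indicators:
            findings.append({
                "ip": m["ip"],
                "raw": m["target"],
                "decoded": path,
                "indicators": indicators,
                "served": m["status"].startswith("2"),  # 2xx = content returned
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        state = "SERVED" if f["served"] else "blocked"
        print(f"{f['ip']} {state} {f['decoded']} {','.join(f['indicators'])}")
```

The `served` flag is what separates noise from an incident: a 404 on a traversal attempt is reconnaissance, while a 2xx on a restricted path is a file that left the server. Because the advisory describes mod_rewrite mapping URLs to file system locations, a request that reaches a restricted file need not contain any visible traversal sequence in the request line, so a scan like this is a starting point and should be paired with server-side checks of what was actually served.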

5. Compliance Requirements

Federal Agencies

Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies must remediate these vulnerabilities by May 17, 2025.

Conclusion

The addition of CVE-2024-38475 (Apache HTTP Server) and CVE-2023-44221 (SonicWall SMA100) to the KEV Catalog highlights the urgency of patching affected systems. Organizations must prioritize updates and implement security controls to mitigate risks.
