Apache HTTP Server mod_ssl Access Control Bypass Vulnerability via TLS 1.3 Session Resumption

Vulnerability

A vulnerability allowing access control bypass by trusted clients has been identified in Apache HTTP Server mod_ssl configurations. This issue affects versions 2.4.35 through 2.4.63. The vulnerability arises when mod_ssl is set up for multiple virtual hosts, each requiring a different set of trusted client certificates. In such a configuration, a client authorized for one virtual host could access another, unless SSLStrictSNIVHostCheck is enabled in both virtual hosts.

Impact

Exploitation of this vulnerability could lead to unauthorized access to resources on a different virtual host, bypassing access control measures.

Reproduction

To reproduce this vulnerability, configure two virtual hosts on the same Apache server, each with a different set of trusted client certificates. Ensure that SSLStrictSNIVHostCheck is not enabled on either virtual host. A client trusted by one virtual host can then access resources on the other virtual host, bypassing access controls.

Remediation

Users are advised to upgrade to Apache HTTP Server version 2.4.64 or later, where this vulnerability has been fixed.
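As an added example (not part of this advisory or of the Apache project), the following Python script audits a flat httpd configuration for the condition described above: <VirtualHost> blocks that ask clients for a certificate but do not have SSLStrictSNIVHostCheck on. The sample configuration is constructed, Include files are not followed, and the script assumes a global SSLStrictSNIVHostCheck on is inherited by virtual hosts that do not set it themselves.

```python
import re

# Constructed sample httpd config (not from the advisory): two vhosts trust
# different client CAs, but only the first turns on SSLStrictSNIVHostCheck.
SAMPLE_CONFIG = """
<VirtualHost *:443>
    ServerName partner-a.example.test
    SSLVerifyClient require
    SSLCACertificateFile /etc/ssl/partner-a-ca.pem
    SSLStrictSNIVHostCheck on
</VirtualHost>
<VirtualHost *:443>
    ServerName partner-b.example.test
    SSLVerifyClient require
    SSLCACertificateFile /etc/ssl/partner-b-ca.pem
</VirtualHost>
"""


def parse_config(text):
    """Split a flat config (no Include handling) into global directives and
    one directive map per <VirtualHost> (lower-cased name -> list of values)."""
    global_directives, vhosts, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"<VirtualHost\b", line, re.I):
            current = {}
        elif re.match(r"</VirtualHost>", line, re.I):
            vhosts.append(current)
            current = None
        elif not line.startswith("<"):  # ignore nested tags such as <Directory>
            key, value = (line.split(None, 1) + [""])[:2]
            target = global_directives if current is None else current
            target.setdefault(key.lower(), []).append(value.strip())
    return global_directives, vhosts


def find_unprotected_vhosts(text):
    """ServerNames of vhosts that ask for a client certificate but lack
    SSLStrictSNIVHostCheck on, locally or (assumed inherited) globally."""
    global_directives, vhosts = parse_config(text)
    flagged = []
    for d in vhosts:
        verify = [v.lower() for v in d.get("sslverifyclient", [])]
        if not any(v in ("require", "optional", "optional_no_ca") for v in verify):
            continue
        scope = d if "sslstrictsnivhostcheck" in d else global_directives
        strict = scope.get("sslstrictsnivhostcheck", [""])[-1].lower() == "on"
        if not strict:
            flagged.append(d.get("servername", ["<unnamed>"])[0])
    return flagged
```

Running `find_unprotected_vhosts(SAMPLE_CONFIG)` reports only partner-b.example.test; prepending a global `SSLStrictSNIVHostCheck on` clears the finding.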

Added: Jul 10, 2025, 5:39 PM
Updated: Jul 10, 2025, 5:39 PM

Vulnerability Rating

Custom Algorithm

spread: 9.4
impact: 1.3
exploitability: 7.9
remediation: 7.9
relevance: 0.2
threat: 1.6
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.