Apache HTTP Server mod_ssl HTTP Desynchronization Attack via TLS Upgrade

Vulnerability

A vulnerability exists in Apache HTTP Server in some mod_ssl configurations, allowing a man-in-the-middle attacker to hijack an HTTP session through a TLS upgrade. This issue affects versions of Apache HTTP Server through 2.4.63, but only in configurations that use 'SSLEngine optional' to enable TLS upgrades. The vulnerability takes advantage of the HTTP desynchronization caused by the TLS upgrade, allowing the attacker to intercept and manipulate the HTTP session.

Impact

Exploitation of this vulnerability allows HTTP session hijacking: a man-in-the-middle attacker can intercept and potentially manipulate the session's data.

Reproduction

To reproduce this vulnerability, configure Apache HTTP Server with 'SSLEngine optional' to enable TLS upgrades. Then, establish an HTTP connection that can be intercepted by a man-in-the-middle attacker. When the TLS upgrade is initiated, the attacker can hijack the session by desynchronizing the HTTP response, taking advantage of the vulnerable mod_ssl configuration.

Remediation

Users are advised to upgrade to Apache HTTP Server version 2.4.64, which removes support for TLS upgrades and addresses this vulnerability.
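Because the issue is only reachable when a server at or below 2.4.63 carries an active 'SSLEngine optional' directive, a defender's first step is to audit the configuration for that exact condition. The checker below is an added example for this page, not code from the Apache project; the config excerpt and hostnames in it are constructed, and it handles the cases a naive grep gets wrong (case-insensitive directive and argument, indentation, commented-out lines).

```python
import re
from typing import List, Tuple

# Constructed Apache config excerpt (hypothetical hostnames) used as sample input.
SAMPLE_CONFIG = """\
Listen 443
<VirtualHost *:443>
    ServerName secure.example.test
    SSLEngine on
</VirtualHost>
<VirtualHost *:80>
    ServerName upgrade.example.test
    # A commented-out directive is ignored by httpd and must not be reported:
    # SSLEngine optional
    sslengine   Optional
</VirtualHost>
"""

# Apache directive names and the SSLEngine argument are case-insensitive,
# and leading whitespace before a directive is allowed.
_SSLENGINE = re.compile(r"^\s*SSLEngine\s+(\S+)", re.IGNORECASE)


def find_tls_upgrade_sites(config_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, directive) for every active 'SSLEngine optional'.

    Blank lines and '#' comment lines are skipped, as httpd skips them.
    """
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = _SSLENGINE.match(raw)
        if match and match.group(1).lower() == "optional":
            findings.append((lineno, stripped))
    return findings


def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn '2.4.63' into (2, 4, 63) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def is_exposed(config_text: str, httpd_version: str) -> bool:
    """True only when TLS upgrade is enabled AND the build predates the 2.4.64 fix."""
    unfixed = version_tuple(httpd_version) < (2, 4, 64)
    return unfixed and bool(find_tls_upgrade_sites(config_text))
```

Run it over the fully merged configuration (for example the output of `httpd -t -D DUMP_CONFIG`) rather than a single file, so directives pulled in through Include are covered too.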

Added: Jul 10, 2025, 5:21 PM
Updated: Jul 10, 2025, 5:21 PM

Vulnerability Rating

Custom Algorithm

spread: 9.4
impact: 1.3
exploitability: 6.8
remediation: 8.3
relevance: 0.2
threat: 1.6
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.