CVE-2024-1019: 
NixOS vulnerability analysis and mitigation

ModSecurity / libModSecurity versions 3.0.0 to 3.0.11 is affected by a WAF bypass vulnerability (CVE-2024-1019) discovered in January 2024. The vulnerability allows attackers to bypass Web Application Firewall (WAF) rules by submitting specially crafted request URLs. The issue stems from ModSecurity v3's incorrect handling of URL decoding, where it decodes percent-encoded characters in URLs before separating the URL path from the query string component (OWASP Advisory).

The vulnerability occurs because ModSecurity v3 performs URL decoding before separating the URL path component from the query string component, creating an impedance mismatch with RFC-compliant back-end applications. This allows attackers to use percent-encoded question marks ("%3F") to manipulate how ModSecurity identifies the position of the query component, enabling them to hide attack payloads in the URL path and bypass WAF rules. The vulnerability has been assigned a CVSS 3.1 score of 8.6 (HIGH) with attack complexity: low, attack vector: network, and integrity impact: high (OWASP Advisory).

The vulnerability affects ModSecurity variables REQUEST_FILENAME and REQUEST_BASENAME, which are used for path inspection. Rules relying on these variables may be rendered ineffective against exploits. If a backend application uses path components as query parameters, it may be vulnerable to various attacks including SQL injection and Remote Command Execution (RCE), as the WAF protection is effectively bypassed (OWASP Advisory, SecurityOnline).

Users are strongly advised to upgrade to ModSecurity version 3.0.12, which fixes the vulnerability by modifying the request URI processing to separate URL components before performing URL decoding. For systems unable to upgrade immediately, a workaround exists using the REQUEST_URI_RAW variable, which remains unaffected by the URL decoding step. However, this workaround may be cumbersome and could generate false positives with existing rules (OWASP Advisory).

The vulnerability was initially discovered by the OWASP CRS team who reported it to Trustwave Spiderlabs in November 2023. After initial rejection and subsequent acknowledgment of the security impact, the fix was developed and the ModSecurity project was transferred from Trustwave to OWASP. The security community has shown significant interest in this vulnerability, leading to rapid patch adoption and distribution through various channels including Fedora's security updates (OWASP Advisory).