insomnisec/Detections-CVE-2026-23918
GitHub: insomnisec/Detections-CVE-2026-23918
Multi-layer detection rule set for the high-severity Apache HTTP/2 double-free vulnerability (CVE-2026-23918), covering network traffic, host behaviour and post-exploitation artefact identification.
Stars: 0 | Forks: 0
# CVE-2026-23918 "Apache HTTP/2 Double-Free" — Detection & Response Pack

**Published:** 2026-05-04

**CVSSv3:** 8.8 (High)

**Type:** Remote Code Execution / Denial of Service (double-free memory corruption)

**Component:** Apache HTTP Server `mod_http2` (`h2_mplx.c` stream cleanup path)

**Affected versions:** Apache HTTP Server 2.4.66 with HTTP/2 enabled and a multi-threaded MPM

**References:**
- [Apache HTTP Server security advisory](https://httpd.apache.org/security/vulnerabilities_24.html)
- [oss-security disclosure](https://seclists.org/oss-sec/2026/q2/387)
- [Hadrian technical analysis](https://hadrian.io/blog/cve-2026-23918-apache-http-server-double-free-rce-in-http-2-implementation)
- [insomnisec write-up](https://insomnisec.com/posts/2026-05-05-cve-2026-23918-apache-http2-rce_v2/)
## Table of Contents

1. [Vulnerability Summary](#vulnerability-summary)
2. [How the Exploit Works](#how-the-exploit-works)
3. [Detection Architecture: why this pack differs from the LPE pack](#detection-architecture)
4. [Detection Limitations](#detection-limitations)
5. [Immediate Mitigation](#immediate-mitigation)
6. [Suricata Rules](#suricata-rules)
7. [ModSecurity / Coraza Configuration](#modsecurity--coraza-configuration)
8. [Auditd Rules](#auditd-rules)
9. [Wazuh Rules](#wazuh-rules)
10. [YARA Rules](#yara-rules)
11. [MISP Event Template](#misp-event-template)
12. [Patching & Remediation](#patching--remediation)
13. [Key IoCs Reference](#key-iocs-reference)
## Vulnerability Summary

CVE-2026-23918 is a double-free memory corruption vulnerability in the HTTP/2 implementation of Apache HTTP Server 2.4.66, affecting only the stream cleanup path of the `mod_http2` module in `h2_mplx.c`. It allows an unauthenticated remote attacker to crash an Apache worker process (denial of service) using a single TCP connection and two HTTP/2 frames. Under specific conditions present on Debian-family systems and in the official Apache Docker images, the double-free can be shaped into full remote code execution (RCE).

DoS exploitation has been confirmed in the wild, and we have observed large-scale Internet scanning for HTTP/2 endpoints. RCE has been demonstrated in controlled environments, but there is currently no evidence of widespread public RCE exploitation.

MPM prefork is not affected: the vulnerability requires a multi-threaded MPM (worker, event or similar). CVE-2026-23918 affects Apache HTTP Server 2.4.66 only.
## How the Exploit Works
```
Attacker opens HTTP/2 connection to Apache 2.4.66 (mod_http2 loaded, multi-threaded MPM)
└─ Sends HTTP/2 HEADERS frame on stream N (opens the stream)
└─ Immediately sends RST_STREAM on stream N (non-zero error code)
└─ Sent BEFORE the multiplexer has registered the stream
Two nghttp2 callbacks fire in sequence:
├─ on_frame_recv_cb (RST received) → calls h2_mplx_c1_client_rst → m_stream_cleanup
└─ on_stream_close_cb (stream closed) → calls h2_mplx_c1_client_rst → m_stream_cleanup
Result: same h2_stream pointer pushed onto spurge[] cleanup array TWICE
c1_purge_streams() iterates spurge[] and calls h2_stream_destroy() on each entry:
├─ First call: valid — frees the stream
└─ Second call: DOUBLE-FREE — operates on already-freed memory → heap corruption
DoS path (trivial, in the wild):
└─ Heap corruption → SIGABRT in worker process → worker dies → service disruption
RCE path (requires mmap allocator — default on Debian/Ubuntu and official Docker):
└─ Attacker places fake h2_stream struct at freed virtual address via mmap reuse
└─ Points pool cleanup function pointer to system()
└─ Uses Apache scoreboard shared memory (fixed address, ASLR-resistant) as payload container
└─ c1_purge_streams() executes system() with attacker-controlled argument → RCE
```
## Detection Architecture

Copy Fail (CVE-2026-31431) is a **host-side, post-access** vulnerability: the attacker must already be on the system. Detection lives mainly at the syscall layer (auditd, Wazuh), with YARA scanning for PoC scripts on disk.

CVE-2026-23918 is a **network-side, pre-access** vulnerability. The exploit arrives over the network as HTTP/2 protocol frames, before any application code runs. That changes the detection stack substantially:

| Layer | Copy Fail (LPE) | CVE-2026-23918 (RCE) |
|---|---|---|
| **Primary detection** | Auditd syscall rules | Suricata network rules |
| **WAF (ModSecurity)** | Limited: cannot see the exploit | Relevant: anomaly + post-exploitation stages |
| **Auditd** | Core detection | Outcome detection (crashes, post-exploitation stage) |
| **YARA** | Scan for PoC scripts | Scan for web shells (post-exploitation artefacts) |
| **Network IDS** | Not applicable | First-class detection layer |
| **TLS inspection** | Not applicable | Required for full Suricata coverage |

Rule of thumb: for network-level RCE, detect from the outside in (network → WAF → host). For local privilege escalation, detect from the host outward.
## Detection Limitations

**1. TLS ends HTTP/2 visibility.**

Most production Apache deployments serve HTTPS. Without TLS decryption configured, Suricata cannot inspect the contents of encrypted HTTP/2 frames. If your Suricata deployment has no access to TLS session keys or a decrypted mirror, the network-level rules below can only catch:
- Cleartext HTTP/2 (h2c), uncommon in production but present in internal environments
- Network characteristics of TCP connection behaviour (connection counts, TCP-level RST patterns)

For HTTPS deployments, enable Suricata TLS decryption via the `tls-decrypt` setting and session key logging, or rely instead on the WAF (ModSecurity/Coraza) and host-based (auditd/Wazuh) detection layers.

**2. ModSecurity cannot block the exploit trigger.**

The double-free occurs inside the HTTP/2 frame parser, before a complete HTTP request has been assembled and handed to ModSecurity. The WAF only sees the request once frame parsing is complete, by which point the corruption may already have happened. ModSecurity in this pack is used for anomaly detection, rate limiting and post-exploitation detection, not as a blocker for the trigger.

**3. MPM prefork is not affected.**

If your Apache deployment uses `mpm_prefork_module` (single-threaded), this vulnerability does not apply. The bug only manifests in multi-threaded MPMs (`mpm_event_module` or `mpm_worker_module`). Check with `apachectl -V | grep MPM` before deploying rules that could generate false positives on prefork servers.

**4. RCE requires the mmap allocator.**

The RCE path (not the DoS path) requires APR's mmap allocator, which is the default on Debian-family distributions and the official Apache Docker images. RHEL/CentOS-based deployments using jemalloc or the system malloc have a reduced RCE risk but remain fully vulnerable to DoS.

**5. No stable post-exploitation IoCs yet.**

At the time of writing there are no vendor-published IoCs for post-exploitation activity. The YARA and auditd rules for post-exploitation behaviour are based on generic web shell and privilege escalation patterns: they will catch common exploitation outcomes but not sophisticated, customised payloads.
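As an added example (not part of the detection pack), the following Python helper applies the conditions above to one host: it parses `apachectl -V` output for the version and MPM, scans the Apache config for a `Protocols` directive that makes h2/h2c negotiable, and reports DoS versus RCE exposure. The `apachectl -V` output and config snippet are constructed samples; because the allocator is not visible in `apachectl -V`, the mmap precondition is a caller-supplied flag.

```python
"""Exposure triage for CVE-2026-23918 (added example, not from the pack).

Exposure = Apache 2.4.66 + multi-threaded MPM (event/worker) + HTTP/2
negotiable (h2 or h2c listed in a Protocols directive). The allocator
cannot be read from `apachectl -V`, so the RCE precondition is passed in
by the caller (True on Debian-family hosts and official Docker images).
"""
import re
from dataclasses import dataclass

AFFECTED_VERSION = "2.4.66"
THREADED_MPMS = {"event", "worker"}

VERSION_RE = re.compile(r"^Server version:\s+Apache/(\S+)", re.M)
MPM_RE = re.compile(r"^Server MPM:\s+(\w+)", re.M)
# Apache directives are case-insensitive; a Protocols line may sit at server
# level or inside a <VirtualHost>, so leading whitespace is allowed.
PROTOCOLS_RE = re.compile(r"^\s*Protocols\s+(.+?)\s*$", re.I)


@dataclass
class Exposure:
    version: str
    mpm: str
    http2_enabled: bool
    mmap_allocator: bool

    @property
    def dos_exposed(self) -> bool:
        return (self.version == AFFECTED_VERSION
                and self.mpm in THREADED_MPMS
                and self.http2_enabled)

    @property
    def rce_exposed(self) -> bool:
        return self.dos_exposed and self.mmap_allocator


def http2_enabled(config_text: str) -> bool:
    """True if any active Protocols directive lists h2 or h2c.

    With no Protocols directive Apache defaults to http/1.1 only, so a loaded
    mod_http2 is not by itself enough to be exposed. Commented lines are skipped.
    """
    for line in config_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = PROTOCOLS_RE.match(line)
        if m and any(p.lower() in ("h2", "h2c") for p in m.group(1).split()):
            return True
    return False


def assess(apachectl_v: str, config_text: str, mmap_allocator: bool) -> Exposure:
    v = VERSION_RE.search(apachectl_v)
    m = MPM_RE.search(apachectl_v)
    if not v or not m:
        raise ValueError("could not parse 'apachectl -V' output")
    return Exposure(v.group(1), m.group(1).lower(),
                    http2_enabled(config_text), mmap_allocator)


def recommend(e: Exposure) -> str:
    """Map the exposure to the mitigation ladder from the pack."""
    if e.version != AFFECTED_VERSION:
        return f"not affected: Apache {e.version} is not 2.4.66"
    if e.mpm not in THREADED_MPMS:
        return f"not affected: MPM '{e.mpm}' is single-threaded"
    if not e.http2_enabled:
        return "not exposed: HTTP/2 is not negotiable (keep it off until 2.4.67)"
    level = "RCE-EXPOSED" if e.rce_exposed else "DoS-EXPOSED"
    return f"{level}: upgrade to 2.4.67 or set 'Protocols http/1.1' and restart"


# Constructed sample inputs (not captured from a real host)
SAMPLE_APACHECTL_V = """\
Server version: Apache/2.4.66 (Debian)
Server built:   2026-03-01T00:00:00
Architecture:   64-bit
Server MPM:     event
  threaded:     yes (fixed thread count)
    forked:     yes (variable process count)
"""
SAMPLE_CONFIG = """\
# Protocols h2c http/1.1   <- commented out, must be ignored
<VirtualHost *:443>
    ServerName www.example.com
    Protocols h2 http/1.1
</VirtualHost>
"""

if __name__ == "__main__":
    print(recommend(assess(SAMPLE_APACHECTL_V, SAMPLE_CONFIG, mmap_allocator=True)))
```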
## Immediate Mitigation

Apply in order of preference. The later options are more disruptive than the earlier ones, but also more thorough.
```
# Option 1 (Preferred): Upgrade to 2.4.67
# See Patching & Remediation section below
# Option 2: Disable HTTP/2 in Apache config (no reboot required, restart required)
# In httpd.conf or relevant VirtualHost / site config:
# Remove or comment out: Protocols h2 h2c http/1.1
# Replace with: Protocols http/1.1
# Then:
apachectl configtest && sudo systemctl restart apache2
# Option 3: Switch to MPM prefork (eliminates vulnerability entirely — more disruptive)
sudo a2dismod mpm_event mpm_worker
sudo a2enmod mpm_prefork
apachectl configtest && sudo systemctl restart apache2
# Option 4: Reverse proxy HTTP/2 termination
# If nginx, HAProxy, or a CDN is in front of Apache and terminates HTTP/2,
# Apache only receives HTTP/1.1 — confirm your proxy config explicitly:
# nginx: proxy_http_version 1.1; (already the default for upstream connections)
# HAProxy: use-server-close + http/1.1 on backend bind
# Verify with: curl -v --http2 https://your-origin-directly
```
## Suricata Rules

Save as `cve-2026-23918.rules` and reference it in `suricata.yaml`.
```
# =============================================================
# CVE-2026-23918 Apache HTTP/2 Double-Free — Suricata Rules
# =============================================================
# Rule overview:
# 9926231801 — HTTP/2 RST_STREAM with non-zero error code (app layer, high fidelity)
# 9926231802 — RST_STREAM flood threshold (DoS scanning pattern)
# 9926231803 — Raw HTTP/2 RST_STREAM frame detection (h2c / non-TLS fallback)
# 9926231804 — HEADERS+RST rapid sequence targeting HTTP/2 port (behavioral)
# 9926231805 — Apache 2.4.66 version string in response (scanner pre-targeting)
# 9926231806 — Outbound connection from Apache user post-RCE (lateral movement)
# =============================================================
# --- Rule 1: HTTP/2 RST_STREAM with non-zero error code (app layer) ---
# Requires: Suricata HTTP/2 app layer parsing, TLS decryption for HTTPS
# This is the highest-fidelity rule — targets the exact protocol condition that
# triggers the double-free. RST_STREAM with error code 0 (NO_ERROR) is normal
# and common; any non-zero error code in the early-reset context is suspicious.
# Expected false positives: legitimate HTTP/2 connection errors (network issues,
# client bugs). Tune threshold if noisy in your environment.
alert http2 $EXTERNAL_NET any -> $HTTP_SERVERS any \
(msg:"CVE-2026-23918 Apache mod_http2 Double-Free - RST_STREAM with non-zero error code"; \
flow:established,to_server; \
http2.frametype:3; \
http2.errorcode:!0; \
classtype:web-application-attack; \
reference:cve,2026-23918; \
sid:9926231801; rev:1;)
# --- Rule 2: RST_STREAM flood threshold (active DoS/scan pattern) ---
# Triggers after 10 RST_STREAM frames with non-zero error code from one source
# within 30 seconds. This matches the confirmed in-the-wild DoS scanning behavior.
# Lower threshold (e.g., count 5) for higher sensitivity in low-traffic environments.
alert http2 $EXTERNAL_NET any -> $HTTP_SERVERS any \
(msg:"CVE-2026-23918 Apache mod_http2 Double-Free - RST_STREAM flood (active DoS/exploit scan)"; \
flow:established,to_server; \
http2.frametype:3; \
http2.errorcode:!0; \
threshold: type both, track by_src, count 10, seconds 30; \
classtype:denial-of-service; \
reference:cve,2026-23918; \
sid:9926231802; rev:1;)
# --- Rule 3: Raw RST_STREAM frame detection (h2c cleartext / TLS fallback) ---
# Matches the raw HTTP/2 RST_STREAM frame header bytes in cleartext traffic.
# HTTP/2 RST_STREAM frame: 3-byte length (0x000004) | type (0x03) | flags (0x00)
# This does NOT require app-layer HTTP/2 parsing and catches h2c (non-TLS) traffic.
# Higher false positive rate than Rule 1 — use threshold in production.
# For h2c on non-standard ports, adjust destination ports accordingly.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS [80,8080,8000,8443] \
(msg:"CVE-2026-23918 Apache mod_http2 - HTTP/2 RST_STREAM frame detected (cleartext)"; \
flow:established,to_server; \
content:"|00 00 04 03 00|"; depth:5; offset:0; \
threshold: type both, track by_src, count 5, seconds 30; \
classtype:web-application-attack; \
reference:cve,2026-23918; \
sid:9926231803; rev:1;)
# --- Rule 4: HTTP/2 connection preface followed by rapid RST (behavioral) ---
# HTTP/2 client preface begins with "PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n".
# Matching this followed by a rapid close is consistent with DoS scanning tooling
# that establishes a connection, sends the trigger, and moves to the next target.
# Most useful on cleartext h2c; for HTTPS this requires TLS decryption.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS [80,8080,8000] \
(msg:"CVE-2026-23918 Apache mod_http2 - HTTP/2 client preface with rapid RST_STREAM (exploit pattern)"; \
flow:established,to_server; \
content:"PRI * HTTP/2.0|0d 0a 0d 0a|SM|0d 0a 0d 0a|"; depth:24; offset:0; \
content:"|00 00 04 03|"; distance:0; within:512; \
classtype:web-application-attack; \
reference:cve,2026-23918; \
sid:9926231804; rev:1;)
# --- Rule 5: Apache version string exposure (scanner pre-targeting) ---
# Attackers actively scanning for vulnerable Apache 2.4.66 servers will often
# trigger a version-identifying response. Alert on Apache/2.4.66 in server headers.
# Useful for identifying which of your servers are exposed AND being actively scanned.
# Note: ServerTokens Prod in Apache config suppresses the version string (recommended).
alert http $HTTP_SERVERS any -> $EXTERNAL_NET any \
(msg:"CVE-2026-23918 Apache 2.4.66 version string in response - vulnerable version exposed"; \
flow:established,to_client; \
http.header; content:"Apache/2.4.66"; \
classtype:policy-violation; \
reference:cve,2026-23918; \
sid:9926231805; rev:1;)
# --- Rule 6: Suspicious outbound connection from web server host ---
# Post-RCE, an attacker will likely establish a reverse shell or exfiltrate data.
# This rule detects NEW outbound TCP connections (SYN only) originating from
# the HTTP server hosts to external destinations on non-web ports. The source
# port is "any": a reverse shell spawned by a worker leaves from an ephemeral
# port, not from the listening port, so pinning the source port would miss it.
# Tune $HOME_NET and $HTTP_SERVERS to avoid false positives on proxy configurations
# and on servers that legitimately fetch updates or call external APIs.
# This rule pairs with the auditd rule monitoring www-data/apache outbound connects.
alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET ![$HTTP_PORTS,443,80] \
(msg:"CVE-2026-23918 Apache possible post-RCE reverse shell - outbound from web server"; \
flow:to_server; flags:S,12; \
threshold: type limit, track by_src, count 1, seconds 60; \
classtype:trojan-activity; \
reference:cve,2026-23918; \
sid:9926231806; rev:1;)
```
### Tuning Notes

After running in `alert` mode for 24-48 hours, review how rules 3 and 4 fire: legitimate HTTP/2 clients can trigger them in high-traffic environments. If rule 1 (application layer) provides enough signal, move rules 3 and 4 to a lower severity or disable them.

For Suricata deployments with a `stream-depth` limit, make sure the HTTP/2 preface pattern in rule 4 falls within the inspection window.
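As an added example (not part of the pack), the following Python code implements over a cleartext h2c TCP payload what rules 1 to 4 express: it walks the HTTP/2 frame sequence instead of matching only at packet offset 0 as rule 3 does, flags a HEADERS frame immediately followed by a non-zero RST_STREAM on the same stream (rule 1), and applies rule 2's 10-in-30-seconds per-source threshold. The payload is constructed inside the code and `RstFloodTracker` is a name chosen here, not a Suricata concept.

```python
"""HTTP/2 early-reset detector for CVE-2026-23918 (added example, not pack code).

Parses a cleartext h2c TCP payload frame by frame, reports HEADERS followed
directly by RST_STREAM with a non-zero error code on the same stream, and
tracks a per-source sliding-window threshold like Suricata rule 2.
"""
import struct
from collections import defaultdict, deque

PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
HEADERS, RST_STREAM = 0x1, 0x3
FRAME_HDR = 9  # 3-byte length, 1 type, 1 flags, 4 stream id (R bit + 31 bits)


def parse_frames(payload: bytes):
    """Yield (type, flags, stream_id, body) for each complete frame.

    A trailing partial frame is left alone: on a live stream the caller
    would buffer it until the next segment arrives.
    """
    if payload.startswith(PREFACE):
        payload = payload[len(PREFACE):]
    off = 0
    while off + FRAME_HDR <= len(payload):
        length = int.from_bytes(payload[off:off + 3], "big")
        ftype = payload[off + 3]
        flags = payload[off + 4]
        stream_id = int.from_bytes(payload[off + 5:off + 9], "big") & 0x7FFFFFFF
        body = payload[off + FRAME_HDR:off + FRAME_HDR + length]
        if len(body) < length:
            break
        yield ftype, flags, stream_id, body
        off += FRAME_HDR + length


def find_early_resets(payload: bytes):
    """Return [(stream_id, error_code)] for HEADERS -> RST_STREAM(code != 0)
    pairs on the same stream. RST_STREAM with NO_ERROR (0) and resets of
    streams that were not just opened are ignored, as in rule 1."""
    hits, prev = [], None
    for ftype, _flags, sid, body in parse_frames(payload):
        if ftype == RST_STREAM and len(body) == 4:
            code = struct.unpack("!I", body)[0]
            if code != 0 and prev == (HEADERS, sid):
                hits.append((sid, code))
        prev = (ftype, sid)
    return hits


class RstFloodTracker:
    """Sliding-window counter: True when `count` suspicious resets from one
    source fall within `seconds` (rule 2: count 10, seconds 30)."""

    def __init__(self, count: int = 10, seconds: float = 30.0):
        self.count, self.seconds = count, seconds
        self._events = defaultdict(deque)

    def observe(self, src: str, ts: float) -> bool:
        window = self._events[src]
        window.append(ts)
        while window and ts - window[0] > self.seconds:
            window.popleft()
        return len(window) >= self.count


def frame(ftype: int, flags: int, stream_id: int, body: bytes) -> bytes:
    """Serialise one frame; used only to build the constructed sample below."""
    return (len(body).to_bytes(3, "big") + bytes([ftype, flags])
            + stream_id.to_bytes(4, "big") + body)


# Constructed sample: preface, empty SETTINGS, HEADERS on stream 1 (HPACK
# indexed :method GET, :path /, :scheme http) followed directly by RST_STREAM
# CANCEL (8) on stream 1, then a benign NO_ERROR reset on stream 3.
SAMPLE_PAYLOAD = (
    PREFACE
    + frame(0x4, 0, 0, b"")
    + frame(HEADERS, 0x5, 1, b"\x82\x84\x86")
    + frame(RST_STREAM, 0, 1, struct.pack("!I", 8))
    + frame(HEADERS, 0x5, 3, b"\x82\x84\x86")
    + frame(RST_STREAM, 0, 3, struct.pack("!I", 0))
)

if __name__ == "__main__":
    print(find_early_resets(SAMPLE_PAYLOAD))  # [(1, 8)]
```

Note that the `00 00 04 03 00` bytes from rule 3 occur in this payload well past offset 0, which is why a byte match anchored with `offset:0; depth:5;` sees them only when the RST_STREAM frame happens to start a new segment.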
## ModSecurity / Coraza Configuration

### Why ModSecurity is relevant here (but not sufficient)

As noted in the Detection Limitations section, ModSecurity cannot intercept the double-free trigger because the exploit operates at the HTTP/2 frame layer. ModSecurity does, however, provide three valuable layers for this CVE:

1. **Rate limiting**: slows automated DoS scanning and raises the cost of brute-forcing the RCE heap spray
2. **Post-exploitation detection**: if RCE is achieved, the attacker will try to deploy a web shell or execute commands; ModSecurity can catch both
3. **OWASP CRS anomaly scoring**: malformed headers and connection patterns associated with the exploit may accumulate anomaly scores at CRS Paranoia Level 2+

### Apache Configuration Hardening (apply alongside ModSecurity)

Add to `httpd.conf` or an included file. These are Apache directives, not ModSecurity rules, but they reduce the HTTP/2 attack surface:
```
# ============================================================
# CVE-2026-23918 Apache HTTP/2 Hardening Directives
# ============================================================
# Limit concurrent streams per HTTP/2 session (the directive is
# H2MaxSessionStreams; 100 is also its default). The exploit typically
# uses 1 stream, but capping streams per session reduces the rate at
# which a single client can attempt the trigger.
H2MaxSessionStreams 100
# Restrict H2 stream push (unused surface, reduce complexity)
H2Push Off
# Suppress version information in Server headers.
# Prevents trivial identification of vulnerable 2.4.66 instances.
ServerTokens Prod
ServerSignature Off
# Constrain HTTP/2 window size — reduces memory available for heap spray
H2WindowSize 65535
# If HTTP/2 is not required at all:
# Protocols http/1.1
```
### ModSecurity Rules

Save these in your ModSecurity custom rules file (for example `/etc/modsecurity/cve-2026-23918.conf`):
```
# ============================================================
# CVE-2026-23918 ModSecurity Detection Rules
# ============================================================
# Rule IDs 9923918xx — adjust range to fit your local policy.
# ============================================================
# Initialize per-IP request counter in the IP collection
SecAction \
"id:9923918001,\
phase:1,\
nolog,\
pass,\
initcol:ip=%{REMOTE_ADDR},\
setvar:ip.http2_requests=+1,\
expirevar:ip.http2_requests=60"
# Rule 01: Rate limit — block IPs sending more than 30 requests per minute
# Tune the threshold to match your expected legitimate traffic volume.
# This catches automated DoS scanning tools that rapidly recycle connections.
SecRule ip:http2_requests "@gt 30" \
"id:9923918002,\
phase:1,\
deny,\
status:429,\
log,\
msg:'CVE-2026-23918: Rate limit exceeded - possible DoS/exploit scan',\
tag:'CVE-2026-23918',\
tag:'OWASP_CRS/DoS',\
severity:'CRITICAL'"
# Rule 02: Detect abnormal connection error rates from same IP
# Legitimate clients rarely produce rapid sequences of HTTP errors.
# Repeated 400-level errors suggest exploit scanning or fuzzing.
SecAction \
"id:9923918003,\
phase:1,\
nolog,\
pass,\
initcol:ip=%{REMOTE_ADDR}"
SecRule RESPONSE_STATUS "@rx ^(4|5)[0-9]{2}" \
"id:9923918004,\
phase:5,\
nolog,\
pass,\
setvar:ip.error_count=+1,\
expirevar:ip.error_count=120"
SecRule ip:error_count "@gt 20" \
"id:9923918005,\
phase:1,\
log,\
pass,\
msg:'CVE-2026-23918: Elevated error rate from source IP - possible exploit scanning',\
tag:'CVE-2026-23918',\
severity:'WARNING'"
# ============================================================
# POST-EXPLOITATION DETECTION
# The following rules detect outcomes of successful RCE:
# web shell deployment and in-request command execution.
# These are NOT specific to CVE-2026-23918 but are the most
# likely post-exploitation patterns given the Apache context.
# ============================================================
# Rule 03: Web shell detection in POST body — command execution patterns
# Catches PHP web shells that use $_GET/$_POST to pass OS commands.
# Note: if you use legitimate PHP applications, tune false positives carefully.
SecRule REQUEST_BODY \
"@rx (?:system|exec|passthru|shell_exec|popen|proc_open)\s*\(\s*(?:\$_(?:GET|POST|REQUEST|COOKIE)|base64_decode)" \
"id:9923918010,\
phase:2,\
deny,\
status:403,\
log,\
msg:'CVE-2026-23918: Possible web shell command execution in POST body',\
tag:'CVE-2026-23918',\
tag:'WEBSHELL',\
severity:'CRITICAL'"
# Rule 04: Web shell access pattern — direct GET parameter command execution
# Catches requests like: GET /shell.php?cmd=id
# These are the most common web shell interaction patterns.
SecRule ARGS \
"@rx (?:(?:^|[;&|`])\s*(?:id|whoami|uname|cat\s+/etc|ls\s+/|pwd|wget\s+http|curl\s+http|bash\s+-[ci]|nc\s+-[el]|python[23]?\s+-c|perl\s+-e|ruby\s+-e))" \
"id:9923918011,\
phase:2,\
deny,\
status:403,\
log,\
msg:'CVE-2026-23918: OS command injection pattern in request arguments - possible post-exploit web shell',\
tag:'CVE-2026-23918',\
tag:'WEBSHELL',\
severity:'CRITICAL'"
# Rule 05: PHP web shell upload detection
# Catches multipart file uploads containing PHP code.
# If your application accepts PHP file uploads legitimately, tune carefully.
SecRule FILES_TMPNAMES "@inspectFile /etc/modsecurity/util/php-filter.pm" \
"id:9923918012,\
phase:2,\
log,\
deny,\
status:403,\
msg:'CVE-2026-23918: PHP code detected in file upload - possible web shell deployment',\
tag:'CVE-2026-23918',\
tag:'WEBSHELL',\
severity:'CRITICAL'"
# Rule 06: Reverse shell patterns in request data
# Catches common reverse shell one-liners often placed in web shells.
SecRule REQUEST_BODY|ARGS \
"@rx (?:bash\s+-i\s+>&?\s*/dev/tcp|/dev/tcp/[0-9]{1,3}\.[0-9]{1,3}|nc\s+(?:-e|-c)\s+/bin/(?:bash|sh)|python[23]?\s+-c\s+['\"]import\s+socket)" \
"id:9923918013,\
phase:2,\
deny,\
status:403,\
log,\
msg:'CVE-2026-23918: Reverse shell pattern in request - possible post-exploit activity',\
tag:'CVE-2026-23918',\
tag:'REVERSE_SHELL',\
severity:'CRITICAL'"
```
### OWASP CRS Tuning Recommendations

For the strongest anomaly signal without excessive false positives, deploy the CRS at Paranoia Level 2 with anomaly scoring enabled. The trigger's connection behaviour (malformed HTTP/2 causing HTTP/1.x fallback errors, repeated resets) accumulates anomaly points under CRS rules 920xxx and 921xxx and may breach the default `inbound_anomaly_score_threshold` of 5, producing alerts without any custom rules.
## Auditd Rules

Save as `/etc/audit/rules.d/cve-2026-23918.rules`

Reload with: `sudo augenrules --load`
```
## ============================================================
## CVE-2026-23918 Apache HTTP/2 Double-Free — Auditd Rules
## ============================================================
## These rules detect the CONSEQUENCES of exploitation, not the
## trigger. The trigger is a network protocol event and is
## detected by Suricata. These rules catch:
## 1. Apache worker process crashes (DoS outcome)
## 2. Shell execution by the web server user (RCE outcome)
## 3. Web root file creation (web shell deployment)
## 4. Outbound network connections by web server process (reverse shell)
##
## Distribution notes for UID values:
## - Debian/Ubuntu: www-data = uid 33
## - RHEL/Rocky/CentOS: apache = uid 48
## Adjust -F uid= values for your distribution. Use `id www-data`
## or `id apache` to confirm the UID on your systems.
## ============================================================
## --- Apache worker SIGABRT detection (DoS exploitation outcome) ---
## A double-free that reaches the crash path generates SIGABRT (signal 6).
## glibc's abort() raises the signal with tgkill() rather than kill(), so both
## syscalls are watched: for kill() the signal number is argument a1, for
## tgkill() it is a2. Correlate with Apache error log entries (child exited
## with signal 6) and with the kernel's ANOM_ABEND records
## (ausearch -m ANOM_ABEND), which are emitted for any process terminated by
## a core-dumping signal regardless of which syscall delivered it.
-a always,exit -F arch=b64 -S kill -F a1=6 -k cve_2026_23918_sigabrt
-a always,exit -F arch=b32 -S kill -F a1=6 -k cve_2026_23918_sigabrt
-a always,exit -F arch=b64 -S tgkill -F a2=6 -k cve_2026_23918_sigabrt
-a always,exit -F arch=b32 -S tgkill -F a2=6 -k cve_2026_23918_sigabrt
## --- SIGSEGV monitoring (alternative crash path) ---
## Depending on heap state, the double-free may produce a SIGSEGV (signal 11)
## rather than SIGABRT. A fault-generated SIGSEGV is delivered by the kernel
## without any kill() syscall, so these rules only see an explicit kill -11;
## rely on ANOM_ABEND and the Apache error log for the fault case.
-a always,exit -F arch=b64 -S kill -F a1=11 -k cve_2026_23918_sigsegv
-a always,exit -F arch=b32 -S kill -F a1=11 -k cve_2026_23918_sigsegv
## --- Shell execution by web server user (RCE outcome - Debian/Ubuntu) ---
## If RCE is achieved via the mmap allocator path, the attacker's payload
## runs as the Apache worker user (www-data on Debian/Ubuntu, uid=33).
## Legitimate Apache does not exec() a shell. Any execve() of bash/sh/dash
## by www-data is anomalous and warrants immediate investigation.
-a always,exit -F arch=b64 -S execve -F uid=33 -F exe=/bin/bash -k cve_2026_23918_rce_shell_deb
-a always,exit -F arch=b64 -S execve -F uid=33 -F exe=/bin/sh -k cve_2026_23918_rce_shell_deb
-a always,exit -F arch=b64 -S execve -F uid=33 -F exe=/bin/dash -k cve_2026_23918_rce_shell_deb
-a always,exit -F arch=b64 -S execve -F uid=33 -F exe=/usr/bin/python3 -k cve_2026_23918_rce_shell_deb
-a always,exit -F arch=b64 -S execve -F uid=33 -F exe=/usr/bin/perl -k cve_2026_23918_rce_shell_deb
## --- Shell execution by web server user (RCE outcome - RHEL/Rocky, uid=48) ---
-a always,exit -F arch=b64 -S execve -F uid=48 -F exe=/bin/bash -k cve_2026_23918_rce_shell_rhel
-a always,exit -F arch=b64 -S execve -F uid=48 -F exe=/bin/sh -k cve_2026_23918_rce_shell_rhel
## --- Web root file creation (web shell deployment) ---
## Post-RCE, the most common next step is writing a persistent web shell.
## Monitor web root directories for new file creation and write operations.
## Adjust paths for your DocumentRoot configuration.
-w /var/www/html -p wa -k cve_2026_23918_webroot_write
-w /var/www -p wa -k cve_2026_23918_webroot_write
-w /srv/www -p wa -k cve_2026_23918_webroot_write
-w /usr/share/apache2/default-site -p wa -k cve_2026_23918_webroot_write
## --- Outbound network connections by web server user (reverse shell) ---
## Apache workers do not normally initiate outbound TCP connections.
## connect() syscalls by www-data/apache indicate post-exploitation activity.
-a always,exit -F arch=b64 -S connect -F uid=33 -k cve_2026_23918_apache_outbound_deb
-a always,exit -F arch=b64 -S connect -F uid=48 -k cve_2026_23918_apache_outbound_rhel
## --- Apache config and module modification (persistence) ---
## An attacker with RCE may attempt to persist by modifying Apache config
## or dropping a malicious module. Watch for writes to config directories.
-w /etc/apache2 -p wa -k cve_2026_23918_apache_config
-w /etc/httpd -p wa -k cve_2026_23918_apache_config
-w /etc/apache2/mods-enabled -p wa -k cve_2026_23918_apache_mods
```
### Correlating Crash Events with Network Activity

After deployment, use these `ausearch` commands to check for the "crash, then shell" sequence:
```
# Find all CVE-2026-23918 related auditd events from the past 24 hours.
# One key per invocation keeps the output grouped by key.
for k in cve_2026_23918_sigabrt cve_2026_23918_rce_shell_deb \
         cve_2026_23918_rce_shell_rhel cve_2026_23918_webroot_write; do
  echo "== $k =="
  sudo ausearch -k "$k" --start yesterday -i
done
# Look for www-data process trees that include shell execution
sudo ausearch -k cve_2026_23918_rce_shell_deb --start today -i | grep -A5 "exe="
```
## Wazuh Rules

Save as a custom rules file (for example `/var/ossec/etc/rules/local_rules.xml`). The `level` values below are assumed (the pack's original XML attributes did not survive extraction); adjust them to your alerting policy. Rule IDs follow the cross-references the pack uses (113001, 113004, 113009).
```
<group name="cve_2026_23918,apache,http2,">

  <!-- auditd keys match the auditd rules above. Levels are assumed. -->

  <rule id="113001" level="10">
    <decoded_as>auditd</decoded_as>
    <field name="audit.key">cve_2026_23918_sigabrt</field>
    <description>CVE-2026-23918: SIGABRT sent to process — possible Apache worker double-free crash (DoS exploitation)</description>
    <group>cve,denial_of_service,apache,http2,</group>
  </rule>

  <rule id="113002" level="10">
    <decoded_as>auditd</decoded_as>
    <field name="audit.key">cve_2026_23918_sigsegv</field>
    <description>CVE-2026-23918: SIGSEGV sent to process — possible Apache worker memory corruption crash</description>
    <group>cve,denial_of_service,apache,http2,</group>
  </rule>

  <rule id="113003" level="13" frequency="3" timeframe="60">
    <if_matched_sid>113001</if_matched_sid>
    <description>CVE-2026-23918 CRITICAL: Multiple Apache worker SIGABRT crashes within 60 seconds — active DoS exploitation in progress</description>
    <group>cve,denial_of_service,apache,http2,high_confidence,</group>
  </rule>

  <rule id="113004" level="14">
    <decoded_as>auditd</decoded_as>
    <field name="audit.key">cve_2026_23918_rce_shell_deb|cve_2026_23918_rce_shell_rhel</field>
    <description>CVE-2026-23918 CRITICAL: Shell executed by web server user (www-data/apache) — RCE likely achieved, immediate incident response required</description>
    <group>cve,rce,privilege_escalation,apache,http2,high_confidence,</group>
  </rule>

  <rule id="113005" level="9">
    <decoded_as>auditd</decoded_as>
    <field name="audit.key">cve_2026_23918_webroot_write</field>
    <description>CVE-2026-23918: File written to web root directory — possible web shell deployment post-RCE</description>
    <group>cve,rce,webshell,apache,</group>
  </rule>

  <rule id="113006" level="10">
    <decoded_as>auditd</decoded_as>
    <field name="audit.key">cve_2026_23918_apache_outbound_deb|cve_2026_23918_apache_outbound_rhel</field>
    <description>CVE-2026-23918: Outbound TCP connection by web server user — possible reverse shell post-RCE</description>
    <group>cve,rce,reverse_shell,apache,</group>
  </rule>

  <rule id="113007" level="15" frequency="2" timeframe="300">
    <if_matched_sid>113004</if_matched_sid>
    <decoded_as>auditd</decoded_as>
    <field name="audit.key">cve_2026_23918_apache_outbound_deb|cve_2026_23918_apache_outbound_rhel</field>
    <description>CVE-2026-23918 CRITICAL: Shell execution AND outbound connection by web server user — reverse shell active</description>
    <group>cve,rce,reverse_shell,apache,high_confidence,</group>
  </rule>

  <rule id="113008" level="9">
    <decoded_as>auditd</decoded_as>
    <field name="audit.key">cve_2026_23918_apache_config|cve_2026_23918_apache_mods</field>
    <description>CVE-2026-23918: Apache config or module directory modified — possible attacker persistence attempt</description>
    <group>cve,rce,persistence,apache,</group>
  </rule>

  <rule id="113009" level="10">
    <decoded_as>apache-errorlog</decoded_as>
    <regex>child pid \d+ exit signal Aborted|child process \d+ still did not exit|segmentation fault</regex>
    <description>CVE-2026-23918: Apache child process crash in error log — possible double-free DoS exploitation</description>
    <group>cve,denial_of_service,apache,http2,</group>
  </rule>

  <rule id="113010" level="14" frequency="2" timeframe="60">
    <if_sid>113009</if_sid>
    <if_matched_sid>113001</if_matched_sid>
    <description>CVE-2026-23918: Apache error log crash + auditd SIGABRT — high-confidence active DoS, investigate immediately</description>
    <group>cve,denial_of_service,apache,http2,high_confidence,</group>
  </rule>

</group>
```
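As an added example (not part of the pack), this Python code runs the logic of Wazuh rules 113009 and 113003 directly over Apache error log lines: it recognises the worker-crash messages the `<regex>` targets, counts crashes per signal, and raises an alert when the configured number of crashes falls inside a sliding window, the way a `frequency`/`timeframe` rule does. The log lines are constructed samples in the Apache 2.4 error log format.

```python
"""Apache error-log crash-burst detector (added example, not pack code).

Implements what Wazuh rules 113009 and 113003 express, over raw error log
lines: recognise worker crash messages and alert when `count` crashes fall
within `window` seconds of each other. Sample log lines are constructed.
"""
import re
from collections import Counter, deque
from datetime import datetime

# Apache 2.4 error log: [timestamp] [module:level] [pid N:tid M] AHxxxxx: message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<mod>[^:\]]+):(?P<lvl>[^\]]+)\] "
    r"(?:\[pid [^\]]+\] )?(?P<msg>.*)$"
)
# Same alternation as the Wazuh <regex>, with the signal name captured
CRASH_RE = re.compile(
    r"child pid (?P<pid>\d+) exit signal (?P<sig>.+?) \((?P<num>\d+)\)"
    r"|child process (?P<pid2>\d+) still did not exit"
    r"|segmentation fault",
    re.I,
)
TS_FORMAT = "%a %b %d %H:%M:%S.%f %Y"


def parse_crash(line: str):
    """Return (timestamp, signal name) for a worker-crash line, else None.

    Forms without a signal name ('still did not exit', a bare
    'segmentation fault') report the signal as 'unknown'.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    crash = CRASH_RE.search(m.group("msg"))
    if not crash:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    return ts, crash.group("sig") or "unknown"


def crash_signals(lines) -> Counter:
    """Count crashes per signal name, e.g. Counter({'Aborted': 4, ...})."""
    return Counter(p[1] for p in map(parse_crash, lines) if p)


def detect_bursts(lines, count: int = 3, window: int = 60):
    """Timestamps at which the `count`-th crash within `window` seconds is
    seen: one alert per qualifying line, like a Wazuh frequency/timeframe
    rule. A sliding window keeps only crashes newer than `window` seconds."""
    recent, alerts = deque(), []
    for line in lines:
        parsed = parse_crash(line)
        if parsed is None:
            continue
        ts, _sig = parsed
        recent.append(ts)
        while (ts - recent[0]).total_seconds() > window:
            recent.popleft()
        if len(recent) >= count:
            alerts.append(ts)
    return alerts


# Constructed sample (not a real capture): two aborts, a quiet gap, then
# three crashes inside ten seconds.
SAMPLE_LOG = """\
[Mon May 04 10:12:01.000001 2026] [mpm_event:notice] [pid 1200:tid 139700000000000] AH00489: Apache/2.4.66 (Debian) configured -- resuming normal operations
[Mon May 04 10:12:33.123456 2026] [core:notice] [pid 1200:tid 139700000000000] AH00052: child pid 1301 exit signal Aborted (6)
[Mon May 04 10:12:34.001000 2026] [core:notice] [pid 1200:tid 139700000000000] AH00052: child pid 1302 exit signal Aborted (6)
[Mon May 04 10:14:00.000000 2026] [core:notice] [pid 1200:tid 139700000000000] AH00052: child pid 1303 exit signal Segmentation fault (11)
[Mon May 04 10:14:05.500000 2026] [core:notice] [pid 1200:tid 139700000000000] AH00052: child pid 1304 exit signal Aborted (6)
[Mon May 04 10:14:09.250000 2026] [core:notice] [pid 1200:tid 139700000000000] AH00052: child pid 1305 exit signal Aborted (6)
"""

if __name__ == "__main__":
    sample = SAMPLE_LOG.splitlines()
    print(dict(crash_signals(sample)))
    print(detect_bursts(sample))
```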
## YARA Rules

Save as `cve_2026_23918.yar`
```
rule CVE_2026_23918_PostExploit_PHP_WebShell {
    meta:
        description = "Post-exploitation PHP web shell — possible CVE-2026-23918 outcome"
        author = "Detection Engineering"
        reference = "https://insomnisec.com/posts/2026-05-05-cve-2026-23918-apache-http2-rce_v2/"
        cve = "CVE-2026-23918"
        date = "2026-05-08"
        severity = "Critical"
        note = "Not specific to CVE-2026-23918 trigger — detects likely post-exploitation artifacts"
    strings:
        // PHP open tag. Reconstructed: the "<?php" literal was stripped as
        // markup in extraction.
        $php_open = "<?php" ascii nocase
        // Bash /dev/tcp reverse shell. Reconstructed: the condition references
        // $bash_tcp and $bash_rev but their definitions were lost in extraction.
        $bash_tcp = "/dev/tcp/" ascii
        $bash_rev = "bash -i >&" ascii
        // Netcat reverse shell
        $nc_e = "nc -e /bin/" ascii nocase
        $nc_c = "nc -c /bin/" ascii nocase
        $ncat_e = "ncat -e /bin/" ascii nocase
        // Python reverse shell
        $py_socket = "import socket,subprocess" ascii
        $py_pty = "import pty;pty.spawn" ascii
        // Perl reverse shell
        $perl_rev = "perl -e 'use Socket" ascii
        // Common reverse shell via curl/wget pipe to bash
        $curl_bash = "curl http" ascii
        $wget_bash = "wget -O- http" ascii
        $bash_pipe = "|bash" ascii
    condition:
        filesize < 1MB and $php_open and
        (
            ($bash_tcp and $bash_rev)
            or ($nc_e or $nc_c or $ncat_e)
            or ($py_socket and $py_pty)
            or $perl_rev
            or ($curl_bash and $bash_pipe)
            or ($wget_bash and $bash_pipe)
        )
}

rule CVE_2026_23918_ExploitTool_Artifacts {
    meta:
        description = "CVE-2026-23918 exploit tool artifacts — for scanning attacker staging hosts or memory dumps"
        author = "Detection Engineering"
        reference = "https://hadrian.io/blog/cve-2026-23918-apache-http-server-double-free-rce-in-http-2-implementation"
        cve = "CVE-2026-23918"
        date = "2026-05-08"
        severity = "High"
        note = "Matches known PoC tool strings — not expected in production Apache environments"
    strings:
        // h2_mplx.c specific identifiers from public PoC analysis
        $mplx_ref = "h2_mplx_c1_client_rst" ascii
        $spurge_ref = "c1_purge_streams" ascii
        $stream_ref = "h2_stream_destroy" ascii
        // CVE reference strings that appear in PoC tools
        $cve_str = "CVE-2026-23918" ascii
        $version_target = "Apache/2.4.66" ascii
        // HTTP/2 HEADERS + RST_STREAM frame bytes (common in PoC HTTP/2 libraries)
        // HTTP/2 HEADERS frame header: type=0x01
        $h2_headers_frame = { 00 00 ?? 01 }
        // HTTP/2 RST_STREAM frame header: type=0x03 with payload=4
        $h2_rst_frame = { 00 00 04 03 00 }
        // Python h2 library usage (hyper-h2) typical in PoC tools
        $hyper_h2 = "import h2" ascii
        $h2_connection = "H2Connection" ascii
    condition:
        (
            ($mplx_ref or $spurge_ref or $stream_ref)
            or
            ($cve_str and $version_target)
            or
            // Every declared string must be referenced for the rule to compile,
            // so the raw frame headers are required together here.
            ($hyper_h2 and $h2_connection and $h2_headers_frame and $h2_rst_frame)
        )
}
```
## MISP Event Template

Save as `misp_cve_2026_23918.json` and import via MISP → Events → Import.
```
{
"Event": {
"uuid": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
"info": "CVE-2026-23918 Apache mod_http2 Double-Free — Remote DoS and possible RCE",
"threat_level_id": "2",
"analysis": "2",
"date": "2026-05-04",
"Attribute": [
{
"type": "vulnerability",
"category": "External analysis",
"to_ids": false,
"uuid": "b2c3d4e5-f6a7-8901-bcde-f12345678901",
"comment": "CVE identifier",
"value": "CVE-2026-23918"
},
{
"type": "text",
"category": "Other",
"to_ids": false,
"uuid": "c3d4e5f6-a7b8-9012-cdef-012345678902",
"comment": "Vulnerability description",
"value": "Double-free in Apache HTTP Server 2.4.66 mod_http2 h2_mplx.c stream cleanup path. Triggered by HTTP/2 HEADERS frame immediately followed by RST_STREAM with non-zero error code before stream registration. Results in DoS (confirmed in-wild) or RCE (lab-demonstrated) in multi-threaded MPM configurations."
},
{
"type": "text",
"category": "Other",
"to_ids": false,
"uuid": "d4e5f6a7-b8c9-0123-defa-123456789003",
"comment": "Affected component",
"value": "Apache HTTP Server 2.4.66, mod_http2 module, h2_mplx.c — multi-threaded MPM only (event, worker). MPM prefork is NOT affected."
},
{
"type": "text",
"category": "Other",
"to_ids": false,
"uuid": "e5f6a7b8-c9d0-1234-efab-234567890104",
"comment": "RCE precondition",
"value": "RCE requires APR mmap allocator (default on Debian/Ubuntu and official Apache Docker images). Scoreboard at fixed address bypasses ASLR for practical exploitation."
},
{
"type": "text",
"category": "Other",
"to_ids": false,
"uuid": "f6a7b8c9-d0e1-2345-fabc-345678901205",
"comment": "Fix commit — r1930444",
"value": "https://svn.apache.org/viewvc?view=revision&revision=1930444"
},
{
"type": "text",
"category": "Other",
"to_ids": false,
"uuid": "a7b8c9d0-e1f2-3456-abcd-456789012306",
"comment": "Fix commit — r1930796",
"value": "https://svn.apache.org/viewvc?view=revision&revision=1930796"
},
{
"type": "text",
"category": "Other",
"to_ids": true,
"uuid": "b8c9d0e1-f2a3-4567-bcde-567890123407",
"comment": "IoC: HTTP/2 frame trigger sequence",
"value": "HTTP/2 HEADERS frame (type=0x01) immediately followed by RST_STREAM (type=0x03) with non-zero error code, same stream ID, before multiplexer stream registration"
},
{
"type": "text",
"category": "Other",
"to_ids": true,
"uuid": "c9d0e1f2-a3b4-5678-cdef-678901234508",
"comment": "IoC: RST_STREAM frame bytes (raw)",
"value": "00 00 04 03 00 [stream_id 4 bytes] [non-zero error code 4 bytes]"
},
{
"type": "text",
"category": "Other",
"to_ids": true,
"uuid": "d0e1f2a3-b4c5-6789-defa-789012345609",
"comment": "IoC: Server response header (vulnerable version)",
"value": "Server: Apache/2.4.66"
},
{
"type": "text",
"category": "Other",
"to_ids": true,
"uuid": "e1f2a3b4-c5d6-7890-efab-890123456710",
"comment": "Exploitation status",
"value": "DoS exploitation confirmed in the wild. RCE demonstrated in lab conditions; widespread weaponization anticipated."
},
{
"type": "text",
"category": "Other",
"to_ids": false,
"uuid": "f2a3b4c5-d6e7-8901-fabc-901234567811",
"comment": "Immediate mitigation",
"value": "Disable mod_http2: remove 'Protocols h2 h2c' from Apache config and restart. Or switch to MPM prefork. Definitive fix: upgrade to Apache HTTP Server 2.4.67."
},
{
"type": "url",
"category": "External analysis",
"to_ids": false,
"uuid": "a3b4c5d6-e7f8-9012-abcd-012345678912",
"comment": "Apache official advisory",
"value": "https://httpd.apache.org/security/vulnerabilities_24.html"
},
{
"type": "url",
"category": "External analysis",
"to_ids": false,
"uuid": "b4c5d6e7-f8a9-0123-bcde-123456789013",
"comment": "oss-security disclosure",
"value": "https://seclists.org/oss-sec/2026/q2/387"
}
],
"Object": [
{
"name": "vulnerability",
"meta-category": "vulnerability",
"Attribute": [
{
"type": "vulnerability",
"object_relation": "id",
"value": "CVE-2026-23918"
},
{
"type": "cvss-score",
"object_relation": "cvss-score",
"value": "8.8"
},
{
"type": "text",
"object_relation": "summary",
"value": "Apache mod_http2 double-free via HTTP/2 early reset — remote DoS and possible RCE"
}
]
}
]
}
}
```
## Patching & Remediation

### Upgrade Path

| Version | Status | Action |
|---|---|---|
| 2.4.67 | **Patched** | Target version |
| 2.4.66 | **Affected** | Upgrade immediately |
| 2.4.65 and earlier | Not affected by this specific bug | Other known CVEs may apply; consult the advisory |

Per-distribution update commands:

| Distribution | Command |
|---|---|
| Ubuntu / Debian | `sudo apt-get update && sudo apt-get upgrade apache2` |
| RHEL / Rocky / AlmaLinux | `sudo dnf update httpd` |
| Amazon Linux | `sudo dnf update httpd` |
| SUSE / openSUSE | `sudo zypper update apache2` |
| Arch Linux | `sudo pacman -Syu` |

After upgrading, verify:
```
apache2 -v # or httpd -v
# Should show: Apache/2.4.67
```

### Other CVEs Patched in 2.4.67

The 2.4.67 release fixes five CVEs. Alongside CVE-2026-23918, the most significant are:
- **CVE-2026-24072**: privilege escalation on Windows via CGI script handling (Windows deployments only)
- **CVE-2026-24081**: `mod_rewrite` expression evaluation allows `.htaccess` authors to read arbitrary files as the httpd user (affects 2.4.66 and earlier, reported 2026-01-20)
- **CVE-2026-24088**: heap buffer overflow in `mod_proxy_ajp` caused by a malicious AJP backend via crafted AJP messages (affects 2.4.66 and earlier)

Upgrading to 2.4.67 fixes all five in a single operation.
## Key IoCs Reference

| Indicator | Value | Confidence | Notes |
|---|---|---|---|
| Affected version | `Apache/2.4.66` in the Server header | **High** | Presence alone indicates exposure |
| HTTP/2 frame type | RST_STREAM (0x03) with non-zero error code | Medium | Normal connection errors produce the same signature |
| Frame byte pattern | `00 00 04 03 00` (RST_STREAM header) | Medium | Combined with a threshold = High |
| RST flood threshold | >10 RST_STREAM with non-zero error from one source within 30 seconds | **High** | Consistent with in-the-wild DoS tooling |
| SIGABRT to Apache worker | Signal 6 sent to an `httpd`/`apache2` PID | **High** | Normal workers do not abort |
| Shell executed as www-data | `execve()` of bash/sh with uid 33 or 48 | **Critical** | Strong indicator of RCE |
| Outbound connection as Apache user | `connect()` to an external IP with uid 33 or 48 | **Critical** | Strong indicator of a reverse shell |
| Web file created in web root | New `.php`/`.py`/`.sh` written under `/var/www` | **High** | Likely web shell deployment |
| MPM type | `mpm_prefork` | N/A: **not affected** | Verify with `apachectl -V \| grep MPM` |
| RCE precondition | APR mmap allocator | Environment-dependent | Debian/Ubuntu default; not the RHEL default |

*This detection pack is maintained against the Apache HTTP Server security advisories at [httpd.apache.org/security](https://httpd.apache.org/security/). If you observe exploit variants or post-exploitation patterns not covered by these rules, please open an issue.*