On October 4, 2021, Apache announced fixes for a couple of vulnerabilities, including a zero-day flaw that affects Apache HTTP Server version 2.4.49—a widely used open-source, cross-platform web server for Unix and Windows. This actively exploited zero-day vulnerability is called CVE-2021-41773, a Remote Code Execution bug that allows threat actors to map URLs to files outside the expected document root by launching a path traversal and file disclosure attack.
A day later, Apache discovered that their earlier patch for the actively exploited CVE-2021-41773 vulnerability was insufficient and published an upgraded version of 2.4.51. This new path traversal vector is being tracked as CVE-2021-42013. CISA has also issued an alert for these vulnerabilities, which are likely to be exploited in ongoing attacks. Taking the CISA alert into account, we highly recommend users to patch immediately.
Proof-of-Concept: Exacerbating the Issue
Recently, a security researcher posted a PoC exploit in public, quoting that this flaw could be used to execute remote code only when mod_cgi is enabled. Once enabled, an attacker can execute arbitrary programs via HTTP POST requests. A single, seemingly harmless HTTP request targeted at your server might be enough for an attacker to totally seize control of it.
Moreover, this vulnerability is already well known and easy to exploit, with Proof-of-Concept code circulating extensively on Twitter, making it extremely critical to patch immediately.
On October 5, 2021, just a day after the inadequate fix was released, a security analyst developed an Nmap script to detect this path transversal vulnerability.
Possible Data Leakage
Additionally, exploits of this issue may also result in the source leakage of interpreted files, such as CGI scripts. For successful exploitation, the target must be running Apache HTTP Server version 2.4.49 or 2.4.50, and the “Requires All Denied” access control setting must be disabled. However, this appears to be the default configuration. After the disclosure of the PoC, hackers have been able to reproduce the exploit code of the vulnerability.
About these Vulnerabilities
Researchers at Cyber Security Works (CSW) analyzed both the high-impact vulnerabilities from a pentester’s perspective. Here is our analysis:
Successful exploitation could allow unauthorized users to mislead the web server into returning files, which these users should not have been able to access, and lead to further cyberattacks or data breaches.
The vulnerabilities only affect Apache HTTP Server versions 2.4.49 and 2.4.50; those with a different access configuration are not vulnerable to the flaws.
The CVEs have not yet been assigned CVSS scores.
CISA issued an alert to patch these vulnerabilities immediately.
Multiple known exploit codes have been released in the wild. However, the vendor has stated in its advisory that CVE-2021-41773 is “known to be exploited in the wild.”
CVE-2021-41773 and CVE-2021-42013 have both been categorized under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)), which falls under the 2021 CWE Top 10 Most Dangerous Software Weaknesses.
Popular scanners such as Nessus and Qualys were able to detect CVE-2021-41773.
The vulnerabilities are found to be trending in the following regions:
According to the Shodan search engine, there are more than 111,000 open instances of Apache HTTP servers worldwide, with 39% in the United States followed by 10% in Germany.
While the PoC is gaining traction in the wild, these vulnerabilities might soon be leveraged by ransomware groups, resulting in organizations compromising their data. We urge Apache users to protect themselves from these high-impact path traversal vulnerabilities and ensure that Apache Servers run patched versions 2.4.51 and above.
Worried about cyber attacks? Are you sure there are no gaps in your security?
We can help shrink your attack surface. Talk to us!