{"id":7492,"date":"2021-10-08T19:22:42","date_gmt":"2021-10-09T02:22:42","guid":{"rendered":"https:\/\/webdev.securin.xyz\/?p=7492"},"modified":"2023-04-05T12:37:43","modified_gmt":"2023-04-05T19:37:43","slug":"cve-2021-41773-cve-2021-42013-apache-web-servers-are-vulnerable-patch-now","status":"publish","type":"post","link":"https:\/\/10.42.32.162\/articles\/cve-2021-41773-cve-2021-42013-apache-web-servers-are-vulnerable-patch-now\/","title":{"rendered":"CVE-2021-41773 &#038; CVE-2021-42013: Apache Web Servers are Vulnerable, Patch Now!"},"content":{"rendered":"<p dir=\"ltr\">On October 4, 2021, Apache <a href=\"https:\/\/httpd.apache.org\/security\/vulnerabilities_24.html#CVE-2021-33193\">announced<\/a> fixes for a couple of vulnerabilities, including a zero-day flaw that affects Apache HTTP Server version 2.4.49\u2014a widely used open-source, cross-platform web server for Unix and Windows. This actively exploited zero-day vulnerability is called <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021-41773\">CVE-2021-41773<\/a>, a Remote Code Execution bug that allows threat actors to map URLs to files outside the expected document root by launching a path traversal and file disclosure attack.<\/p>\n<p>&nbsp;<\/p>\n<p dir=\"ltr\">A day later, Apache discovered that their earlier patch for the actively exploited CVE-2021-41773 vulnerability was insufficient and published an upgraded version of 2.4.51. This new path traversal vector is being tracked as <a href=\"https:\/\/httpd.apache.org\/security\/vulnerabilities_24.html#CVE-2021-33193\">CVE-2021-42013<\/a>. CISA has also <a href=\"https:\/\/us-cert.cisa.gov\/ncas\/current-activity\/2021\/10\/07\/apache-releases-http-server-version-2451-address-vulnerabilities\">issued<\/a> an alert for these vulnerabilities, which are likely to be exploited in ongoing attacks. Taking the CISA alert into account, we highly recommend users to patch immediately.<\/p>\n<h2 dir=\"ltr\">Proof-of-Concept: Exacerbating the Issue<\/h2>\n<p>&nbsp;<\/p>\n<p dir=\"ltr\">Recently, a security researcher posted a PoC exploit in public, quoting that this flaw could be used to execute remote code only when mod_cgi is enabled. Once enabled, an attacker can execute arbitrary programs via HTTP POST requests. A single, seemingly harmless HTTP request targeted at your server might be enough for an attacker to totally seize control of it.<\/p>\n<p>&nbsp;<\/p>\n<p dir=\"ltr\">Moreover, this vulnerability is already well known and easy to exploit, with Proof-of-Concept code circulating extensively on Twitter, making it extremely critical to patch immediately.<\/p>\n<p>&nbsp;<\/p>\n<p dir=\"ltr\"><img decoding=\"async\" style=\"width: 500px; height: 534px;\" src=\"https:\/\/lh4.googleusercontent.com\/kgxugeC1M01BPTZVgIHKdJRnMevqYpnULP3Bzyz3kYgbBY10LHvev9Pe_gRdyuQW5tHWVcz96sfIlWc4xZf7ZzCdBGgl3twhYe3jfPOw8bdTHA_y1QQObJmS7kdunGJhTlkDo9SA=s0\" \/><\/p>\n<p dir=\"ltr\">On October 5, 2021, just a day after the inadequate fix was released, a security analyst developed an <a href=\"https:\/\/github.com\/RootUp\/PersonalStuff\/blob\/master\/http-vuln-cve-2021-41773.nse\">Nmap script<\/a> to detect this path transversal vulnerability.<\/p>\n<p>&nbsp;<\/p>\n<p dir=\"ltr\"><img decoding=\"async\" style=\"width: 800px; height: 188px;\" src=\"https:\/\/lh3.googleusercontent.com\/FNnhdWcIP_FFcOKNEWG22ELf-F612ar933wc3tZ3jTa9Ra8qDvCApBjiOXHt5kWjWfK4HOsIUdFurrlj8sUG2DkYAHsXlcg3X5EPSig_TzU3qTFf0H3rBivek9iCpZKQriDjl-g5=s0\" \/><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><em><strong>Nmap Script<\/strong><\/em><\/p>\n<p>&nbsp;<\/p>\n<h2 dir=\"ltr\">Possible Data Leakage<\/h2>\n<p>&nbsp;<\/p>\n<p dir=\"ltr\">Additionally, exploits of this issue may also result in the source leakage of interpreted files, such as CGI scripts. For successful exploitation, the target must be running Apache HTTP Server version 2.4.49 or 2.4.50, and the &#8220;Requires All Denied&#8221; access control setting must be disabled. However, this appears to be the default configuration. After the disclosure of the PoC, hackers have been able to reproduce the exploit code of the vulnerability.<\/p>\n<p>&nbsp;<\/p>\n<h2 dir=\"ltr\">About these Vulnerabilities<\/h2>\n<p>&nbsp;<\/p>\n<p dir=\"ltr\">Researchers at Cyber Security Works (CSW) analyzed both the high-impact vulnerabilities from a pentester\u2019s perspective. Here is our analysis:<\/p>\n<p>&nbsp;<\/p>\n<ul>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Successful exploitation could allow unauthorized users to mislead the web server into returning files, which these users should not have been able to access, and lead to further cyberattacks or data breaches.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">The vulnerabilities only affect Apache HTTP Server versions 2.4.49 and 2.4.50; those with a different access configuration are not vulnerable to the flaws.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">The CVEs have not yet been assigned CVSS scores.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">CISA issued an alert to <a href=\"https:\/\/us-cert.cisa.gov\/ncas\/current-activity\/2021\/10\/06\/apache-releases-security-update-apache-http-server\">patch<\/a> these vulnerabilities immediately.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Multiple known exploit codes have been released in the wild. However, the vendor has stated in its <a href=\"https:\/\/httpd.apache.org\/security\/vulnerabilities_24.html#CVE-2021-33193\">advisory<\/a> that CVE-2021-41773 is \u201cknown to be exploited in the wild.\u201d<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\"><a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2021-41773\">CVE-2021-41773<\/a> and CVE-2021-42013 have both been categorized under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory (&#8216;Path Traversal&#8217;)), which falls under the <a href=\"https:\/\/cwe.mitre.org\/top25\/archive\/2021\/2021_cwe_top25.html\">2021 CWE Top 10 Most Dangerous Software Weaknesses<\/a>.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Popular scanners such as Nessus and Qualys were able to detect <a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2021-41773\">CVE-2021-41773<\/a>.<\/p>\n<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p dir=\"ltr\">The vulnerabilities are found to be trending in the following regions:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/eKSl1LJNZCL01CBXbmGZEIxEL-58Kgfj8giHBesiLeyddH8URcag3S_ZzBVRlwzGhtfLi0t-OQEi-gCfxpmCqj7qAZ3-n7rCkaITMKb1rL83817pgMDlnq30vVmwC0IZ1NlqrrUi=s0\" width=\"651\" height=\"191\" \/><\/p>\n<h2 dir=\"ltr\">Exposure Analysis<\/h2>\n<p>&nbsp;<\/p>\n<p dir=\"ltr\">According to the Shodan search engine, there are more than 111,000\u00a0open instances of Apache HTTP servers worldwide, with 39% in the United States followed by 10% in Germany.<\/p>\n<p>&nbsp;<\/p>\n<p dir=\"ltr\"><img decoding=\"async\" style=\"width: 300px; height: 433px;\" src=\"https:\/\/lh5.googleusercontent.com\/A3_aUU3tFvsZ7iEuHvX2xzG2z_wnrv_KXsT7tgCJd4lvngOVXA9Uu2cugfqmXl404PQtDP4rwVQPBn9mEodKVyHJjMT86W_i71sHdIXciS-9Ps8xoEUFd7qrT-u-Zp-htW5BIxEH=s0\" \/><\/p>\n<p>&nbsp;<\/p>\n<p dir=\"ltr\">While the PoC is gaining traction in the wild, these vulnerabilities might soon be leveraged by ransomware groups, resulting in organizations compromising their data. We urge Apache users to protect themselves from these high-impact path traversal vulnerabilities and ensure that Apache Servers run patched versions 2.4.51 and above.<\/p>\n<p>&nbsp;<\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><strong>Worried about cyber attacks? Are you sure there are no gaps in your security?<\/strong><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><strong>We can help shrink your attack surface. <a href=\"https:\/\/cybersecurityworks.com\/get-quote.php\">Talk to us!<\/a><\/strong><\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>On October 4, 2021, Apache announced fixes for a couple of vulnerabilities, including a zero-day flaw that affects Apache HTTP Server version 2.4.49\u2014a widely used open-source, cross-platform web server for Unix and Windows.<\/p>\n","protected":false},"author":1,"featured_media":7493,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":""},"categories":[80,83,123],"tags":[158,446,250,447,139,424,149],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts\/7492"}],"collection":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/comments?post=7492"}],"version-history":[{"count":3,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts\/7492\/revisions"}],"predecessor-version":[{"id":17393,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts\/7492\/revisions\/17393"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/media\/7493"}],"wp:attachment":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/media?parent=7492"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/categories?post=7492"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/tags?post=7492"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}