Apache HTTP Server Vulnerability CVE-2021-41773 and CVE-2021-42013

Update 10/8/2021:

Apache Patches Actively Exploited Directory Traversal Flaw In Popular HTTP Server (again)
The popular Apache HTTP Server has received another update to patch a directory traversal vulnerability affecting versions 2.4.49 and 2.4.50; the earlier 2.4.50 release was thought to fix the issue but did not.
Administrators should verify the affected version and apply updates or mitigations as needed.

Update:
Apache has now announced that it has released 2.4.51 to address an incomplete fix to the directory traversal flaw announced earlier in the week. In addition to the original vulnerability, CVE-2021-41773, they are tracking a new Directory Traversal vulnerability impacting both 2.4.49 and 2.4.50 (CVE-2021-42013).
CISA has released an updated advisory and is warning about active scanning and exploit attempts in the wild.

Background
Originally released in 1995, Apache Software Foundation’s prolific HTTP Server serves approximately 25% of the top million websites, according to Netcraft.
Apache has released an update to patch a new vulnerability in the popular HTTP Server, tracked as CVE-2021-41773.
A Proof of Concept exploit exists and there are various reports of active exploits in the wild.

Vulnerability details
The two vulnerabilities, CVE-2021-41773 and CVE-2021-42013, are flaws that allow a user to traverse outside the traditional HTTP server document root (where the web site application files are stored).
If files outside of the document root are not protected by the “require all denied” configuration (this is the application default), the request can succeed.

This allows for an attacker to access the underlying system data, potentially exposing information such as system configuration files or proprietary CGI script source code.
In addition, BleepingComputer is reporting that a PoC exists that is capable of Remote Code Execution (RCE) if CGI support is enabled through mod_cgi.

Mitigations
This issue only affects Apache 2.4.49 and 2.4.50, but not earlier versions. It is recommended you patch Apache HTTP Server to 2.4.51 or above.

It is highly recommended that you ensure “Require All Denied” is configured for your server if possible. Not only is this an effective mitigation for this vulnerability, but it could harden the system against additional path traversal attacks discovered in the future.

The fact that this vulnerability can be effectively mitigated by software configuration shows the importance of hardening servers according to industry best-practices. This is especially important for publicly facing web servers.
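As an added example (not configuration from the advisory or from the Apache project), a minimal httpd.conf fragment showing the hardened filesystem-root block beside the weakened variant that would let a request outside the document root succeed. The DocumentRoot path is a placeholder; adjust it to your own layout.

```apache
# Hardened form: deny everything on the filesystem by default, then open
# only the document root. This is the stock httpd 2.4 layout and is the
# "Require all denied" mitigation the advisory refers to.
<Directory />
    AllowOverride None
    Require all denied
</Directory>

# Placeholder document root; substitute your own path.
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# Weak variant (shown commented out so this file stays safe to load):
# granting access at the filesystem root means a path that escapes
# DocumentRoot is served instead of answered with 403.
# <Directory />
#     Require all granted
# </Directory>

# The advisory notes RCE is possible if CGI is enabled via mod_cgi.
# Leave the CGI module unloaded unless the server actually needs it.
# LoadModule cgi_module modules/mod_cgi.so
```

Validate the syntax with `httpd -t` (or `apachectl configtest`) before reloading, and confirm that a request for a path outside DocumentRoot now returns 403.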

Resources
Updated CISA advisory
https://us-cert.cisa.gov/ncas/current-activity/2021/10/07/apache-releases-http-server-version-2451-address-vulnerabilities
NVD Entry CVE-2021-41773
https://nvd.nist.gov/vuln/detail/CVE-2021-41773
NVD Entry CVE-2021-42013
https://nvd.nist.gov/vuln/detail/CVE-2021-42013
Apache Release Notes Discussing CVE-2021-41773
https://httpd.apache.org/security/vulnerabilities_24.html
BleepingComputer Article Suggesting RCE Possible If CGI Enabled
https://www.bleepingcomputer.com/news/security/actively-exploited-apache-0-day-also-allows-remote-code-execution/


Original advisory below :

Apache Patches Actively Exploited Directory Traversal Flaw In Popular HTTP Server
The popular Apache HTTP Server has received an update to patch a directory traversal vulnerability. Administrators should verify the affected version and apply updates or mitigations as needed.

Background:
Originally released in 1995, Apache Software Foundation’s prolific HTTP Server serves approximately 25% of the top million websites, according to Netcraft.
Apache has released an update to patch a new vulnerability in the popular HTTP Server, tracked as CVE-2021-41773.
A Proof of Concept exploit exists and there are various reports of active exploits in the wild.

Vulnerability details:
CVE-2021-41773 is a flaw that allows a user to traverse outside the traditional HTTP server document root (where the web site application files are stored).
If files outside of the document root are not protected by the “require all denied” configuration (this is the application default), the request can succeed.

This allows for an attacker to access the underlying system data, potentially exposing information such as system configuration files or proprietary CGI script source code.
In addition, BleepingComputer is reporting that a PoC exists that is capable of Remote Code Execution (RCE) if CGI support is enabled through mod_cgi.

Mitigations:
This issue only affects Apache 2.4.49 and not earlier versions. It is recommended you patch Apache HTTP Server to 2.4.50 or above.

It is highly recommended that you ensure “Require All Denied” is configured for your server if possible. Not only is this an effective mitigation for this vulnerability, but it could harden the system against additional path traversal attacks discovered in the future.

The fact that this vulnerability can be effectively mitigated by software configuration shows the importance of hardening servers according to industry best-practices. This is especially important for publicly facing web servers.


Resources:

NVD Entry
https://nvd.nist.gov/vuln/detail/CVE-2021-41773

Apache Release Notes Discussing CVE-2021-41773
https://httpd.apache.org/security/vulnerabilities_24.html

BleepingComputer Article Suggesting RCE Possible If CGI Enabled
https://www.bleepingcomputer.com/news/security/actively-exploited-apache-0-day-also-allows-remote-code-execution/