Apache HTTP Server Project CVE-2021-41773 Vulnerability Actively Exploited in the Wild

Originally published at: Apache HTTP Server Project CVE-2021-41773 Vulnerability Actively Exploited in the Wild - CloudSEK

Category

Vulnerability Intelligence

Vulnerability Class

Path Traversal, File Disclosure

CVE ID

CVE-2021-41773

CVSS:3.0 Score

N/A

TLP#

GREEN

Reference

*https://en.wikipedia.org/wiki/Intelligence_source_and_information_reliability

#https://en.wikipedia.org/wiki/Traffic_Light_Protocol

Executive Summary

  • CloudSEK’s Threat Intelligence team discovered a post, on a cybercrime forum, describing the newly identified path traversal and file disclosure vulnerability, CVE-2021-42773, in Apache HTTP Server.
  • The Apache HTTP Server Project is an open-source HTTP server for operating systems including UNIX and Windows.
  • This vulnerability is being actively exploited in the wild and has affected only version 2.4.49 of the server.
  • Apache recently released an advisory about the same, along with a patch in version 2.4.50 of the Server.
  • Threat actors can exploit this vulnerability to poison server logs to carry out remote code execution and/ or exfiltrate sensitive data.
  • A new group of Chinese hackers are targeting high ranking officials in Southeast Asia by exploiting vulnerabilities in Apache, Oracle, MS Exchange, etc.
![|1204x416](upload://vdJlbS1MSjqhxqN4DA3wGpFoGu1.png)A threat actor’s post describing CVE-2021-41773 on a cybercrime forum

Analysis


  • Apache HTTP Server is one of the most widely used server software around the world. The vulnerability tracked as CVE-2021-41773 is a path traversal and file disclosure vulnerability in Apache HTTP Server which is being exploited in the wild, as a zero-day.

  • This active exploitation necessitated the release of an expedited patch by Apache, on 05 October 2021.
  • According to the advisory issued by Apache, “An attacker could use a path traversal attack to map URLs to files outside the expected document root.”

  • This problem arises from a flaw in how the Apache server converts between multiple URL path schemes, often known as path normalization. Normalizing a path is the process where the coder modifies the string that identifies a path or a file, so that it conforms to a valid path on the target operating system.
  • Successful exploitation of this vulnerability would give a remote attacker access to arbitrary files outside of the document root on the vulnerable web server.
  • According to the advisory, this flaw could also leak “the source of interpreted files like CGI scripts” which may contain sensitive information that attackers can exploit for further attacks.

Information from Open source

According to a Shodan search, at the time this report was created, there were 112,756 vulnerable versions of the Apache HTTP Server active on the internet.

![A Shodan search shows that there are 112,756 vulnerable versions of Apache HTTP server active on the internet at the time this report was written.|1093x465](upload://5jw3JCdVPOpSU4EzmseriIxP4ML.png)

Impact & Mitigation

Impact Mitigation
  • Attackers could use a path traversal attack to map URLs to files outside the expected document root and access sensitive files, passwords, etc.
  • This flaw could leak the source of interpreted files such as CGI scripts.
  • This vulnerability could even lead to an RCE (Remote code execution) attack by poisoning server logs.
  • RCE can lead to devastating attacks including but not limited to Ransomware campaigns.
  • Immediately update Apache HTTP Server to the patched version 2.4.50.

 

References

Advisory issued by Apache for the vulnerabilities in Apache HTTP Server version 2.4

1 Like