Threat Update
There are two vulnerabilities in Apache HTTP Server version 2.4.49 that are under active exploitation. The first gives an attacker path traversal, file disclosure, and remote code execution (RCE) capabilities. The second allows an attacker to perform a denial of service (DoS) attack against the server.
Technical Detail & Additional Information
WHAT IS THE THREAT?
The first vulnerability, tracked as CVE-2021-41773, is an actively exploited zero-day that allows attackers to map URLs to files outside the expected document root through a path traversal attack. In a path traversal attack, the threat actor sends requests for backend or sensitive server directories that should be inaccessible. Normally, these requests would be blocked. However, this vulnerability allows those filters to be bypassed by using percent-encoded ASCII characters in the URL path. Exploitation may leak the source of interpreted files, such as CGI scripts. Security researchers have also determined that this vulnerability may lead to RCE. The second vulnerability, tracked as CVE-2021-41524, is a NULL pointer dereference that occurs during HTTP/2 request processing; it allows an attacker to perform a DoS attack on the server.
Both vulnerabilities exist only in Apache HTTP Server version 2.4.49, though only the first, CVE-2021-41773, is known to be under active exploitation at this time.
WHY IS IT NOTEWORTHY?
As an open-source, cross-platform web server, Apache HTTP Server is popular for being free and versatile. As a result, thousands of organizations use this technology, and exploitation of its vulnerabilities may have widespread impact. At the time of publication, there are over a hundred thousand Apache HTTP Server 2.4.49 deployments online, exposing a wealth of opportunities for attackers.
WHAT IS THE EXPOSURE OR RISK?
Any organization running Apache HTTP Server 2.4.49, released only a few weeks ago, may be at risk of exploitation of these vulnerabilities. Organizations running other versions of Apache HTTP Server are not at risk from these particular vulnerabilities. For the risk of RCE in particular, a deployment must be running the vulnerable 2.4.49 version, have mod_cgi enabled on the server, and be missing the default “Require all denied” directive from its configuration.
WHAT ARE THE RECOMMENDATIONS?
The Apache Software Foundation has released version 2.4.50 of Apache HTTP Server to address the two vulnerabilities. Barracuda MSP recommends that those running version 2.4.49 upgrade to the latest version, 2.4.50, immediately. Upgrading to 2.4.50 is preferable to relying on access control configuration alone as a mitigation, because on a default installation an attacker may still use the vulnerability to obtain the source code of interpreted files such as CGI scripts.
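While upgrading, a SOC can also check existing access logs for the traversal behaviour described above. The following is an added example, not code from the advisory or from the Apache project: it percent-decodes each requested path and flags requests that climb out of the document root. The log lines are constructed, and the function names are my own.

```python
import re
from urllib.parse import unquote

# Apache common/combined log format: client ident user [time] "METHOD PATH PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def decode_fully(target, max_rounds=3):
    """Percent-decode until the string stops changing (bounded), so an
    encoded '.' cannot hide a '..' segment from the check below."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def escapes_docroot(target):
    """True if the decoded path climbs above the document root.
    Walk the segments and track depth; a '..' that takes depth below
    zero means the request points outside the served tree."""
    path = decode_fully(target.split("?", 1)[0])  # ignore the query string
    depth = 0
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False

def scan_access_log(lines):
    """Return (client, target, status) for every request that escapes the root."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and escapes_docroot(m.group("target")):
            hits.append((m.group("client"), m.group("target"), m.group("status")))
    return hits

# Constructed sample lines (not real traffic): a benign request with an encoded
# space, an encoded traversal that was served, and a literal traversal that was rejected.
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Oct/2021:10:00:01 +0000] "GET /files/report%20final.pdf HTTP/1.1" 200 8123',
    '203.0.113.9 - - [05/Oct/2021:10:00:02 +0000] "GET /cgi-bin/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1451',
    '198.51.100.7 - - [05/Oct/2021:10:00:03 +0000] "GET /icons/../../etc/hosts HTTP/1.1" 400 226',
]

if __name__ == "__main__":
    for client, target, status in scan_access_log(SAMPLE_LOG):
        print(f"{client} requested {target} (status {status})")
```

A status of 200 on a flagged request means the server actually served the file, so those entries deserve the highest priority during triage.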
REFERENCES
For more in-depth information about the recommendations, please visit the following links:
- https://www-bleepingcomputer-com.cdn.ampproject.org/c/s/www.bleepingcomputer.com/news/security/apache-fixes-zero-day-vulnerability-exploited-in-the-wild-patch-now/amp/
- https://www.bleepingcomputer.com/news/security/actively-exploited-apache-0-day-also-allows-remote-code-execution/
- https://nvd.nist.gov/vuln/detail/CVE-2021-41524
- https://nvd.nist.gov/vuln/detail/CVE-2021-41773
If you have any questions, please contact our Security Operations Center.