[TheRecord] Apache fixes actively exploited web server zero-day

The Apache Software Foundation released a security patch on Monday to address a vulnerability in its HTTP Server project that has been actively exploited in the wild.

Tracked as CVE-2021-41773, the vulnerability affects only Apache HTTP Server 2.4.49 and stems from a flaw in a change made to that release's path normalization code (the step that canonicalizes a request URI by resolving `.` and `..` segments and percent-encoded characters before mapping it to a file). Because the normalizer did not treat a percent-encoded dot (such as the segment `.%2e`) as equivalent to `..`, a crafted URL could climb out of the directory it was supposed to be confined to.

“An attacker could use a path traversal attack to map URLs to files outside the expected document root,” the ASF team said in the Apache HTTP Server 2.4.50 changelog.

“If files outside of the document root are not protected by ‘require all denied’ these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts,” Apache engineers added.
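The normalization mistake described above also gives defenders a concrete detection signal: the traversal has to be sent with an encoded dot to slip past the check, and Apache writes the request line to the access log as received. The following Python script is an added example, not code from The Record's article or from the Apache project. It canonicalizes request paths the way a correct normalizer should (percent-decode first, then look for `..`, including a second decode round for double-encoded `%252e`), and runs that over a handful of constructed log lines in Apache's combined format. The IP addresses, timestamps and user agents in `SAMPLE_LOG` are made up for the demonstration.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" log format (not real traffic).
# The second and third entries use the ".%2e" traversal pattern shown in the
# public PoCs for CVE-2021-41773; the last one is double percent-encoded.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Oct/2021:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.9 - - [05/Oct/2021:10:01:15 +0000] "GET /icons/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1765 "-" "curl/7.79.1"
203.0.113.9 - - [05/Oct/2021:10:01:16 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 403 199 "-" "curl/7.79.1"
203.0.113.11 - - [05/Oct/2021:10:02:00 +0000] "GET /docs/../../etc/passwd HTTP/1.1" 400 226 "-" "python-requests/2.26"
203.0.113.12 - - [05/Oct/2021:10:02:30 +0000] "GET /blog/%252e%252e/%252e%252e/etc/shadow HTTP/1.1" 404 196 "-" "-"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD target HTTP/x.y", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)
ENCODED_DOT = re.compile(r'%2e', re.IGNORECASE)


def canonical_segments(raw_target, max_rounds=2):
    """Percent-decode the path (repeatedly, to catch %252e double encoding)
    and split it into segments. Decoding *before* looking for '..' is the
    order that matters: a segment spelled '.%2e' is '..' once decoded."""
    path = raw_target.split('?', 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return [seg for seg in path.split('/') if seg != '']


def escapes_docroot(raw_target):
    """True if the canonical path climbs above the directory it starts in,
    i.e. a correctly normalised request would map outside the document root."""
    depth = 0
    for seg in canonical_segments(raw_target):
        if seg == '.':
            continue
        if seg == '..':
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def scan_log(log_text):
    """Return one record per request that looks like a traversal attempt.
    'succeeded' marks a 200 response; on an unpatched 2.4.49 host whose
    filesystem is not covered by 'Require all denied' that means the file
    outside the document root was actually served."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group('target')
        reasons = []
        if escapes_docroot(target):
            reasons.append('canonical path escapes document root')
        if ENCODED_DOT.search(target):
            reasons.append('percent-encoded dot in path segment')
        if reasons:
            hits.append({
                'ip': m.group('ip'),
                'target': target,
                'status': m.group('status'),
                'succeeded': m.group('status') == '200',
                'reasons': reasons,
            })
    return hits


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        flag = 'SUCCESS' if hit['succeeded'] else 'blocked'
        print(f"{hit['ip']:<14} {hit['status']} {flag:<8} {hit['target']}  "
              f"({'; '.join(hit['reasons'])})")
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file contents. Entries flagged with a 200 status are the ones to treat as confirmed reads and investigate; 403s indicate the filesystem-level `Require all denied` did its job, which is exactly the mitigation the Apache changelog points at.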

Attacks exploiting this bug were spotted by Ash Daulton and the cPanel Security Team, both of whom reported the issue to the Apache team.

Hours after the 2.4.50 version was released, several security researchers were able to reproduce the vulnerability and release multiple proof-of-concept exploits on Twitter and GitHub.

This is fun CVE-2021-41773

https://HOST/xx/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/etc/passwd

@ptswarm do you have a Test Server around for me? 😅 https://t.co/NJJ8BNXTUK pic.twitter.com/WtHoICKcPN

— lofi (@lofi42) October 5, 2021

Just got a working exploit PoC for path traversal in Apache HTTP Server 2.4.49 (CVE-2021-41773) with my collab again @yabeow #bugbountytips 👀 pic.twitter.com/oGHtbWwKHT

— Nguyen The Duc (@ducnt_) October 5, 2021

🔥 We have reproduced the fresh CVE-2021-41773 Path Traversal vulnerability in Apache 2.4.49.

If files outside of the document root are not protected by “require all denied” these requests can succeed.

Patch ASAP! https://t.co/6JrbayDbqG pic.twitter.com/AnsaJszPTE

— PT SWARM (@ptswarm) October 5, 2021

The Apache HTTP Server is currently either #1 or #2 among the most widely used web servers, and more than 120,000 servers are exposed online to these attacks.

The good news is that not all of them run the affected 2.4.49 release: earlier 2.4.x versions do not contain the flawed normalization change and are unaffected. Administrators who have not yet moved to 2.4.49 can skip it entirely and upgrade straight to 2.4.50, and those already on 2.4.49 should upgrade now. Until the upgrade lands, the caveat in Apache's own advisory is the thing to check: the traversal only reaches files that are not already covered by a filesystem-level `Require all denied` (typically the default `<Directory />` block in httpd.conf), so verify that block is present and has not been loosened.

The post Apache fixes actively exploited web server zero-day appeared first on The Record by Recorded Future.
