[TheRecord] Apache fixes actively exploited web server zero-day

The Apache Software Foundation released a security patch on Monday to address a vulnerability in its HTTP Server project that has been actively exploited in the wild.

Tracked as CVE-2021-41773, the vulnerability affects only Apache web servers running version 2.4.49 and occurs because of a bug in how the Apache server converts between different URL path schemes (a process called path or URI normalization).

“An attacker could use a path traversal attack to map URLs to files outside the expected document root,” the ASF team said in the Apache HTTP Server 2.4.50 changelog.

“If files outside of the document root are not protected by ‘require all denied‘ these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts,” Apache engineers added.

Attacks exploiting this bug were spotted by Ash Daulton along with the cPanel Security Team, who reported the issue to the Apache team.

Hours after the 2.4.50 version was released, several security researchers were able to reproduce the vulnerability and release multiple proof-of-concept exploits on Twitter and GitHub.

This is fun CVE-2021-41773

https://HOST/xx/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/etc/passwd

@ptswarm do you have a Test Server around for me? 😅 https://t.co/NJJ8BNXTUK

— lofi (@lofi42) October 5, 2021

Just got a working exploit PoC for path traversal in Apache HTTP Server 2.4.49 (CVE-2021-41773) with my collab again @yabeow #bugbountytips 👀

— Nguyen The Duc (@ducnt_) October 5, 2021

🔥 We have reproduced the fresh CVE-2021-41773 Path Traversal vulnerability in Apache 2.4.49.

If files outside of the document root are not protected by “require all denied” these requests can succeed.

Patch ASAP! https://t.co/6JrbayDbqG

— PT SWARM (@ptswarm) October 5, 2021
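The request shape quoted in the tweets above (segments such as `.%2e` that only become `..` after percent-decoding) is easy to hunt for in existing access logs. The following scanner is an added example, not code from The Record or the Apache project; the log lines are constructed, and the regex assumes Apache's combined log format.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [05/Oct/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [05/Oct/2021:10:01:03 +0000] "GET /xx/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1406 "-" "curl/7.68.0"
203.0.113.12 - - [05/Oct/2021:10:01:04 +0000] "GET /images/.%2E/config.php HTTP/1.1" 403 199 "-" "curl/7.68.0"
203.0.113.13 - - [05/Oct/2021:10:01:05 +0000] "GET /docs/a..b/page.html?x=1 HTTP/1.1" 200 77 "-" "Mozilla/5.0"
"""

# Request line and status code of a combined-format entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+" (?P<status>\d{3})')


def suspicious_segments(target: str) -> list:
    """Classify each path segment of a request target that decodes to '..'.

    'encoded' marks segments such as '.%2e' that only become '..' after
    percent-decoding (the shape that slipped past the 2.4.49 normalizer);
    'literal' marks a plain '..' segment. A name that merely contains dots
    ('a..b') is not a whole '..' segment and is ignored.
    """
    path = target.split("?", 1)[0]  # the query string is not part of the path
    kinds = []
    for seg in path.split("/"):
        if unquote(seg) == "..":
            kinds.append("literal" if seg == ".." else "encoded")
    return kinds


def scan_access_log(log_text: str) -> list:
    """Return one finding per log line whose request path has a '..' segment.

    The status is kept because a 200 on such a request is the case to follow
    up: the server may have served a file from outside the document root.
    A 403 means the request was denied, e.g. by 'require all denied'.
    """
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        kinds = suspicious_segments(m.group("target"))
        if kinds:
            findings.append({"client": line.split(" ", 1)[0],
                             "target": m.group("target"),
                             "status": int(m.group("status")),
                             "encoded": "encoded" in kinds})
    return findings
```

On the sample data the scanner flags the two encoded-dot requests and ignores the `a..b` filename; the 200 on the first flagged line is the one that would need a check of what the server actually returned.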

Currently, the Apache HTTP Server is either #1 or #2 on the list of today’s most used web servers, with more than 120,000 servers currently exposed online to attacks.

The good news is that not all run the latest version, and administrators can easily mitigate the zero-day attacks by skipping the 2.4.49 version and upgrading to 2.4.50 directly.

The post Apache fixes actively exploited web server zero-day appeared first on The Record by Recorded Future.

