Apache HTTP Server CVE-2021-41773 Exploited in the Wild

Post Syndicated from Caitlin Condon original https://blog.rapid7.com/2021/10/06/apache-http-server-cve-2021-41773-exploited-in-the-wild/

On Monday, October 4, 2021, Apache published an advisory on CVE-2021-41773, an unauthenticated remote file disclosure vulnerability in HTTP Server version 2.4.49 (and only in 2.4.49). The vulnerability arises from the mishandling of URL-encoded path traversal characters in the HTTP GET request. Public proof-of-concept exploit code is widely available, and Apache and others have noted that this vulnerability is being exploited in the wild.

While the original advisory indicated that CVE-2021-41773 was merely an information disclosure bug, both Rapid7 and community researchers have verified that the vulnerability can be used for remote code execution when mod_cgi is enabled. While mod_cgi is not enabled in the default Apache HTTP Server configuration, it’s also not an uncommon feature to enable. With mod_cgi enabled, an attacker can execute arbitrary programs via HTTP POST requests. The initial RCE proof of concept resulted in blind command execution, and there have been multiple proofs of concept that coerce the HTTP server into sending the program’s output back to the attacker. Rapid7’s research team has a full root cause analysis of CVE-2021-41773 here along with proofs of concept.
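As an added example (not code from the post or from Rapid7), the following Python scans Apache access-log lines for the encoded-dot traversal described above: it percent-decodes each request path repeatedly, flags requests whose normalized path climbs above the document root, and labels POST requests as the mod_cgi execution pattern and GET requests as file-disclosure attempts. The sample log lines, the field names and the "rce-attempt"/"disclosure-attempt" labels are assumptions.

```python
import re
from urllib.parse import unquote

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def decode_path(target, rounds=3):
    # Decode repeatedly so %2e and double-encoded %252e both become '.'.
    path = target.split("?", 1)[0]
    for _ in range(rounds):
        path = unquote(path)
    return path

def escapes_root(path):
    # True when a '..' segment climbs above the document root.
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False

def classify(line):
    # Finding dict for a root-escaping traversal attempt, None otherwise.
    m = REQUEST_RE.search(line)
    if not m:
        return None
    raw, method = m.group("target"), m.group("method")
    decoded = decode_path(raw)
    if not escapes_root(decoded):
        return None
    return {
        "method": method,
        "decoded_path": decoded,
        # Encoded dots are the form 2.4.49 mishandles; a literal '../' is normally rejected.
        "encoded_dots": "%2e" in raw.lower(),
        "kind": "rce-attempt" if method == "POST" else "disclosure-attempt",  # POST: mod_cgi vector
    }

def scan(log_text):
    return [f for f in map(classify, log_text.splitlines()) if f]

# Constructed sample log lines (not taken from the post).
SAMPLE_LOG = """\
203.0.113.4 - - [06/Oct/2021:10:01:12 +0000] "GET /docs/../images/logo.png HTTP/1.1" 404 209
203.0.113.7 - - [06/Oct/2021:10:01:15 +0000] "GET /cgi-bin/.%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1842
203.0.113.9 - - [06/Oct/2021:10:01:20 +0000] "POST /cgi-bin/%2e%2e/%2e%2e/%2e%2e/bin/sh HTTP/1.1" 200 120
"""
```

Run `scan(SAMPLE_LOG)` to get the two flagged requests; a 200 status on a flagged line is the strongest sign that the server actually served the traversal rather than rejecting it.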

Rapid7 Labs has identified roughly 65,000 potentially vulnerable versions of Apache httpd exposed to the public internet. Our exposure estimate intentionally does not count multiple Apache servers on the same IP as different instances (this would substantially increase the number of exposed instances identified as vulnerable).

Mitigation guidance

Organizations that are using Apache HTTP Server 2.4.49 should determine whether they are using vulnerable configurations. If a vulnerable server is discovered, the server’s configuration file should be updated so that the root <Directory /> block contains Require all denied:

<Directory />
    Require all denied
</Directory>

Apache HTTP Server users should update to 2.4.50 or later as soon as is practical. For more information, see Apache’s advisory here.

Rapid7 customers

A remote vulnerability check is scheduled to be released to InsightVM and Nexpose customers in today’s (October 6, 2021) content update.
