The Apache Software Foundation has patched two Apache HTTP Server vulnerabilities, including a path traversal bug tracked as CVE-2021-41773 that it said is being actively exploited in the wild.
The exploited bug (a path traversal vulnerability) was introduced in release 2.4.49 of the software just three weeks ago. Its abuse is clear reminder how fast attackers find and exploit bugs in software updates.
The open-source HTTP server is the second-most popular web server, used by 30.9% of all websites as of October 2021. A Shodan search suggests that there is well over 100,000 potentially vulnerable Apache HTTP Server 2.4.49 deployments online: users should update to 2.4.50.
The bug, reported by Ash Daulton along with security team at cPanel — a hosting automation provider — was found in a change made to path normalisation in Apache HTTP Server 2.4.49 (just weeks ago) Apache said, adding that “an attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by “require all denied” these requests can succeed. (Not having this on is the default setting in Apache HTTP Server.)
Security researcher Matthew Hickey said on Twitter: “CVE-2021-41773 is in fact also RCE providing mod-cgi is enabled. An attacker can call any binary on the system and supply environment variables (that’s how CGI works!) – if they can upload a file and set +x permissions, they can trivially run commands as Apache user.
As Ax Sharma notes for Sonatype: “The path traversal fix previously made in 2.4.49 did check for presence of path traversal characters (“../”) but was incomplete. It did not take into account the possibility of an attacker providing the percent-encoded versions of these characters. The new fix that went into the “httpd” server version 2.4.50 now checks for “%2E” and “%2e” which is the encoded representation of the dot (“.”).
Sharma adds: “Path Traversal flaws are not to be underestimated either. Despite repeated reminders and advisories issued by Fortinet, the years-old VPN firewall vulnerability (CVE-2018-13379) continues to be exploited even today, because many entities are behind on patching.”