Security Experts:

Apache Releases Another Patch for Actively Exploited HTTP Server Zero-Day

The Apache HTTP Server Project on Thursday announced the release of another update in response to a recently discovered zero-day vulnerability after determining that the initial fix was incomplete.

The vulnerability, tracked as CVE-2021-41773, can be exploited for path traversal and remote code execution. The flaw impacts Apache HTTP Server 2.4.49 and it has been exploited in attacks, so it’s important that organizations install the patches as soon as possible.

Apache HTTP Server 2.4.50 was initially released to patch CVE-2021-41773, but the fix was not sufficient. Another CVE identifier, CVE-2021-42013, has been assigned, and HTTP Server 2.4.51 was released on Thursday in an attempt to deliver a more complete patch.

“An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives,” the developers explained in a new advisory. “If files outside of these directories are not protected by the usual default configuration ‘require all denied’, these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution.”

When the security hole came to light, there were roughly 112,000 potentially vulnerable internet-exposed servers running the affected HTTP Server 2.4.49 version. At the time of writing, that number has dropped to roughly 98,000, with a majority of servers located in North America and Western Europe. The number of servers running version 2.4.50 is currently at 12,000, and only roughly 1,600 have been updated to version 2.4.51, according to data from Shodan.

Proof-of-concept (PoC) exploit code was made public shortly after disclosure, and threat intelligence companies have been seeing attempts to exploit the flaw, as well as internet scans looking for vulnerable systems.

“Since this is primarily a path traversal bug, the majority of the exploitation we see is focused on two specific paths: /etc/ passwd and /bin/ sh. These would make sense, as attackers are going to try and leverage this for access by accessing credentials or obtaining direct access to a shell,” Cisco’s Talos unit explained.

“There appear to be several different groups of actors exploiting this vulnerability,” Talos added. “Some are just scanners that appear to be scanning for potentially vulnerable hosts. Others appear to be iterating through a large list of domains with varying generic HTTP scanning leveraging this vulnerability. And there's another group operating at a much lower volume that are keenly interested in this specific vulnerability.”

It’s unclear exactly when the attacks started. The vulnerability had already been targeted in the wild when version 2.4.50 was released on October 4. Threat intelligence company GreyNoise reported seeing the first scans for CVE-2021-41773 on October 3, at which point a patch had already been committed to the HTTP Server source code — the patch was committed on September 29.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday urged organizations to immediately patch their installations, warning them not to wait until after the holiday weekend.

“CISA is also seeing ongoing scanning of vulnerable systems, which is expected to accelerate, likely leading to exploitation,” the agency said. 

Related: Hackers Scanning for Apache Tomcat Servers Vulnerable to Ghostcat Attacks

Related: Critical Apache Struts Vulnerability Exploited in Live Attacks

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.