Apache CVE-2021-41773 Scanning Tool Shared on Cybercrime Forum

Summary

CloudSEK’s Threat Intelligence team discovered a post, on a cybercrime forum, advertising a scanning tool for the path traversal and file disclosure vulnerability, CVE-2021-41773, in Apache HTTP Server.
Category Vulnerability Intelligence
Vulnerability Class CVE scanning tool
CVE ID CVE-2021-41773
CVSS:3.0 Score 7.5
CVSS Severity High
TLP# GREEN
Reference #https://en.wikipedia.org/wiki/Traffic_Light_Protocol

Executive Summary

  • CloudSEK’s Threat Intelligence team discovered a post, on a cybercrime forum, advertising a scanning tool for the path traversal and file disclosure vulnerability, CVE-2021-41773, in Apache HTTP Server.
  • Apache HTTP Server is an open-source server for UNIX and Windows operating systems. 
  • The scanning tool assists threat actors in identifying vulnerable Apache servers.
  • Apache has released an advisory regarding the same, along with a patch in version 2.4.50.
  • Threat actors can exploit this vulnerability to poison server logs to carry out remote code execution and/ or exfiltrate sensitive data.
A threat actor’s post describing the scanning tool of CVE-2021-41773 on a cybercrime forum
A threat actor’s post describing the scanning tool of CVE-2021-41773 on a cybercrime forum
 

Analysis and Attribution

  • A threat actor posted an advertisement on a cybercrime forum, offering a scanning tool that helps speed up the process of finding Apache servers vulnerable to CVE-2021-42773.
  • Apache HTTP Server is one of the most widely used server software around the world. The vulnerability, tracked as CVE-2021-41773, is a path traversal and file disclosure vulnerability in Apache HTTP Server which is being exploited in the wild, as a zero-day.
  • The scanning tool shared by the threat actor is coded in Python programming language. The package's scripting file is dependent on a separate file that specifies the domain to be scanned, and it eventually informs the user whether the server is vulnerable or not.
  • By analyzing the script file shared by the threat actor, it is evident that its main function is to automate the process of finding vulnerable Apache servers for the vulnerability CVE-2021-41773.
 

The Threat Actor

  • The actor, who joined the forum in Dec 2019, has a medium reputation.
  • Most of their activities are related to sharing/ selling accesses to online shops.
  • Their previous posts and activities indicate that the actor is a coder whose preferred programming language is Python.
 

Source Rating

  • The actor is popular on the forum and has a high number of posts, and responses to other posts. 
  • The information shared by the actor seems reasonably logical and consistent. 
  • Most of the actor’s past activities have been related to access and are usually legitimate.
Hence,
  • The reliability of the actor can be rated Usually reliable (B).
  • The credibility of the advertisement can be rated Possibly true (3).
  • Giving overall source credibility of B3

Impact & Mitigation

Impact Mitigation
  • Attackers could use a path traversal attack to map URLs to files outside the expected document root and access sensitive files, passwords, etc.
  • This flaw could leak the source of interpreted files such as CGI scripts. 
  • This vulnerability could lead to an RCE (Remote code execution) attack by poisoning server logs.
  • RCE can lead to devastating attacks including, but not limited to, Ransomware campaigns. 
  • Immediately update Apache HTTP Server to the patched version 2.4.50.
 

References

  1. Advisory issued by Apache for the vulnerabilities in Apache HTTP Server version 2.4
  2. Link to CloudSEK’s Vulnerability Intelligence Report on Apache CVE-2021-42773
 

Table of Contents

Request an easy and customized demo for free