| Field | Value |
|---|---|
| Category | Vulnerability Intelligence |
| Vulnerability Class | Path Traversal, File Disclosure |
| CVE ID | CVE-2021-41773 |
| CVSS:3.0 Score | N/A |
| TLP# | GREEN |
| Reference | * https://en.wikipedia.org/wiki/Intelligence_source_and_information_reliability ; # https://en.wikipedia.org/wiki/Traffic_Light_Protocol |
Executive Summary
- CloudSEK’s Threat Intelligence team discovered a post, on a cybercrime forum, describing the newly identified path traversal and file disclosure vulnerability, CVE-2021-41773, in Apache HTTP Server.
- The Apache HTTP Server Project is an open-source HTTP server for operating systems including UNIX and Windows.
- This vulnerability is being actively exploited in the wild and has affected only version 2.4.49 of the server.
- Apache recently released an advisory[-1-] for this vulnerability, along with a patch in version 2.4.50 of the server.
- Threat actors can exploit this vulnerability to poison server logs in order to carry out remote code execution and/or exfiltrate sensitive data.
- A new group of Chinese hackers is targeting high-ranking officials in Southeast Asia by exploiting vulnerabilities in Apache, Oracle, MS Exchange, etc.
Analysis
- Apache HTTP Server is one of the most widely used web server software packages in the world. The vulnerability tracked as CVE-2021-41773 is a path traversal and file disclosure vulnerability in Apache HTTP Server that is being exploited in the wild as a zero-day.
- This active exploitation necessitated the release of an expedited patch by Apache, on 05 October 2021.
- According to the advisory issued by Apache, “An attacker could use a path traversal attack to map URLs to files outside the expected document root.”
- This problem arises from a flaw in how the Apache server converts between multiple URL path schemes, a step commonly known as path normalization. Normalizing a path is the process by which the server rewrites the string that identifies a path or a file so that it conforms to a valid path on the target operating system; if encoded characters are handled in the wrong order during that rewrite, a request can resolve to a location the server never intended to expose.
- Successful exploitation of this vulnerability would give a remote attacker access to arbitrary files outside of the document root on the vulnerable web server.
- According to the advisory, this flaw could also leak “the source of interpreted files like CGI scripts” which may contain sensitive information that attackers can exploit for further attacks.
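To make the normalization point concrete, the following added example (written for this report, not code from Apache or CloudSEK) shows the bug class side by side with the safe order of operations, and reuses the safe resolver to flag traversal attempts in constructed access-log lines. The document root `/var/www/html`, the log lines and the IP addresses are all assumed sample values.

```python
import posixpath
import re
from urllib.parse import unquote

DOC_ROOT = "/var/www/html"  # assumed document root for the examples

def fully_unquote(path: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), so double-encoding is undone."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def flawed_resolve(root: str, raw_path: str) -> str:
    """Bug class described in the report: normalise while '%2e' is still
    encoded and decode afterwards. The '..' segments survive normalisation,
    so the filesystem later walks out of the document root."""
    normalised = posixpath.normpath("/" + raw_path.lstrip("/"))
    return posixpath.normpath(root + unquote(normalised))

def safe_resolve(root: str, raw_path: str):
    """Decode first, then normalise relative to the root, then verify the
    result is still inside it. Returns None for a path that escapes."""
    decoded = fully_unquote(raw_path)
    full = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if full != root and not full.startswith(root + "/"):
        return None
    return full

LOG_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def flag_traversal(log_lines, root: str = DOC_ROOT):
    """Return request paths whose decoded, normalised form escapes root."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            path = m.group(1).split("?", 1)[0]  # drop any query string
            if safe_resolve(root, path) is None:
                hits.append(path)
    return hits

# Constructed access-log lines in Apache combined-log style (not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [05/Oct/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [05/Oct/2021:10:00:02 +0000] "GET /cgi-bin/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1024',
    '203.0.113.9 - - [05/Oct/2021:10:00:03 +0000] "GET /images/..%252f..%252fetc/hosts HTTP/1.1" 404 200',
]
```

Running `flag_traversal(SAMPLE_LOG)` returns the two encoded requests and leaves `/index.html` alone; `flawed_resolve` on the first of them yields a path under `/var`, outside the root, which is exactly the outcome the safe resolver refuses.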
Information from Open Sources
According to a Shodan search, at the time this report was created, there were 112,756 vulnerable versions of the Apache HTTP Server active on the internet.
Impact & Mitigation
| Impact | Mitigation |
|---|---|
References
[-1-] Advisory issued by Apache for the vulnerabilities in Apache HTTP Server version 2.4