Home / About / Threat Intelligence / Apache 2.4.49 Being Exploited in the Wild

Overview

Apache has released a fix for a path traversal vulnerability (CVE-2021-41773) in their web server.

Their advisory describes it as a “file disclosure” issue but the exploitability of this bug actually depends on the server configuration.

With default settings, an attacker could use it to read files stored outside of the usual hosted directory.
If mod-cgi is enabled it can be used to execute binaries on the server.

Proof of Concept code is already being shared on Twitter.

Impact

By default, the bug would allow a remote attacker to read files from the server outside of the hosted directory.

This could be used to leak sensitive information such as credentials, environmental info or source code for the website.

If mod-cgi is enabled then a remote attacker could execute code on the server.

Vulnerability Detection

The running version of Apache is sent in an HTTP header by default so this can be detected remotely by looking at an HTTP request.

`curl –head yourwebsite.com`

Affected Products

Apache HTTP Server 2.4.49

Containment, Mitigations & Remediations

Update Apache.

Indicators of Compromise

Exploitation attempts will be recorded in the web request logs.

Check for the string `/%2e%2e/`

Threat Landscape

At the time of writing, (Shodan shows) 100,000 vulnerable machines connected to the Internet.

Mitre Methodologies

-T1190 – Exploit Public-Facing Application

Further Information

Apache HTTP Server 2.4 vulnerabilities