Apache 2.4.49 Being Exploited in the Wild

Overview

Apache has released a fix for a path traversal vulnerability (CVE-2021-41773) in their web server.

Their advisory describes it as a “file disclosure” issue but the exploitability of this bug actually depends on the server configuration.

With default settings, an attacker could use it to read files stored outside of the usual hosted directory.
If mod_cgi is enabled, it can be used to execute binaries on the server.

Proof of Concept code is already being shared on Twitter.

Impact

By default, the bug would allow a remote attacker to read files from the server outside of the hosted directory.

This could be used to leak sensitive information such as credentials, environment information or source code for the website.

If mod_cgi is enabled, then a remote attacker could execute code on the server.

Vulnerability Detection

The running version of Apache is sent in an HTTP header by default, so this can be detected remotely by looking at the headers returned for an HTTP request.

`curl --head yourwebsite.com`

Affected Products

Apache HTTP Server 2.4.49

Containment, Mitigations & Remediations

Update Apache.

Indicators of Compromise

Exploitation attempts will be recorded in the web request logs.

Check for the string `/%2e%2e/`
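
An added example, not part of the original bulletin: a Python scan of Apache access-log lines for the `/%2e%2e/` string above. It goes slightly beyond the bulletin by also matching upper-case and half-encoded forms of the same path segment; the common/combined log format, the function name `scan` and the sample lines are assumptions constructed for illustration.

```python
import re

# Apache common/combined log prefix: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+'
)

# A ".." path segment with at least one dot written as %2e, any letter case.
# /%2e%2e/ is the bulletin's string; .%2e and %2e. are the added mixed forms.
TRAVERSAL_RE = re.compile(r'/(?:%2e%2e|\.%2e|%2e\.)(?=/|\?|$)', re.IGNORECASE)

# Constructed sample log lines (documentation IP ranges, placeholder paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Oct/2021:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '198.51.100.7 - - [06/Oct/2021:10:02:40 +0000] '
    '"GET /static/%2e%2e/%2e%2e/placeholder.txt HTTP/1.1" 403 199',
    '203.0.113.5 - - [06/Oct/2021:10:03:05 +0000] '
    '"GET /static/.%2E/.%2E/placeholder.txt HTTP/1.1" 200 512',
    # %2e inside a file name is not a dot segment and must not match.
    '192.0.2.10 - - [06/Oct/2021:10:04:00 +0000] '
    '"GET /docs/v2.4%2e1/notes.html HTTP/1.1" 200 2048',
]

def scan(lines):
    """Return one dict per log line whose request target has an encoded '..' segment."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line; skip rather than guess
        parts = m["request"].split(" ")
        target = parts[1] if len(parts) >= 2 else m["request"]
        if not TRAVERSAL_RE.search(target):
            continue
        status = int(m["status"])
        hits.append({
            "line": lineno, "client": m["host"], "time": m["time"],
            "target": target, "status": status,
            # A 2xx status means the server returned content: triage these first.
            "served": 200 <= status < 300,
        })
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Hits with `served` set to true are the ones to investigate first, since the server answered the traversal request with content rather than an error.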

Threat Landscape

At the time of writing, Shodan shows 100,000 vulnerable machines connected to the Internet.

MITRE Methodologies

- T1190 – Exploit Public-Facing Application

Further Information

Apache HTTP Server 2.4 vulnerabilities