This past Monday, October 4th, Apache disclosed a vulnerability introduced on Apache HTTP Server 2.4.49 known as CVE-2021-41773. At the same time, update 2.4.50 was released, fixing this vulnerability. The vulnerability allows an attacker to bypass Path traversal protections, using encoding, and read arbitrary files on the webserver’s file system. Both Linux and Windows servers running this version of Apache are affected.
This vulnerability was introduced on 2.4.49, on a patch that aimed to improve performance in the validation of the URL. The new validation method could be bypassed by encoding the ‘.’ character. If the Apache webserver configuration is not set to “Require all denied”, the exploitation is relatively trivial. By encoding these characters and modifying an URL with the payload, a classic path traversal is possible.
Due to the simple exploitation of this vulnerability there are already several public Proof of Concept scripts available on the internet. A simple demo can also be made using curl, as the attacker needs only to go back through enough directories to access the root of the server with a slight modification that disrupts the normalization of the URL.
It is also possible to perform Remote Code Execution if mod_cgi is enabled by using a URL prefixed by /cgi-bin/, which is a functionality not used in modern web technologies. However, many older web deployments still rely on it to function.
Exploitation in the wild and version popularity
It has been confirmed that this vulnerability has been exploited in the wild before the release of patch 2.4.50, making this vulnerability a 0day. Our research has detected that several users on dark web forums are already actively researching this vulnerability, trying to exploit it on public servers.
The first image shows an attacker describing how to exploit the vulnerability, along with advice on how to mitigate it. In the second image, a different attacker has successfully exploited the vulnerability to obtain a list of users on the machine and is requesting help leveraging it to gain a foothold on the machine:
1. Vulnerability advice by a user in an underground forum
2. Attacker requesting help in leveraging the vulnerability to gain a foothold
The vulnerable version was released on September 15th 2021, but luckily it had not yet been included in any major Linux distribution repositories (Ubuntu, for example, is still at 2.4.41). According to Shodan, 112,000 active deployments of the affected version are on the public internet, compared to the 1,719,000 total active Apache installations.
3. Shodan findings for Apache servers running vulnerable version versus other versions
The recommended mitigation, in this case, is to update as soon as possible to version 2.4.50, already available for download on the Apache website. Blueliv does not recommend trying to mitigate the vulnerability by using access control because even if set correctly, an attacker could still exploit the vulnerability to obtain the source code of any CGI script.
After the writing of this post, it has been discovered that 2.4.50 does not fully remediate the path traversal attack as was stated in the patch notes, as it can still be exploited using double encoding. Apache has released a new version, 2.4.51 which according to Apache it now fully remediates this issue. It is recommended to update to this last version or use a previous version which has been thoroughly tested, such as the ones found in the repositories of main linux distributions