Remote Code Execution Vulnerability in Apache (CVE-2021-42013)

The Apache Software Foundation has announced another security update to fix the insufficient patch for CVE-2021-41773, which was known to be exploited in the wild.

Overview

The Apache Software Foundation has announced yet another security update to patch a critical Remote Code Execution (RCE) vulnerability in the Apache HTTP Server. It turns out that the previous update, version 2.4.50, was insufficient to remediate the zero-day path traversal vulnerability (CVE-2021-41773) that was known to be exploited in the wild.

Description

On October 4, 2021, the Apache Software Foundation released Apache HTTP Server version 2.4.50 to address two new vulnerabilities in the product.

One of the patched flaws was a zero-day path traversal vulnerability (CVE-2021-41773) that was known to be exploited in the wild. The second vulnerability (CVE-2021-4152) was a null pointer dereference issue that would allow adversaries to conduct Denial of Service (DoS) attacks on the web server via specially crafted requests.

After this initial update, researchers found that the fix for the path traversal vulnerability (CVE-2021-41773) was insufficient, as the ramifications of the vulnerability were not limited to arbitrary file reads.

It was discovered that adversaries could also conduct Remote Code Execution (RCE) attacks if the Apache HTTP Server was configured in a certain way. In more detail, an attacker could exploit the vulnerability to map URLs to files outside the directories configured by Alias directives, unless the document root is protected by "Require all denied". If CGI scripts are also enabled for these aliased paths, this could lead to RCE attacks.

To patch the vulnerability, the Apache Software Foundation issued a new version (2.4.51) on October 7, 2021 and assigned the flaw another CVE identifier, CVE-2021-42013. Note that this issue only affects Apache 2.4.49 and Apache 2.4.50, not earlier versions. Also note that CVE-2021-42013 is exploited in the wild too, as confirmed by the Cybersecurity & Infrastructure Security Agency (CISA).
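The exposure conditions described above (affected version, root not protected by "Require all denied", CGI enabled) can be checked against a server's version banner and configuration text. The following is an added example, not code from the original page or from the Apache project; the function names and the sample configurations are constructed, and it assumes a single configuration file (no Include handling) and treats a loaded mod_cgi/mod_cgid as "CGI enabled".

```python
import re

AFFECTED = {"2.4.49", "2.4.50"}  # versions the advisory names as affected

def strip_comments(conf):
    """Drop blank lines and '#' comment lines from httpd configuration text."""
    lines = (ln.strip() for ln in conf.splitlines())
    return [ln for ln in lines if ln and not ln.startswith("#")]

def root_denied(lines):
    """True if a <Directory /> block contains 'Require all denied'."""
    inside = False
    for ln in lines:
        if re.match(r'<Directory\s+"?/"?\s*>', ln, re.I):
            inside = True
        elif re.match(r"</Directory>", ln, re.I):
            inside = False
        elif inside and re.match(r"Require\s+all\s+denied\b", ln, re.I):
            return True
    return False

def audit(version_banner, conf):
    """Return findings for one server, given `httpd -v` output and config text."""
    m = re.search(r"Apache/(\d+\.\d+\.\d+)", version_banner)
    version = m.group(1) if m else None
    lines = strip_comments(conf)
    # Assumption: a loaded CGI module is used as the signal that CGI is enabled.
    cgi = any(re.match(r"LoadModule\s+cgid?_module\b", ln, re.I) for ln in lines)
    findings = []
    if version in AFFECTED:
        findings.append(f"version {version} is affected; update to 2.4.51")
        if not root_denied(lines):
            findings.append("filesystem root is not protected by 'Require all denied'")
            if cgi:
                findings.append("CGI module loaded: code execution exposure")
    return findings

# Constructed sample configurations (not taken from any real server).
WEAK = """
LoadModule cgid_module modules/mod_cgid.so
<Directory />
    Require all granted
</Directory>
ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"
"""
HARDENED = WEAK.replace("Require all granted", "Require all denied")

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit("Server version: Apache/2.4.50 (Unix)", conf))
```

A hardened configuration on an affected version still reports the version finding, since the update to 2.4.51 is the fix and the access rule only narrows the exposure.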

Impact

An attacker who successfully exploits CVE-2021-42013 by uploading specially crafted files to the Apache HTTP server could gain full administrative privileges on the server.

Impact Summary CVE-2021-42013

Category: Remote Code Execution
CVSS 3.1 Base Score: N/A
CVSS 3.1 Vector: N/A

Solution (Update)

To defend against possible attacks due to these vulnerabilities, Apache HTTP Server needs to be updated to the most stable version, 2.4.51.
