Overview
The Apache Software Foundation has announced a new update to patch 2 new vulnerabilities that exist in the Apache HTTP Server. One of the patched flaws is a zero-day path traversal vulnerability (CVE-2021-41773) that is known to be exploited in the wild.
Description
The first vulnerability with the CVE identifier CVE-2021-41773 is a path traversal flaw that exists in Apache HTTP Server 2.4.49. Due to the vulnerability, an attacker could conduct a path traversal attack that maps URLs to files outside the expected document root, unless the document root is protected by “require all denied”. The vulnerability could also allow attackers to leak the source of interpreted files like CGI scripts.
Note that this vulnerability was introduced in version 2.4.49, i.e., earlier versions are not affected from it. This vulnerability needs to be patched immediately as it is known to be exploited in the wild.
The second vulnerability with the CVE identifier CVE-2021-41524 is a less critical null pointer dereference issue that affects only Apache HTTP Server 2.4.49. Due to the vulnerability, an adversary could conduct Denial of Service (DoS) attacks on the web server via specially crafted requests. Apache Project notes that there is currently no known exploit for the vulnerability.
Proof of Concept (PoC) Exploit
A PoC exploit of the CVE-2021-41773 that runs the id command on a Linux server is as follows:
$ curl 'http://ip-address:port/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh' --data 'echo Content-Type: text/plain; echo; id'
uid=1(daemon) gid=1(daemon) groups=1(daemon)
Impact
An attacker who successfully exploits the CVE-2021-41773 by mapping URLs to files outside the expected document root, can read arbitrary files from the web server.
Impact Summary CVE-2021-41773
Category: Path Traversal
CVSS 3.1 Base Score: 7.5 High
CVSS 3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
An attacker who successfully exploits the CVE-2021-41524 by crafting special requests can cause DoS issues at the web server.
Impact Summary CVE-2021-41524
Category: Null Pointer Dereference
CVSS 3.1 Base Score: 7.5 High
CVSS 3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Solution (Update)
To defend against possible attacks due to these vulnerabilities, Apache HTTP Server version 2.4.50 was released. However, the fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.
If debugging is the process of removing software bugs, then programming must be the process of putting them in.
Edsger Dijkstra
Read more educational and inspirational cyber quotes at our page 100+ Best Cyber Security & Hacker Quotes.
References to Advisories, Solutions and Tools
- Apache Security (HTTP Server 2.4 Vulnerabilities)
- NVD (CVE-2021-41773)
- NVD (CVE-2021-41524)
To learn more about security vulnerabilities, you could also read our articles What is a Security Vulnerability? or What is Vulnerability Scanning?
){kind=link}