Zero-day vulnerability of 'Apache HTTP Server' is exposed, upgrade to the latest version is required to prevent attacks
'Apache HTTP Server ', which is widely used as open source Web server software. The vulnerability ' CVE-2021-41773 ' reported this time enables a path traversal attack to access files that are not originally seen, and the Apache Software Foundation is calling for an upgrade to the latest version. increase.
It has been disclosed that a new zero-day vulnerability exists in
Apache HTTP Server 2.4 vulnerabilities --The Apache HTTP Server Project
Apache fixes actively exploited zero-day vulnerability, patch now
Apache Servers Actively Exploited in the Wild, and the Importance of Prompt Patching
Apache fixes actively exploited web server zero-day --The Record by Recorded Future
On October 4, 2021, Apache reported a vulnerability 'CVE-2021-41773' that exists in Apache HTTP Server version '2.4.49'. The vulnerability is a flaw in a change made to path normalization logic that allows an attacker to use a path traversal attack to map a URL to a file outside the expected document root, Apache said. Says.
A path traversal attack is an attack method that uses a vulnerability to access a file that exists in a directory that is originally inaccessible. A malicious hacker can access a directory that is not intended by the web server operator by making a request that includes a path character such as '../' in the file name.
Apache HTTP Server version '2.4.49' has been modified to prevent path traversal attacks, but if the path characters in the URL are percent-encoded and rewritten to '% 2E' or '% 2e' There was a defect that could bypass the protection. By exploiting this flaw, hackers were able to make malicious requests to attack targets running version '2.4.49' and snoop on sensitive files.
Apache said, 'If files outside the document root are not protected by'require all denied', these requests may succeed. In addition, this flaw interpreted CGI scripts and the like. The source of the file may be leaked. '' This problem is known to be actually abused. 'It seems that cases of abuse have already been confirmed.
Security media Bleeping Computer asked Apache about this issue: 'Apache HTTP Server 2.4.49 was just released a few weeks ago, so many users may not have upgraded yet. Exploiting this issue. Whether it can be done and how it can be abused depends greatly on how the user configures the server. '
It seems that 'CVE-2021-41773' was reported on September 29, 2021, and Apache has already released a version '2.4.50' that fixes the vulnerability. Apache recommends that users of version '2.4.49' upgrade their version instead of changing their access control configuration to protect against vulnerabilities.
Download --The Apache HTTP Server Project
A few hours after version '2.4.50' was released, several security researchers were proof-of-concept of attacks using 'CVE-2021-41773' and called on relevant users to update immediately. I am.
This is fun CVE-2021-41773— Lofi (@ lofi42) October 5, 2021
https://HOST/xx/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/etc/passwd @ptswarm do you have a Test Server around for me ? ???? https://t.co/NJJ8BNXTUK pic.twitter.com/WtHoICKcPN
???? We have reproduced the fresh CVE-2021-41773 Path Traversal vulnerability in Apache 2.4.49.— PT SWARM (@ptswarm) October 5, 2021
If files outside of the document root are not protected by 'require all denied' these requests can succeed.
Patch ASAP! Https://t.co/6JrbayDbqG pic.twitter.com/AnsaJszPTE