Apache Web Server Path Traversal and File Disclosure Vulnerability (CVE-2021–41773)
What is the CVE-2021–41773 vulnerability?
Apache Software released the fix for a zero-day vulnerability in the Apache HTTP server affecting version 2.4.49 on 4thOctober 2021. The vulnerability was discovered by cPanel Security and is being actively exploited in the wild.
This flaw could allow path traversal and subsequent file disclosure. Path traversal issues allow unauthorized users to access files outside the expected document root on the web server. The issue could also expose the source of interpreted files like CGI scripts, the advisory added, which may contain sensitive information that attackers could use for further attacks.
This zero-day vulnerability is now known to be leading to remote code execution provided the mod-cgi is enabled on the server, as noted by Security Researcher Hacker Fantastic on Twitter.
What are the risks?
The Apache HTTP server is a popular open-source HTTP server for operating systems, including Windows and *nix, by Apache Software Foundation.
A Shodan search shows about 1,12,711 Apache HTTP servers that are running the vulnerable version. The vulnerability is applicable where the files outside of the document root are not protected by “require all denied”.
Multiple working exploits are already available in public, and no user authorization is required to exploit the vulnerability making the exploitation easy for a remote attacker.
Mitigation
The fix has been included in version 2.4.50 and released on 4th October 2021. We strongly advise customers to update their installations as soon as possible.
Restrict access to files outside the document root using “require all denied”.
Indusface Web Application Scanner (WAS) performs a scan on the server and identifies this vulnerability through a non-intrusive remote network test.
Indusface AppTrana/Total Application Security (TAS) platform protects against a web application and web server vulnerability exploitation, including this vulnerability.
Originally published at https://www.indusface.com on October 18, 2021.
