A vulnerability (CVE-2021-41773) was found in Apache HTTP Server 2.4.49 (affects no other versions) in which an attacker can use a path traversal attack to map URLs to files outside the expected document root. This flaw, which is being actively exploited in the wild and could potentially affect more than 100,000 public-exposed deployments, can also leak the source of interpreted files.
On Oct. 4, 2021, the httpd project released a patched version (2.4.50) to address the issue (which it rates as “important”).
This 15-minute Security Flash video with Casey Ellis (Founder, Chairman, and CTO of Bugcrowd) and Adam Foster (Application Security Engineer at Bugcrowd) dives deep on the subject, answering questions such as:
- What happened?
- How serious is the flaw and how is it exploited?
- What should you do to stay secure?
- How can Bugcrowd help?
- What additional resources are available?
Background
Summary
A path traversal vulnerability allows an attacker to view some local files within the web root and, on a non-default Apache configuration, to access any file on the file system. Only version 2.4.49 is affected.
Full Description from Apache
- A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root.
- If files outside of the document root are not protected by “require all denied” these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts.
- This issue is known to be exploited in the wild.
- This issue only affects Apache 2.4.49 and not earlier versions.
Timeline
- Patched version released : 2021-10-04
- CVE Published Date : 2021-10-05
- Proof of concept released on Twitter : 2021-10-05
- Escalated to Remote Code Execution : 2021-10-06
Discussion Topics
- This is not a world-melting vulnerability: it affects a single version between releases. It still has a high impact, because that version was an official release.
- Reported by Ash Daulton along with the cPanel Security Team to the Apache team
- Known to be actively exploited before the CVE was released
- Common open source scanners such as Nessus had templates available the same day the proof of concept was released publicly (meaning lots of eyes and lots of people scanning the internet).
- Escalation from Local File Inclusion to Remote Code Execution was complete after one day (Snyff posted it on Twitter: https://twitter.com/snyff/status/1445565903161102344).
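Because the flaw sits in path normalization, the defender's lesson is that any check on a request path has to run on the fully percent-decoded path, not the raw one. The detector below is an added example (not Bugcrowd's or Apache's code) that parses Apache combined-format access log lines, decodes the request target until it is stable, and flags requests whose dot-dot segments climb above the document root; the log lines and IP addresses are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def decoded_path(target: str) -> str:
    """Drop the query string and percent-decode until the path stops changing,
    so doubly encoded dots are resolved too. The loop is bounded on purpose."""
    path = target.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def escapes_root(target: str) -> bool:
    """True when the decoded path, walked segment by segment, ever rises above
    the document root. posixpath.normpath silently drops leading '..' on
    absolute paths, so the depth is tracked by hand instead."""
    depth = 0
    for seg in decoded_path(target).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False

def scan(log_lines):
    """Return (ip, target, status) for every request that escapes the root;
    a 200 status means the traversal was served, not just attempted."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and escapes_root(m["target"]):
            hits.append((m["ip"], m["target"], int(m["status"])))
    return hits

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '203.0.113.7 - - [05/Oct/2021:10:12:01 +0000] "GET /index.html HTTP/1.1" 200 1032 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Oct/2021:10:12:03 +0000] "GET /icons/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1890 "-" "curl/7.68.0"',
    '203.0.113.9 - - [05/Oct/2021:10:12:09 +0000] "GET /cgi-bin/%252e%252e/%252e%252e/etc/hosts HTTP/1.1" 403 199 "-" "curl/7.68.0"',
    '198.51.100.4 - - [05/Oct/2021:10:13:00 +0000] "GET /docs/../docs/index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, target, status in scan(SAMPLE_LOG):
        print(f"{ip} {status} {target}")
```

The last sample line shows why depth tracking matters: `/docs/../docs/index.html` contains `..` but never leaves the root, so it is correctly left alone.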
Remediations
- Public patches already exist; versions before and after 2.4.49 are not exploitable.
- The `require all denied` directive in the Apache configuration will not prevent the flaw from being triggered, but it does block these requests from reaching anything outside your web root.
- We highly recommend upgrading your Apache version instead.
References:
- Official Apache Vulnerability Page: https://httpd.apache.org/security/vulnerabilities_24.html
- NIST CVE Page: https://nvd.nist.gov/vuln/detail/CVE-2021-41773
- Proof of Concept: https://twitter.com/lofi42/status/1445382059640434695
- Proof of Concept: https://twitter.com/ptswarm/status/1445376079548624899
- Remote Code Execution: https://twitter.com/snyff/status/1445565903161102344