Apache fixes web server path traversal fault under active attack
UPDATE: A few days after releasing a fix for a vulnerability in Apache HTTP Server 2.4.49 that is under active attack, the Apache Software Foundation released another version of the server because the patch was incomplete and still allowed remote code execution in some cases.
“The fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was found to be insufficient. An attacker could use a path traversal attack to map URLs to files outside of directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default ‘require all denied’ configuration, these requests may succeed. If CGI scripts are also enabled for these alias paths, it could allow remote code execution,” ASF said in an advisory Thursday.
The latest version is 2.4.51, which contains the updated patch for the original vulnerability. The newer bug, which results from the incomplete fix, is CVE-2021-42013. The original vulnerability was exploited in the wild before the patch was released, but there is no information yet on attacks against the new bug.
The flaw (CVE-2021-41773) is a path traversal and file disclosure bug that allows an attacker to map specific URLs to files located outside the expected document root. Researchers have also found that it can lead to remote code execution under certain circumstances. If the mod_cgi module is enabled on a vulnerable version of the HTTP server, an attacker can execute arbitrary code.
“An attacker can call any binary on the system and supply environment variables (this is how CGI works!) – if he can download a file and set +x permissions, he can trivially execute commands as an Apache user,” security researcher Matthew Hickey said on Twitter Tuesday.
“There’s no need to download a file on Linux/UNIX-like environments and play around with file permissions (although that would work too) – you can exploit this with a simple POST request and run full commands + arguments by passing commands as env vars to /bin/sh.”
GreyNoise, which monitors scanning traffic on the internet, said large-scale scanning for this vulnerability started late Tuesday.
The vulnerability affects only one version of the web server, and the foundation released version 2.4.50 on Monday to address it. The bug was reported to the Apache security team at the end of last week, and the fix was released a few days later. But attackers were already exploiting the bug before the patch was released, so it is vital to update any server running Apache 2.4.49.
“A flaw was found in a change to the normalization of paths in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside of the expected document root. If files outside of the document root are not protected by ‘require all denied’, these requests may be successful. In addition, this flaw could disclose the source of files interpreted as CGI scripts. This problem is known to be exploited in the wild,” says the Apache advisory.
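
A defender-side check of the three conditions the advisories name (an affected release, no default `Require all denied` on the filesystem root, and a CGI module loaded), as an added example that is not from the article or from Apache. The `audit` function and both sample configurations are constructed for illustration; it assumes the configuration is available as a single text with includes already merged.

```python
import re

# Affected releases and their CVEs, as given in the article.
AFFECTED = {"2.4.49": "CVE-2021-41773", "2.4.50": "CVE-2021-42013"}

ROOT_OPEN = re.compile(r'<Directory\s+"?/"?\s*>', re.I)   # <Directory /> only
DIR_CLOSE = re.compile(r'</Directory\s*>', re.I)
DENY_ALL = re.compile(r'Require\s+all\s+denied\b', re.I)
CGI_MODULE = re.compile(r'LoadModule\s+(cgid?_module)\b', re.I)

def audit(version, conf_text):
    """Return findings for one server from its version and merged config text."""
    findings = []
    if version in AFFECTED:
        findings.append(f"UPGRADE: {version} is affected by {AFFECTED[version]}")
    in_root = root_denied = False
    cgi = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # skip blanks and comments
            continue
        if ROOT_OPEN.match(line):
            in_root = True
        elif in_root and DIR_CLOSE.match(line):
            in_root = False
        elif in_root and DENY_ALL.match(line):
            root_denied = True
        m = CGI_MODULE.match(line)
        if m:
            cgi = m.group(1)
    if not root_denied:
        findings.append("NO-DEFAULT-DENY: <Directory /> lacks 'Require all denied'")
    if cgi:
        findings.append(f"CGI: {cgi} is loaded; traversal could reach code execution")
    return findings

# Constructed sample configurations (not taken from any real host).
WEAK_CONF = """
LoadModule cgid_module modules/mod_cgid.so
<Directory "/var/www/html">
    Require all granted
</Directory>
"""
HARDENED_CONF = """
# LoadModule cgid_module modules/mod_cgid.so
<Directory />
    AllowOverride none
    Require all denied
</Directory>
"""

if __name__ == "__main__":
    for f in audit("2.4.49", WEAK_CONF):
        print(f)
```

An empty result for a patched release does not rule out a later, more specific `Directory` block re-granting access; this check covers only the root default.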