Ingalls Information Security


Apache HTTP Server Vulnerabilities (CVE-2021-41773 & CVE-2021-42013)

Both vulnerabilities are being actively exploited in the wild. As of October 21, 2021, nearly 48,000 web-exposed servers were still running a vulnerable version.


Affected Software / System

Apache HTTP Server 2.4.49 (CVE-2021-41773) and Apache HTTP Server 2.4.49 and 2.4.50 (CVE-2021-42013). Releases before 2.4.49 are not affected; the flaw was introduced with the path normalization changes in 2.4.49.


CVE (if applicable)

  • CVE-2021-41773 & CVE-2021-42013


Type

Path traversal in the server's path normalization. For both CVEs, the traversal becomes remote code execution when CGI scripts are enabled for the reachable path (mod_cgi or mod_cgid).


Exploit Status

Actively exploited in the wild, with public proof-of-concept exploits available. As of October 21, 2021, nearly 48,000 web-exposed servers were still running a vulnerable version.


Rating

CVE-2021-41773: “High” severity with a CVSS 3.0 rating of 7.5.
CVE-2021-42013: “Critical” severity with a CVSS 3.0 rating of 9.8.


Vulnerability Summary

CVE-2021-41773 is a flaw in the path normalization code introduced in Apache HTTP Server 2.4.49: a URL-encoded dot ('%2e') is not decoded before the server checks for '..' segments, so it passes the check and becomes a real dot afterwards, letting a crafted request map a URL to a file outside the configured document root. Per Apache's advisory, such requests only succeed where the files outside the document root are not protected by 'Require all denied' (the '<Directory />' block in the shipped configuration denies them), so exposure depends on the server's configuration. Where the traversal reaches CGI scripts it can leak their source, and where CGI execution is enabled researchers demonstrated remote code execution.

CVE-2021-42013 exists because the fix shipped in 2.4.50 was incomplete: it rejected the single-encoded dot ('%2e') used against 2.4.49, but a double-encoded dot ('%%32%65', which decodes to '%2e' on one pass and to '.' on the next) still passed the check. The result is the same path traversal, with remote code execution possible where CGI scripts are enabled for the aliased path. It affects 2.4.49 and 2.4.50.


Impact

Path traversal attacks send requests whose path is crafted to escape the directory the server intends to serve, reaching backend or sensitive files that should be out of reach. Apache's normalization is supposed to collapse or reject '..' segments, but in 2.4.49 and 2.4.50 that check ran against the still-encoded path, so '.%2e/' (and, against 2.4.50, '.%%32%65/') passed the check and became '../' once the path was decoded. Both vulnerabilities are fixed in Apache HTTP Server 2.4.51.
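The ordering problem described above, as an added example (not Apache's code): a deliberately simplified model in which the '..' check runs before percent-decoding, compared with the corrected decode-then-check order, plus a detector for the encoded traversal spellings in Apache access-log lines. The document root, the two-stage decoding, and the log lines are assumptions constructed for the example; the model is not httpd's real ap_normalize_path.

```python
import posixpath
import re
from urllib.parse import unquote

DOCROOT = "/var/www/html"   # assumed document root for the model


def resolve(decoded_path):
    """Map a fully decoded request path onto the filesystem, collapsing
    '.' and '..' segments the way the OS eventually will."""
    return posixpath.normpath(DOCROOT + "/" + decoded_path.lstrip("/"))


def flawed_map(request_path, reject_encoded_dot=False):
    """Simplified model of the vulnerable ordering in 2.4.49: the '..' check
    looks at the request path *before* it is percent-decoded, and decoding
    (modelled here as two stages, a simplification) happens afterwards, so an
    encoded dot passes the check and only then turns into a real dot.
    reject_encoded_dot=True models the incomplete 2.4.50 fix, which also
    rejects a literal '%2e' but not the double-encoded '%%32%65'
    ('%%32%65' -> '%2e' -> '.').
    Returns None when the request is rejected, else the file it would reach."""
    if ".." in request_path.split("/"):
        return None
    if reject_encoded_dot and re.search(r"%2e", request_path, re.IGNORECASE):
        return None
    return resolve(unquote(unquote(request_path)))


def safe_map(request_path):
    """Corrected ordering: decode until the text is stable, normalize, and
    refuse anything that resolved outside DOCROOT."""
    decoded = request_path
    for _ in range(5):                 # bounded: '%2525' -> '%25' -> '%'
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    else:
        return None                    # still changing after 5 rounds: reject
    target = resolve(decoded)
    if target != DOCROOT and not target.startswith(DOCROOT + "/"):
        return None
    return target


# --- log detection -------------------------------------------------------
# Combined-log-format line; the request target is logged as sent, so the
# encoded spellings survive in the access log.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Two consecutive dots in any spelling, followed by '/'.
DOTDOT_SEGMENT = re.compile(r"(?:\.|%2e|%%32%65){2}/", re.IGNORECASE)


def find_traversal_requests(log_text):
    """Return (ip, method, target, status) for every request whose target
    contains a '..' segment with at least one percent-encoded dot. A plain
    '../' is ignored: clients normalize it away and it was never the bypass."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        target = m.group("target")
        if any("%" in seg.group(0) for seg in DOTDOT_SEGMENT.finditer(target)):
            hits.append((m.group("ip"), m.group("method"), target, int(m.group("status"))))
    return hits


# Constructed access-log lines for the example (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [21/Oct/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.10 - - [21/Oct/2021:10:00:02 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 2150 "-" "curl/7.79.1"
203.0.113.11 - - [21/Oct/2021:10:00:03 +0000] "POST /cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh HTTP/1.1" 200 54 "-" "python-requests/2.26.0"
203.0.113.12 - - [21/Oct/2021:10:00:04 +0000] "GET /images/../logo.png HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    probe = "/cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd"
    double = "/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd"
    print("2.4.49 model:", flawed_map(probe))
    print("2.4.50 model:", flawed_map(probe, reject_encoded_dot=True),
          "/", flawed_map(double, reject_encoded_dot=True))
    print("fixed model :", safe_map(double))
    for hit in find_traversal_requests(SAMPLE_LOG):
        print("suspicious request:", hit)
```

The point of safe_map is not the containment check alone but the order: decode to a fixed point first, then normalize, then compare against the document root, so there is no later decoding step that can reintroduce a dot. A 200 status on a flagged request is the line to escalate, since a 403 means the 'Require all denied' protection held.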


Mitigation

Apache has provided an update to address these issues (version 2.4.51).


Ingalls recommends the following actions:

Organizations running Apache HTTP Server 2.4.49 or 2.4.50 should upgrade to version 2.4.51 as soon as possible.

Until the upgrade is complete, confirm that the '<Directory />' container still carries 'Require all denied' and that mod_cgi or mod_cgid is loaded only where CGI is actually needed; per Apache's advisory, those two settings decide whether the traversal can read files or execute code on an unpatched server.

Review access logs for requests whose path contains '.%2e/' or '.%%32%65/'. Any such request that received a 200 response should be treated as a potential compromise and investigated rather than simply patched over.
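A check for the two configuration settings that Apache's advisory says decide the impact on an unpatched host, as an added example (not Apache's tooling): it audits an httpd.conf for a '<Directory />' container that fails to deny access and for a loaded CGI module. Both configuration snippets are constructed for the example, with the weak setting beside the corrected one.

```python
import re

# Constructed snippets for the example (not a real server's configuration).
WEAK_CONF = """\
ServerRoot "/usr/local/apache2"
LoadModule cgi_module modules/mod_cgi.so
<Directory />
    AllowOverride none
    Require all granted
</Directory>
DocumentRoot "/usr/local/apache2/htdocs"
ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"
"""

HARDENED_CONF = """\
ServerRoot "/usr/local/apache2"
#LoadModule cgi_module modules/mod_cgi.so
<Directory />
    AllowOverride none
    Require all denied
</Directory>
DocumentRoot "/usr/local/apache2/htdocs"
"""

# Matches the <Directory /> container (quoted or not) and captures its body.
ROOT_DIR_BLOCK = re.compile(r'^\s*<Directory\s+"?/"?\s*>(.*?)^\s*</Directory>',
                            re.S | re.M | re.I)
REQUIRE_DENIED = re.compile(r"^\s*Require\s+all\s+denied\b", re.M | re.I)
REQUIRE_GRANTED = re.compile(r"^\s*Require\s+all\s+granted\b", re.M | re.I)
# Only uncommented LoadModule lines match, because '^\s*' excludes a leading '#'.
CGI_MODULE = re.compile(r"^\s*LoadModule\s+cgid?_module\b", re.M | re.I)


def audit_httpd_conf(conf_text):
    """Return human-readable findings for settings that turn the traversal
    into file disclosure or code execution on an unpatched 2.4.49/2.4.50."""
    findings = []
    block = ROOT_DIR_BLOCK.search(conf_text)
    if block is None:
        findings.append("no <Directory /> container: nothing explicitly denies paths outside DocumentRoot")
    elif REQUIRE_GRANTED.search(block.group(1)):
        findings.append("<Directory /> uses 'Require all granted': the whole filesystem is servable")
    elif not REQUIRE_DENIED.search(block.group(1)):
        findings.append("<Directory /> lacks 'Require all denied'")
    if CGI_MODULE.search(conf_text):
        findings.append("mod_cgi/mod_cgid is loaded: a traversal that reaches an executable becomes code execution")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_httpd_conf(conf) or ['no findings']}")
```

Run it against the output of 'httpd -t -D DUMP_INCLUDES' expanded configs rather than a single file if the server splits its configuration across Include directives; the audit only sees the text it is given. A clean result is not a substitute for the upgrade, it only says the traversal would have less to reach.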
