Cybersecurity Blog | Ingalls Information Security

Apache HTTP Server Vulnerabilities (CVE-2021-41773 & CVE-2021-42013)

Written by Cyrus Robinson | Oct 22, 2021 4:00:00 AM


Affected Software / System

Apache HTTP Server version 2.4.49 and 2.4.50.


CVE (if applicable)

  • CVE-2021-41773 & CVE-2021-42013


Type

Path traversal vulnerability; remote code execution is possible for both CVEs.


Exploit Status

These vulnerabilities are currently being exploited in the wild. As of October 21st, there are nearly 48,000 web-exposed servers with these vulnerabilities.


Rating

CVE-2021-41773: “High” severity with a CVSS 3.0 rating of 7.5.
CVE-2021-42013: “Critical” severity with a CVSS 3.0 rating of 9.8.


Vulnerability Summary

CVE-2021-41773 is a vulnerability that enables actors to map URLs to files outside the expected document root by launching a path traversal attack. Attacks that exploit this vulnerability could potentially access files containing sensitive information. Additionally, there are reports of researchers who were able to leverage this vulnerability to execute remote code on the server.

CVE-2021-42013 exists because the fix shipped in Apache HTTP Server 2.4.50 did not fully address the vulnerability found in version 2.4.49. It is likewise a path traversal vulnerability for which remote code execution is possible, and it affects both 2.4.49 and 2.4.50.


Impact

Path traversal attacks involve sending requests that reach backend or sensitive server directories that should be out of reach. Normally the server blocks such requests, but in the affected versions that filtering is bypassed by using encoded characters. The vulnerabilities have been fixed in the most recent version of Apache (2.4.51).


Mitigation

Apache has provided an update to address these issues (version 2.4.51).


Ingalls recommends the following actions:

Organizations that currently use Apache HTTP Server Version 2.4.49 or 2.4.50 should upgrade to version 2.4.51 as soon as possible.