Apache Fixes Web Server Path Traversal Flaw Under Active Attack

UPDATE--A few days after releasing a fix for a vulnerability in Apache HTTP Server 2.4.49 that is under active attack, the Apache Software Foundation released another version of the server because the fix for the flaw was incomplete and still allowed remote code execution in some cases.

"It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration 'require all denied', these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution," the ASF said in an advisory Thursday.

The latest version is 2.4.51 and contains the updated fix for the original vulnerability. The newer bug associated with the incomplete patch is CVE-2021-42013. The original vulnerability was exploited in the wild before the fix was released, but there is not yet any information about attacks on the newer bug.

The flaw (CVE-2021-41773) is a path traversal and file disclosure bug that allows an attacker to map specific URLs to files located outside of the expected document root. Researchers have also found that it can lead to remote code execution in some circumstances: if the mod_cgi module is enabled on a vulnerable version of the HTTP Server, an attacker can run arbitrary code.

“An attacker can call any binary on the system and supply environment variables (that's how CGI works!) - if they can upload a file and set +x permissions, they can trivially run commands as Apache user,” security researcher Matthew Hickey said on Twitter Tuesday.

“There is no need to upload a file on Linux/UNIX type environments and mess with file permissions (although that would work too) - you can exploit this with a simple POST request and run full commands + arguments by passing commands as env vars to /bin/sh.”

GreyNoise, which monitors scanning traffic on the Internet, said large-scale scanning for this vulnerability began late on Tuesday.

The vulnerability affects only that one version of the web server, and the foundation released version 2.4.50 on Monday to address it. The bug was reported to the Apache security team late last week, and the fix was released just a few days later. But attackers were already exploiting the bug before the fixed version was out, so updating any server running Apache 2.4.49 is vital.

“A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by ‘require all denied’ these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild,” the Apache advisory says.
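Both advisories hinge on the same condition: the traversal only reaches a file if no "require all denied" protects it, and only becomes code execution if CGI is enabled for the aliased path. The following httpd.conf excerpt is an added illustration, not taken from the article or from the Apache project, of what that defensive configuration looks like; the directory paths are placeholders.

```apache
# Added example (hypothetical paths). The weak shape the advisory warns
# about is a permissive filesystem root such as:
#   <Directory />
#       Require all granted
#   </Directory>
# With that in place, a URL that escapes an aliased directory maps to a
# file the server is willing to serve. Default-deny instead:
<Directory />
    AllowOverride None
    Require all denied
</Directory>

# Open only the document root itself, never its parents, and keep CGI
# execution off there.
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
    Options -Indexes -ExecCGI
    Require all granted
</Directory>

# Alias-like directive: grant access to exactly this one tree. A request
# that traverses out of /srv/www/static lands under the denied "/" block.
Alias "/static" "/srv/www/static"
<Directory "/srv/www/static">
    Options -Indexes -ExecCGI
    Require all granted
</Directory>

# CGI confined to a single deliberately configured directory via
# ScriptAlias; if no script is needed, leave mod_cgi unloaded entirely.
ScriptAlias "/cgi-bin/" "/usr/lib/cgi-bin/"
<Directory "/usr/lib/cgi-bin">
    Options -Indexes +ExecCGI
    Require all granted
</Directory>
```

This limits what a successful traversal can reach; it is defense in depth, not a substitute for upgrading an affected 2.4.49 or 2.4.50 server to 2.4.51.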