
Scanning Activity for Apache Flaw Began Before Public Disclosure

Two days before the Apache Software Foundation announced a fix for a path traversal vulnerability that was under active attack, researchers were already seeing malicious actors scanning for vulnerable servers.

The scanning activity began five days after the patch for CVE-2021-41773 was committed to the Apache HTTP Server source, but before the public announcement of the vulnerability on the Apache mailing list. Within a day of the release of the updated version of the web server, a working proof-of-concept exploit was available, and soon after, researchers discovered that the vulnerability could also lead to remote code execution in some circumstances.

“On October 3rd, 2021 at 08:44 UTC, GreyNoise observed the first scan for this vulnerability from 36.68.53.196. This predates the mailing list announcement from Apache on October 5th as well as the release of 2.4.50 on October 4th, but after the patch was committed on September 29th,” researchers at GreyNoise said in a post Thursday.

The IP address scanning for the Apache flaw is a known malicious one in Indonesia that has been seen scanning for a variety of vulnerabilities, including other Apache flaws, Citrix bugs, and Cisco vulnerabilities.


Things ramped up even further on Thursday when Apache released another update because the original fix for the path traversal vulnerability was insufficient. That new update, version 2.4.51, addresses the remote code execution issue.

"It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration ‘require all denied’, these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution," the ASF said in an advisory Thursday.
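The "require all denied" the advisory refers to is the default-deny on the filesystem root in a stock httpd.conf; the traversal only reaches files outside the aliased directories when that default has been loosened. The fragment below is an added example, not part of the article or the ASF advisory, showing the weak root setting beside the hardened one with explicit grants for the served directories (all paths are assumptions):

```apache
# Added example (not from the article or the ASF advisory). The
# DocumentRoot, Alias and ScriptAlias paths are placeholders.
#
# Weak: granting access on the filesystem root means any file httpd
# can read is servable once a URL is mapped outside an aliased path.
# <Directory />
#     AllowOverride None
#     Require all granted
# </Directory>

# Hardened: deny everything by default (the stock httpd.conf setting)...
<Directory />
    AllowOverride None
    Require all denied
</Directory>

# ...then grant access only where content is meant to be served.
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
    Require all granted
</Directory>

# Each Alias-like directive gets its own explicit grant; a request that
# escapes one of these directories still hits the root-level deny.
Alias /static/ "/srv/app/static/"
<Directory "/srv/app/static">
    Require all granted
</Directory>

ScriptAlias /cgi-bin/ "/usr/lib/cgi-bin/"
<Directory "/usr/lib/cgi-bin">
    Options ExecCGI
    Require all granted
</Directory>
```

This limits what a successful traversal can reach; it does not replace upgrading to 2.4.51, which fixes the path mapping itself.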

Since the announcement of the original update on Oct. 5, mass scanning activity has been ongoing at Internet scale, and it has continued since the release of the second update, as attackers look to take advantage of organizations that haven't had time to deploy the fixed versions yet.

“These vulnerabilities have been exploited in the wild. CISA is also seeing ongoing scanning of vulnerable systems, which is expected to accelerate, likely leading to exploitation,” the Cybersecurity and Infrastructure Security Agency said in an advisory Thursday.