Apache Software has quickly issued a fix for a zero-day security bug in the Apache HTTP Server, which was first reported to the project last week. The vulnerability is under active exploitation in the wild, it said, and could allow attackers to access sensitive information.
According to a security advisory issued on Monday, the issue (CVE-2021-41773) could allow path traversal and subsequent file disclosure. Path traversal issues allow unauthorized people to access files on a web server, by tricking either the web server or the web application running on it into returning files that exist outside of the web root folder.
In this case, the issue affects only version 2.4.49 of Apache’s open-source web server, which offers cross-platform operability with all modern operating systems, including UNIX and Windows.
“A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49,” according to the advisory. “An attacker could use a path-traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by ‘require all denied,’ these requests can succeed.”
The bug could also expose the source of interpreted files like CGI scripts, the advisory added, which which may contain sensitive information that attackers can exploit for further attacks.
Researchers such as the offensive team at Positive Technologies quickly created proof-of-concept exploits verifying the attack path, so expect more attack avenues to be availably publicly soon:
🔥 We have reproduced the fresh CVE-2021-41773 Path Traversal vulnerability in Apache 2.4.49.
If files outside of the document root are not protected by “require all denied” these requests can succeed.
— PT SWARM (@ptswarm) October 5, 2021
Tenable noted that a Shodan search on Tuesday turned up about 112,000 Apache HTTP Servers that are confirmed to be running the vulnerable version, including 43,000 or so in the U.S.
“However, other vulnerable web servers might be configured to not display version information,” according to the firm’s blog.
Users can protect themselves by upgrading to version 2.4.50. It should be noted that “require all denied” (which denies access to all requests) is the default for protecting documents outside of the web root, researchers have reported – which mitigates the issue.
Apache credited Ash Daulton and the cPanel Security Team for reporting the bug.
Check out our free upcoming live and on-demand webinar events – unique, dynamic discussions with cybersecurity experts and the Threatpost community.