
Exploiting CVE-2021-41773: Critical Path Traversal Vulnerability in Apache HTTP Server 2.4.49


Executive Summary

CVE-2021-41773 is a high-severity vulnerability affecting Apache HTTP Server 2.4.49. This flaw allows attackers to exploit a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution. This issue is known to be exploited in the wild and only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, leading to CVE-2021-42013.

Technical Information

CVE-2021-41773 is a critical vulnerability identified in Apache HTTP Server 2.4.49. The vulnerability arises from a flaw in the path normalization process, which allows an attacker to perform a path traversal attack. This attack can map URLs to files outside the directories configured by Alias-like directives. If these files are not protected by the default configuration "require all denied", the attacker can access them. Furthermore, if CGI scripts are enabled for these aliased paths, it could lead to remote code execution.

The vulnerability is identified by the following details:
- CVE ID: CVE-2021-41773
- Published Date: October 5, 2021
- Last Modified: July 26, 2024
- CVSS v3.1 Base Score: 7.5 (High)
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- CWE: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'))

The vulnerability was introduced in a change made to the path normalization process in Apache HTTP Server 2.4.49. An attacker can exploit this flaw by sending specially crafted HTTP requests to the vulnerable server. These requests can map to files outside the intended directories, potentially leading to unauthorized access to sensitive files and remote code execution if CGI scripts are enabled.

Exploitation in the Wild

CVE-2021-41773 has been actively exploited in the wild. Attackers have been observed using this vulnerability to gain unauthorized access to sensitive files and execute arbitrary code on vulnerable systems. The exploitation typically involves sending specially crafted HTTP requests to the vulnerable server, which then maps the request to files outside the intended directories. Indicators of Compromise (IOCs) include unusual HTTP requests containing path traversal sequences (e.g., "../"), unauthorized access to files outside the intended directories, and execution of unexpected or unauthorized CGI scripts.
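A detection example added here (not from the original report and not part of Rescana's platform): it parses constructed Apache access-log lines, percent-decodes the request path repeatedly (one round undoes the encoded dots used against 2.4.49, two rounds undo the double-encoded form that bypassed the 2.4.50 fix as CVE-2021-42013), and flags requests whose normalized path climbs above the document root or whose dot-dot segments only appear after decoding. The log lines, client addresses and paths are constructed samples.

```python
import re
from urllib.parse import unquote
# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [05/Oct/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.11 - - [05/Oct/2021:12:00:02 +0000] "GET /icons/../icons/a.gif HTTP/1.1" 200 512 "-" "curl/7.79.1"
203.0.113.12 - - [05/Oct/2021:12:00:03 +0000] "GET /cgi-bin/.%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1930 "-" "curl/7.79.1"
203.0.113.13 - - [05/Oct/2021:12:00:04 +0000] "GET /icons/%%32%65%%32%65/%%32%65%%32%65/etc/hosts HTTP/1.1" 403 199 "-" "python-requests/2.26.0"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def fully_decode(path, max_rounds=3):
    """Percent-decode until the string stops changing; return (decoded, rounds).
    Round 1 undoes '%2e' (2.4.49); round 2 undoes '%%32%65' (2.4.50, CVE-2021-42013)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(path)
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path, rounds

def escapes_root(decoded_path):
    """Resolve '.' and '..' segments; True if the path ever climbs above '/'."""
    depth = 0
    for seg in decoded_path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False

def analyze_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None          # not a combined-format request line
    target = m.group("target").split("?", 1)[0]   # path only, drop the query string
    decoded, rounds = fully_decode(target)
    return {"ip": m.group("ip"), "method": m.group("method"), "status": m.group("status"),
            "target": target, "decoded": decoded, "decode_rounds": rounds,
            "encoded_dotdot": rounds > 0 and ".." in decoded.split("/"),
            "escapes_root": escapes_root(decoded)}

def scan(log_text):
    # A plain '../' that stays inside the docroot (line 2) is routine; dot-dot segments that
    # only appear after decoding, or any path that climbs above '/', are worth an alert.
    return [f for f in map(analyze_line, log_text.splitlines()) if f and (f["escapes_root"] or f["encoded_dotdot"])]
```

Run it over a real access log by passing the file contents to scan(); a 200 status on a flagged request means the server actually served the file and needs the "require all denied" check below.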

APT Groups using this vulnerability

While specific Advanced Persistent Threat (APT) groups exploiting this vulnerability have not been publicly identified, the nature of the vulnerability makes it a likely target for various threat actors seeking to gain unauthorized access to sensitive information or execute arbitrary code on vulnerable systems. Given the high-severity nature of CVE-2021-41773, it is crucial for organizations to remain vigilant and apply necessary patches and configuration changes to mitigate the risk.

Affected Product Versions

The vulnerability affects the following product versions:
- Apache HTTP Server: Version 2.4.49

It is important to note that earlier versions of Apache HTTP Server are not affected by this vulnerability. However, the fix in Apache HTTP Server 2.4.50 was found to be incomplete, leading to CVE-2021-42013.

Workaround and Mitigation

To mitigate the risk posed by CVE-2021-41773, organizations should take the following steps:
1. Upgrade Apache HTTP Server: The most effective mitigation is to upgrade to Apache HTTP Server version 2.4.51 or later, where the vulnerability has been fully addressed.
2. Configuration Changes: Ensure that the default configuration "require all denied" is applied to all directories that should not be accessible.
3. Disable CGI Scripts: If not needed, disable CGI scripts to prevent potential remote code execution.

References

For further details and technical information, please refer to the following resources:
1. Juniper Networks Blog - Detailed analysis of the exploitation of CVE-2021-41773: https://blogs.juniper.net/en-us/threat-research/apache-http-server-cve-2021-42013-and-cve-2021-41773-exploited
2. Apache HTTP Server Security Vulnerabilities - Official Apache documentation on the vulnerability: https://httpd.apache.org/security/vulnerabilities_24.html
3. NVD - CVE-2021-41773 - National Vulnerability Database entry: https://nvd.nist.gov/vuln/detail/CVE-2021-41773
4. CISA Known Exploited Vulnerabilities Catalog - CISA's catalog of known exploited vulnerabilities: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
5. Packet Storm Security - Exploit details and proof of concept: http://packetstormsecurity.com/files/164418/Apache-HTTP-Server-2.4.49-Path-Traversal-Remote-Code-Execution.html
6. GitHub - Various POCs - Multiple repositories containing proof of concept code for CVE-2021-41773: https://github.com/search?q=CVE-2021-41773

Rescana is here for you

At Rescana, we understand the critical importance of safeguarding your digital assets against emerging threats. Our Continuous Threat and Exposure Management (CTEM) platform is designed to help you identify, assess, and mitigate vulnerabilities like CVE-2021-41773. By leveraging our advanced threat intelligence and proactive security measures, we empower you to stay ahead of potential threats and ensure the resilience of your cybersecurity posture.

For any questions or further assistance regarding this report or any other cybersecurity concerns, please do not hesitate to contact us at ops@rescana.com. We are here to support you in navigating the complex landscape of cybersecurity threats and ensuring the protection of your valuable assets.
