Apache fixes zero-day vulnerability exploited in the wild, patch now

guest · Oct 5, 2021

Apache fixes zero-day vulnerability exploited in the wild, patch now
October 5, 2021
https://www.bleepingcomputer.com/ne...ulnerability-exploited-in-the-wild-patch-now/

The Apache Software Foundation has released version 2.4.50 of the HTTP Web Server to address two vulnerabilities, one of which is an actively exploited path traversal and file disclosure flaw.

The Apache HTTP Server is an open-source, cross-platform web server that is extremely popular for being versatile, robust, and free.
Click to expand...

The actively exploited zero-day vulnerability is tracked as CVE-2021-41773 and it enables actors to map URLs to files outside the expected document root by launching a path traversal attack.

Additionally, exploits of this flaw may lead to the leaking of the source of interpreted files such as CGI scripts.
For the attack to work, the target has to run Apache HTTP Server 2.4.49, and also has to have the “require all denied” access control parameter disabled. Unfortunately, this appears to be the default configuration.
Click to expand...

A Shodan search revealed that there are over a hundred thousand Apache HTTP Server 2.4.49 deployments online, many of which could be vulnerable to exploitation, so updating your software as soon as possible should be considered exigent.

The vulnerability was discovered and reported to Apache by security researcher Ash Daulton and the cPanel Security Team on September 29, 2021. Being an actively exploited flaw, the fix for it came pretty quickly.
Click to expand...

The second vulnerability is CVE-2021-41524, a null pointer dereference detected during HTTP/2 request processing. This flaw allows an attacker to perform a denial of service (DoS) attack on the server.

This flaw too only exists in Apache Server version 2.4.49, but it’s not under active exploitation.
Click to expand...

guest · Oct 6, 2021

Actively exploited Apache 0-day also allows remote code execution
October 6, 2021
https://www.bleepingcomputer.com/ne...ache-0-day-also-allows-remote-code-execution/

Proof-of-Concept (PoC) exploits for the Apache web server zero-day surfaced on the internet revealing that the vulnerability is far more critical than originally disclosed.

These exploits show that the scope of the vulnerability transcends path traversal, allowing attackers remote code execution (RCE) abilities.
Click to expand...

The path traversal vulnerability in Apache's HTTP server, first reported by BleepingComputer, has actively been exploited in the wild before the Apache project was notified of the flaw in September, or had a chance to patch it.

But yesterday's disclosure of the Apache webserver path traversal flaw, tracked as CVE-2021-41773, was followed by PoC exploits swiftly surfacing on the internet.
Attackers can abuse Apache servers running version 2.4.49 not only to read arbitrary files but also to execute arbitrary code on the servers.
Click to expand...

CERT's vulnerability analyst Will Dormann and security researcher Tim Brown have also reported success with code execution on Windows machines.

While playing with the simple PoC on his Windows server, Dormann realized that accessing an EXE via the path traversal exploit in turn launched the binary on his server, as opposed to simply dumping the contents of the EXE.

"Was CVE-2021-41773 mis-scoped when it was published?" surmised Dormann, pointing to the note in Apache's original advisory that exploitation of the flaw would, at most, leak the source code of scripts—rather than running the scripts.
Click to expand...

guest · Oct 7, 2021

Apache Releases HTTP Server version 2.4.51 to Address Vulnerabilities Under Exploitation
October 7, 2021
https://us-cert.cisa.gov/ncas/curre...p-server-version-2451-address-vulnerabilities

On October 7, 2021, the Apache Software Foundation released Apache HTTP Server version 2.4.51 to address Path Traversal and Remote Code Execution vulnerabilities (CVE-2021-41773, CVE-2021-42013) in Apache HTTP Server 2.4.49 and 2.4.50. These vulnerabilities have been exploited in the wild.

CISA is also seeing ongoing scanning of vulnerable systems, which is expected to accelerate, likely leading to exploitation. CISA urges organizations to patch immediately if they haven’t already—this cannot wait until after the holiday weekend.
Click to expand...

Log in or Sign up

Apache fixes zero-day vulnerability exploited in the wild, patch now

guest Guest

guest Guest

guest Guest

Log in or Sign up

Apache fixes zero-day vulnerability exploited in the wild, patch now

guest Guest

guest Guest

guest Guest

Useful Searches