SUBJECT: CVE-2021-41773 Apache HTTP Server Path Traversal Vulnerability
TECH STACK: Apache HTTP Server versions 2.4.1 to 2.4.46.
DATE(S) ISSUED: 10/05/2021
CRITICALITY: HIGH
OVERVIEW:
CVE-2021-41773 is a vulnerability in the Apache HTTP Server that allows an attacker to send a malicious request that includes a path traversal string, potentially allowing the attacker to access files on the server outside of the intended directory. This is known as a path traversal vulnerability.
An attacker could exploit this vulnerability by sending a request to the server with a maliciously crafted path traversal string. If the server is configured to allow requests to access files outside of the intended directory, the attacker may be able to access sensitive files on the server.
The vulnerability exists in the Apache HTTP Server's mod_authz_core module, which is responsible for enforcing authorization rules for access to resources on the server. The vulnerability allows an attacker to bypass these rules and access restricted files.
Apache HTTP Server versions 2.4.1 to 2.4.46 are affected by this vulnerability.
NIST Description: A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.
https://nvd.nist.gov/vuln/detail/CVE-2021-41773
THREAT INTELLIGENCE:
CISA has added CVE-2021-41773 to its Known Exploited Vulnerabilities Catalog, based
on evidence that threat actors are actively exploiting the vulnerability. This vulnerability is a frequent attack vector for malicious cyber actors of all types and poses significant risk to the federal enterprise.
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
NIST: NVD
Base Score: 7.5 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
SOLUTION:
To fix the CVE-2021-41773 vulnerability in the Apache HTTP Server, you should upgrade to a fixed version of the software. The specific version you should upgrade to will depend on which version of the Apache HTTP Server you are currently using.
The following versions of the Apache HTTP Server include a fix for the vulnerability:
To upgrade to a fixed version of the Apache HTTP Server, you can download the latest version of the software from the Apache HTTP Server download page (http://httpd.apache.org/download.cgi). Once you have downloaded the software, follow the instructions provided in the installation guide to install the new version.
Alternatively, you may be able to upgrade to a fixed version of the Apache HTTP Server using your operating system's package manager. Consult the documentation for your operating system or package manager for more information on how to upgrade software packages.
It is important to note that upgrading to a fixed version of the Apache HTTP Server will not automatically fix the vulnerability on your system. You will also need to ensure that any third-party modules or customizations you have made to the Apache HTTP Server are compatible with the new version.
REFERENCES:
CISCO:20211007 Apache HTTP Server Vulnerabilities: October 2021
CONFIRM:https://security.netapp.com/advisory/ntap-20211029-0009/
URL:https://security.netapp.com/advisory/ntap-20211029-0009/
FEDORA:FEDORA-2021-2a10bc68a4
FEDORA:FEDORA-2021-aaf90ef84a
GENTOO:GLSA-202208-20
URL:https://security.gentoo.org/glsa/202208-20
MISC:http://packetstormsecurity.com/files/164418/Apache-HTTP-Server-2.4.49-Path-Traversal.html
URL:http://packetstormsecurity.com/files/164418/Apache-HTTP-Server-2.4.49-Path-Traversal.html
MISC:http://packetstormsecurity.com/files/164941/Apache-HTTP-Server-2.4.50-Remote-Code-Execution.html
URL:http://packetstormsecurity.com/files/164941/Apache-HTTP-Server-2.4.50-Remote-Code-Execution.html
MISC:https://httpd.apache.org/security/vulnerabilities_24.html
URL:https://httpd.apache.org/security/vulnerabilities_24.html
MISC:https://www.oracle.com/security-alerts/cpujan2022.html
URL:https://www.oracle.com/security-alerts/cpujan2022.html
MLIST:[announce] 20211005 CVE-2021-41773: Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49
MLIST:[announce] 20211007 CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)
MLIST:[httpd-cvs] 20211008 [httpd-site] branch main updated: * Align with CVE-2021-42013 based on the latest findings
MLIST:[httpd-users] 20211005 [users@httpd] CVE-2021-41773: Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49
MLIST:[httpd-users] 20211007 [users@httpd] CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)
MLIST:[oss-security] 20211005 CVE-2021-41773: Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49
URL:http://www.openwall.com/lists/oss-security/2021/10/05/2
MLIST:[oss-security] 20211007 CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)
URL:http://www.openwall.com/lists/oss-security/2021/10/07/6
MLIST:[oss-security] 20211007 RE: CVE-2021-41773: Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49
URL:http://www.openwall.com/lists/oss-security/2021/10/07/1
MLIST:[oss-security] 20211008 Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)
URL:http://www.openwall.com/lists/oss-security/2021/10/08/1
MLIST:[oss-security] 20211008 Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)
URL:http://www.openwall.com/lists/oss-security/2021/10/08/2
MLIST:[oss-security] 20211008 Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)
URL:http://www.openwall.com/lists/oss-security/2021/10/08/3
MLIST:[oss-security] 20211008 Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)
URL:http://www.openwall.com/lists/oss-security/2021/10/08/4
MLIST:[oss-security] 20211008 Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)
URL:http://www.openwall.com/lists/oss-security/2021/10/08/5
MLIST:[oss-security] 20211008 Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)
URL:http://www.openwall.com/lists/oss-security/2021/10/08/6
MLIST:[oss-security] 20211009 Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)
URL:http://www.openwall.com/lists/oss-security/2021/10/09/1
MLIST:[oss-security] 20211011 Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)
URL:http://www.openwall.com/lists/oss-security/2021/10/11/4
MLIST:[oss-security] 20211015 Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)
URL:http://www.openwall.com/lists/oss-security/2021/10/15/3
MLIST:[oss-security] 20211016 Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)