Apache Fixes Zero-Day Flaw Exploited in the Wild
Shodan Search Shows 112,000 HTTP Servers Running Vulnerable Version
Apache, a popular open-source web server software for Unix and Windows, says it has fixed a zero-day vulnerability in its HTTP server. The vulnerability, it says, has been exploited in the wild.
Tracked as CVE-2021-41773, the path traversal and file disclosure vulnerability affects only Apache HTTP servers running version 2.4.49, which was released on Sept. 16, according to the project's HTTP Server 2.4 vulnerability update log.
Describing the vulnerability, Apache says: "A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root." It adds, "If files outside of the document root are not protected by 'require all denied,' these requests can succeed."
Apache confirms that this flaw can also leak the source of interpreted files, such as CGI scripts.
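The defensive check a server administrator would want after reading Apache's description is a way to spot, in existing access logs, requests whose path would climb above the document root. The script below is an added example written for this article; it is not code from Apache or from the researchers mentioned here, and it does not reproduce the undisclosed proof of concept. The log lines are constructed samples in Common Log Format, and the IP addresses and paths are made up.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Oct/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1024
203.0.113.11 - - [05/Oct/2021:10:01:03 +0000] "GET /images/../index.html HTTP/1.1" 200 1024
203.0.113.12 - - [05/Oct/2021:10:01:04 +0000] "GET /icons/../../../../etc/passwd HTTP/1.1" 403 199
203.0.113.13 - - [05/Oct/2021:10:01:05 +0000] "GET /cgi-bin/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1432
"""

# Common Log Format: client, ident, user, [timestamp], "request line", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)


def decode_path(raw_path: str) -> str:
    """Strip the query string and percent-decode until the result is stable,
    so double-encoded dot segments are unwrapped as well."""
    path = raw_path.split("?", 1)[0]
    while True:
        decoded = unquote(path)
        if decoded == path:
            return path
        path = decoded


def escapes_document_root(raw_path: str) -> bool:
    """True if the dot segments of the decoded path would climb above the
    document root. Traversal that stays inside the root (/a/../b) is not flagged."""
    depth = 0
    for segment in decode_path(raw_path).split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def scan_log(text: str) -> List[Dict]:
    """Return one finding per request whose path escapes the document root.
    'served' is True when the server answered 200, which is the case to triage
    first: a 403 indicates an access-control rule refused the request."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        if escapes_document_root(match["path"]):
            findings.append({
                "ip": match["ip"],
                "path": match["path"],
                "decoded": decode_path(match["path"]),
                "status": int(match["status"]),
                "served": match["status"] == "200",
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        flag = "SERVED" if finding["served"] else "denied"
        print(f'{finding["ip"]} {finding["status"]} {flag} {finding["decoded"]}')
```

Running it against the constructed sample reports two requests: the plain `../` attempt that the server answered with 403 and the percent-encoded one that was served with 200. The depth counter is used instead of `os.path.normpath`, because `normpath` silently discards `..` segments at the root and would hide exactly the requests of interest. The 200 responses are what to check against Apache's advice above: a request that escaped the document root and still succeeded means the directories involved were not covered by a `Require all denied` rule.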
Apache credits the discovery of this vulnerability to Ash Daulton and cPanel's security team, who reported the flaws to Apache's security team on Sept. 29. The flaw was fixed within two days, and a patched version was publicly released on Monday.
In an alert issued Wednesday, the U.S. Cybersecurity and Infrastructure Security Agency said it encourages users and administrators to review Apache’s corresponding vulnerabilities page and apply the necessary update.
Large Numbers Still Unpatched
A Shodan search run by Information Security Media Group shows that more than 112,000 internet-facing Apache HTTP servers are still running the vulnerable version 2.4.49. Of these, more than 43,000 - or 40% of all detected servers - are located in the U.S., followed by 12,622 in Germany and 9,925 in Canada.
On Tuesday, a member of the cPanel security forum raised concerns over this vulnerability disclosure and said that the vulnerable version is the "standard version" that is used on cPanel servers.
"Running a yum update [a command that updates all the presently installed packages to their latest versions available in the repositories] on servers does not update [the respective server]. Any idea when this will be incorporated by cPanel?" asked the member.
cPanel said it would release an update on Wednesday, which would take care of the vulnerability issue. A cPanel staff member, responding to queries on the forum, says, "If your server receives automatic updates there is nothing else you need to do on your end."
Apache has also fixed another vulnerability, tracked as CVE-2021-41524, in its latest software version. It is a null pointer dereference detected during HTTP/2 request processing while fuzzing the 2.4.49 httpd, says Apache. The project does not describe it as a high-risk flaw because it says it has not found any instances of the flaw being exploited in the wild.
Proof of Concept
Although many Apache HTTP servers continue to run the vulnerable version of the software and the flaw is known to be exploited in the wild, neither Apache nor security researchers have publicly disclosed a proof of concept for the CVE-2021-41773 vulnerability.
But researchers from the Positive Technologies Offensive Team - aka PT Swarm - have tweeted that they have reproduced the CVE-2021-41773 path traversal vulnerability in Apache 2.4.49.
We have reproduced the fresh CVE-2021-41773 Path Traversal vulnerability in Apache 2.4.49.
If files outside of the document root are not protected by "require all denied" these requests can succeed.
Patch ASAP! https://t.co/6JrbayDbqG pic.twitter.com/AnsaJszPTE
— PT SWARM (@ptswarm) October 5, 2021
Positive Technologies did not respond to ISMG's request for comment on its proof-of-concept finding.
This is the second time in two days that Apache has been in the news for security concerns. On Tuesday, researchers at cybersecurity firm Intezer uncovered a number of unprotected instances in workflow platform Apache Airflow that they say have exposed sensitive information belonging to several companies (see: Apache Airflow Leak Exposes 'Thousands' of Credentials).