CVE-2021-41773: Apache HTTP Server v2.4.49 Path Traversal and File Disclosure leads to RCE
The Apache HTTP server is one of the most common HTTP server frameworks on the internet. Yesterday (October 5th 2021), Apache released a security patch that fixes a critical vulnerability in their project – CVE-2021-41773. This vulnerability was disclosed by Ash Daulton and the CPanel security team on September 29 – not long after Apache had released an update to their HTTP server project.
In this blog post we will introduce the recent CVE-2021-41773 and how to get it fixed. Spoiler alert: version upgrade.
What is the CVE-2021-41773 vulnerability?
This is a path traversal vulnerability which allows a malicious unauthenticated attacker to access private data and sensitive system files by using a special crafted payload. It was also found that by utilizing this vulnerability an attacker can also run commands on the server and fully compromise it.
This vulnerability was introduced to the Apache HTTP server project on September 15th 2021 by a change that was made to the path normalization.
Does it affect me?
If you have an Apache server running version 2.4.49 (Only this specific version) you are most likely affected and we suggest remediating it immediately.
You can also check if you are affected by running the following one-liner script:
(Change <host> with your suspected hostname)
curl --silent --path-as-is --insecure "http://<host>/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd" | grep -q "root.*" && echo "Host is vulnerable" || echo "Host is Not vulnerable"
Has CVE-2021-41773 been actively exploited in the wild?
Yes. Full exploits for this vulnerability are already available online, and we have noticed quite a few real world exploitations of it.
How do I remediate CVE-2021-41773?
In order to remediate this vulnerability we suggest you upgrade Apache to the latest version 2.4.50. Check Vulcan Cyber Remedy Cloud fixes for CVE-2021-41773 for more remediation actions. By the way — the fact that the vulnerability was introduced in version 2.4.49 and got fixed in version 2.4.50 means probably most customers didn’t even get the chance to upgrade to this vulnerable version.
You can also find available workarounds for any CVE in the Vulcan Remedy Cloud, the vulnerability-fix directory – for free.