{"id":7492,"date":"2021-10-08T19:22:42","date_gmt":"2021-10-09T02:22:42","guid":{"rendered":"https:\/\/webdev.securin.xyz\/?p=7492"},"modified":"2023-04-05T12:37:43","modified_gmt":"2023-04-05T19:37:43","slug":"cve-2021-41773-cve-2021-42013-apache-web-servers-are-vulnerable-patch-now","status":"publish","type":"post","link":"https:\/\/webdev.securin.xyz\/articles\/cve-2021-41773-cve-2021-42013-apache-web-servers-are-vulnerable-patch-now\/","title":{"rendered":"CVE-2021-41773 & CVE-2021-42013: Apache Web Servers are Vulnerable, Patch Now!"},"content":{"rendered":"

On October 4, 2021, Apache announced<\/a> fixes for a couple of vulnerabilities, including a zero-day flaw that affects Apache HTTP Server version 2.4.49\u2014a widely used open-source, cross-platform web server for Unix and Windows. This actively exploited zero-day vulnerability is called CVE-2021-41773<\/a>, a Remote Code Execution bug that allows threat actors to map URLs to files outside the expected document root by launching a path traversal and file disclosure attack.<\/p>\n

A day later, Apache discovered that their earlier patch for the actively exploited CVE-2021-41773 vulnerability was insufficient and published an updated version, 2.4.51. This new path traversal vector is being tracked as CVE-2021-42013<\/a>. CISA has also issued<\/a> an alert for these vulnerabilities, which are likely to be exploited in ongoing attacks. Taking the CISA alert into account, we strongly recommend that users patch immediately.<\/p>\n

Proof-of-Concept: Exacerbating the Issue<\/h2>\n

Recently, a security researcher publicly posted a PoC exploit, noting that this flaw could be used to execute remote code only when mod_cgi is enabled. Once it is enabled, an attacker can execute arbitrary programs via HTTP POST requests. A single, seemingly harmless HTTP request targeted at your server might be enough for an attacker to seize total control of it.<\/p>\n

Moreover, this vulnerability is already well known and easy to exploit, with Proof-of-Concept code circulating extensively on Twitter, making it extremely critical to patch immediately.<\/p>\n

On October 5, 2021, just a day after the inadequate fix was released, a security analyst developed an Nmap script<\/a> to detect this path traversal vulnerability.<\/p>\n

Nmap Script<\/strong><\/em><\/p>\n

Possible Data Leakage<\/h2>\n

Additionally, exploitation of this issue may also leak the source of interpreted files, such as CGI scripts. For successful exploitation, the target must be running Apache HTTP Server version 2.4.49 or 2.4.50, and the “Require all denied” access control setting must be disabled. However, this appears to be the default configuration. After the disclosure of the PoC, hackers have been able to reproduce the exploit code of the vulnerability.<\/p>\n

About these Vulnerabilities<\/h2>\n

Researchers at Cyber Security Works (CSW) analyzed both high-impact vulnerabilities from a pentester\u2019s perspective. Here is our analysis:<\/p>\n
