The open-source project has rolled out a security fix for CVE-2021-41773, for which public exploit code is circulating.
Apache has quickly issued a fix for a zero-day security bug in the Apache HTTP Server, which was first reported to the project last week. The vulnerability is under active exploitation in the wild, it said, and could allow attackers to access sensitive information.
According to a security advisory issued on Monday, the issue (CVE-2021-41773) could allow path traversal and subsequent file disclosure. Path traversal flaws let unauthorized users access files on a web server by tricking either the web server or the web application running on it into returning files that exist outside of the web root folder.
In this case, the issue affects only version 2.4.49 of Apache’s open-source web server, which offers cross-platform operability with all modern operating systems, including UNIX and Windows.
“A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49,” according to the advisory. “An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by ‘require all denied,’ these requests can succeed.”
The bug could also expose the source of interpreted files like CGI scripts, the advisory added, which may contain sensitive information that attackers can exploit for further attacks.
Researchers such as the offensive team at Positive Technologies quickly developed proof-of-concept exploits verifying the attack path, so expect more attack avenues to be publicly available soon:
🔥 We have reproduced the fresh CVE-2021-41773 Path Traversal vulnerability in Apache 2.4.49.
If files outside of the document root are not protected by “require all denied” these requests can succeed.
Patch ASAP! https://t.co/6JrbayDbqG pic.twitter.com/AnsaJszPTE
— PT SWARM (@ptswarm) October 5, 2021
Tenable noted that a Shodan search on Tuesday turned up about 112,000 Apache HTTP Servers that are confirmed to be running the vulnerable version, including 43,000 or so in the U.S.
“However, other vulnerable web servers may be configured to not display version information,” according to the firm’s blog.
Users can protect themselves by upgrading to version 2.4.50. It should be noted that “require all denied” (which denies access to all requests) is the default for protecting files outside of the web root, researchers have noted, which mitigates the issue.
Apache credited Ash Daulton and the cPanel Security Team for reporting the bug.
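For defenders who want to see whether their own 2.4.49 servers were probed, here is an added example (not code from the article, Apache, or the researchers quoted) that reads Apache "combined" format access-log lines, percent-decodes each request path, and flags requests whose path climbs above the document root. The log lines, client addresses and timestamps below are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache "combined" log format: client, identity, user, [time], "request", status, bytes, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) '
)

def fully_decode(path: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so doubly encoded segments (e.g. %252e) are exposed too."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def escapes_docroot(raw_path: str) -> bool:
    """True if the decoded request path, walked segment by segment, climbs above the web root.

    A manual walk is used instead of posixpath.normpath, which silently drops
    leading '..' on absolute paths and would hide exactly the case we care about.
    """
    path = fully_decode(raw_path.split("?", 1)[0])
    depth = 0
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False

def find_traversal_attempts(log_lines):
    """Return (client_ip, raw_path, status) for every request that escapes the root."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and escapes_docroot(m["path"]):
            hits.append((m["ip"], m["path"], int(m["status"])))
    return hits

# Constructed sample log lines (not real traffic). Lines 2 and 3 carry percent-encoded
# dot segments; line 4 contains '..' that never leaves the root and must not be flagged.
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Oct/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Oct/2021:10:00:02 +0000] "GET /icons/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1234 "-" "curl/7.79"',
    '203.0.113.7 - - [05/Oct/2021:10:00:03 +0000] "GET /icons/%252e%252e/%252e%252e/etc/hosts HTTP/1.1" 403 199 "-" "curl/7.79"',
    '198.51.100.9 - - [05/Oct/2021:10:00:04 +0000] "GET /docs/../docs/guide.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]
```

A 200 status on a flagged request is the line to escalate: it means the server handed back a file from outside the web root rather than the 403 that "require all denied" produces.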
Some parts of this article are sourced from:
threatpost.com