Apache released additional fixes for CVE-2021-41773 on Thursday as government agencies like CISA warned that one vulnerability related to the Apache HTTP Server issue had been exploited in the wild.
As ZDNet reported on Wednesday, developers behind the Apache HTTP Server Project urged users to apply a fix immediately to resolve a zero-day vulnerability.
The Apache Software Foundation released Apache HTTP Server version 2.4.50 to address two vulnerabilities that would allow an attacker to take control of an affected system. In a notice on Wednesday, CISA said one of the vulnerabilities, CVE-2021-41773, has already been exploited in the wild.
“It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration “require all denied”, these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution,” Apache said in a notice.
“This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.”
CISA said that “active scanning of Apache HTTP Server CVE-2021-41773 & CVE-2021-42013 is ongoing and expected to accelerate, likely leading to exploitation.”
“These vulnerabilities have been exploited in the wild. Please patch immediately if you haven’t already — this cannot wait until after the weekend,” the government agency added.
According to Bleeping Computer, about 25% of websites worldwide are backed by the open-source, cross-platform Apache HTTP Server.
Sonatype researchers said that approximately 112,000 Apache servers are running the vulnerable version, with roughly 40% located in the United States. Rapid7 Labs said it identified about 65,000 potentially vulnerable versions of Apache httpd exposed to the public internet on Wednesday.
Researchers say the issue is actively being scanned for in the wild.
“The vulnerability itself is not exploitable in normal or default conditions. The biggest impact this issue will have will be on applications that have packaged Apache 2.4.49 and a configuration that enables the vulnerability. One such application is Control Webpanel (also known as CentOS Webpanel), which is used by hosting providers to administer websites, similar to cPanel,” said Derek Abdine, CTO at Censys.
“There are currently just over 21,000 of these that are Internet-facing and appear vulnerable.”
Censys senior security researcher Mark Ellzey added that he expects there to be some fallout for this but that it may not be widespread. Compared to recent vulnerabilities related to Confluence or VMware, he said the urgency and effectiveness of exploits for this issue don’t rise to a similar level.
“Anything outside of the bad config is probably going to be a targeted attack on specific applications. I’d wager that we might see some code leaks,” Ellzey said.
The vulnerabilities were first discovered by Ash Daulton of the cPanel security team and the latest issues were found by Shungo Kumasaka, Dreamlab Technologies’ Juan Escobar and NULL Life CTF’s Fernando Muñoz. Exploits were quickly created and released once the vulnerability was publicized.