Apache patches a 0-day vulnerability already exploited by hackers

Apache patches 0-day
Written by Emma Davis

The Apache Software Foundation has patched a dangerous 0-day vulnerability in its HTTP web server. It is reported that the problem is already being actively exploited by hackers.

Apache HTTP Server is an open source, cross-platform web server that is extremely popular for its versatility, reliability, and free software. Thus, any vulnerability in a product has widespread consequences.

The vulnerability has the identifier CVE-2021-41773 and affects only Apache web servers running version 2.4.49. Also, the vulnerable server must have the “require all denied” option disabled, but unfortunately this is the default configuration.

Traversal attacks involve sending requests to access internal or confidential server directories that must be out of reach. Usually these requests are blocked, but in this case the filters are bypassed by using encoded characters (ASCII) for the URLs.journalists of Bleeping Computer write.

The bug occurs because of the way Apache performs the conversion of various URL path schemes (a process called URI normalization). The experts explain that the vulnerability allows attackers to carry out a path traversal attack by matching URLs to files outside the expected document root. As a result, such an attack can lead to leakage of CGI scripts and more.

Also, the publication Bleeping Computer notes that a search with Shodan reveals over 100,000 installations of Apache HTTP Server 2.4.49 on the network, many of which may be vulnerable to a fresh bug.

Apache patches 0-day

Information security specialist Ash discovered attacks that are already abusing this error, together with the cPanel team, who reported the problem to the Apache developers.

A few hours after the release of version 2.4.50, a number of researchers were able to reproduce the vulnerability and have already published several experimental exploits on Twitter and GitHub.

We have reproduced the fresh CVE-2021-41773 Patch Traversal vulnerability in Apache 2.4.49. If files outside of the document root are not protected by “require all denied” these requests can succeed. Patch ASAP!.PT SWARM specialists write.

Let me remind you that we also reported that 0-day vulnerability in Microsoft MHTML is exploited to attack Office 365 users.

Sending
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Emma Davis

I'm writer and content manager (a short time ago completed a bachelor degree in Marketing from the Gustavus Adolphus College). For now, I have a deep drive to study cyber security.

Leave a Reply

Sending

This site uses Akismet to reduce spam. Learn how your comment data is processed.