The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said it’s “seeing ongoing scanning of vulnerable systems, which is expected to accelerate, likely leading to exploitation,” urging “organizations to patch their servers immediately if they haven’t already.”
CVE-2021-42013 is a newly identified vulnerability that builds upon CVE-2021-41773, a flaw that impacts Apache web servers running version 2.4.49 and involves a path normalization bug that could enable an adversary to access and view arbitrary files stored on a vulnerable Apache server. The flaw was thought to have been addressed in version 2.4.50 of Apache2. However, a day after the patches were released, it was shown that the weakness could be abused to gain remote code execution if the “mod_cgi” module was loaded and the configuration “require all denied” was absent, prompting Apache to issue emergency updates.
“The fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was not adequate. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives,” the company noted in an advisory. “If files outside of these directories are not protected by the usual default configuration ‘require all denied,’ these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution.”
The Apache Software Foundation credited Juan Escobar from Dreamlab Technologies, Fernando Muñoz from NULL Life CTF Team, and Shungo Kumasaka for reporting the vulnerability. In light of active exploitation, users should update to the latest version (2.4.51) to mitigate the risk associated with the flaw.
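To check a server against the conditions the advisory lists (an affected release, no “require all denied” on the filesystem root, CGI loaded), the following added example, which is not code from Apache or from the original article, audits the output of `httpd -v` together with the text of the main configuration file. The function names and sample configurations are assumptions made for illustration, and the check reads only the text it is given (it does not follow `Include` directives).

```python
import re

# Releases named in the advisory; 2.4.51 carries the complete fix.
AFFECTED = {"2.4.49", "2.4.50"}

def root_is_denied(config_text):
    """True if a <Directory /> block contains 'Require all denied'."""
    in_root = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        if re.match(r'<Directory\s+"?/"?\s*>', line, re.I):
            in_root = True
        elif re.match(r"</Directory>", line, re.I):
            in_root = False
        elif in_root and re.match(r"Require\s+all\s+denied\b", line, re.I):
            return True
    return False

def cgi_loaded(config_text):
    """True if an uncommented LoadModule line enables mod_cgi or mod_cgid."""
    return any(re.match(r"\s*LoadModule\s+cgid?_module\b", l, re.I)
               for l in config_text.splitlines())

def audit(version_banner, config_text):
    """Map `httpd -v` output plus config text to the advisory's conditions."""
    m = re.search(r"Apache/(\d+\.\d+\.\d+)", version_banner)
    version = m.group(1) if m else None
    affected = version in AFFECTED
    denied = root_is_denied(config_text)
    cgi = cgi_loaded(config_text)
    return {"version": version, "affected": affected, "root_denied": denied,
            "cgi_loaded": cgi, "file_access": affected and not denied,
            "rce": affected and not denied and cgi}

# Constructed sample inputs (not taken from any real server).
WEAK = """LoadModule cgi_module modules/mod_cgi.so
<Directory />
    Require all granted
</Directory>"""
HARDENED = WEAK.replace("LoadModule", "#LoadModule").replace("granted", "denied")

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit("Server version: Apache/2.4.50 (Unix)", cfg))
```

A result with `root_denied` set to true on an affected release still calls for the upgrade to 2.4.51; the flags only show which of the advisory's conditions are present in the supplied configuration.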
For our directions to upgrade apache2, check here.