Back in the 1990s, the National Center for Supercomputing Applications' httpd server was the most popular of the early web servers. It needed a lot of patches, though, to be truly effective. So it was that Brian Behlendorf and Cliff Skolnick put together a mailing list to develop a new server based on the original httpd, and they called it Apache. It quickly became wildly popular.
Today, it's a toss-up between Apache and NGINX as to which is the most widely used web server. And, of course, with popularity come attacks. The latest, a path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49, is a nasty one.
Of course, any time you see a path traversal security hole in a web server, you know you're in trouble. It enables an attacker to access files and directories stored outside the web root folder. By playing games with variables that reference files, using "dot-dot-slash (../)" sequences and their variations or absolute file paths, a cracker can access arbitrary files and directories. That can include application source code, configuration files, and critical system files.
Can you say bad news? Of course, you can.
What makes this especially painful is that the first fix for CVE-2021-41773, rolled out in Apache HTTP Server 2.4.50, wasn’t good enough. It’s always something!
It turns out an attacker could still use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside those directories were not protected by the usual default configuration, "require all denied," such requests could succeed. If CGI scripts were also enabled for these aliased paths, this could be used for remote code execution.
The good news is that this issue only affects Apache 2.4.49 and 2.4.50, not earlier versions. In addition, according to the internet server and device search engine Shodan, only a few Apache installations are actually running 2.4.49 or 2.4.50. It appears that less than 1% of the overall Apache install base is vulnerable.
Mind you, using Netcraft's web server count, that could still be not quite 3 million servers. That's a lot of servers potentially open to attack. You should also keep in mind that all the containerized Apache servers you're automatically spinning up as needed may also be vulnerable.
This is not, by the way, some theoretical attack. Cisco is reporting attacks. Most of these assaults are trying for system access by accessing credentials or getting direct access to a shell. Mostly, this knocking on servers' doors is being done with cURL as the user agent, but Cisco's Talos team has seen other activity using other common user agents.
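If you want to see whether that knocking has reached your own servers, the place to look is the access log. The following is an added example, not code from the article or from the Apache project: a small Python scanner that reads Apache "combined" log lines, percent-decodes each request path (repeatedly, so encoded and double-encoded variations of "../" are normalised), flags any request whose decoded path contains a ".." directory segment, and notes whether the server answered with a 2xx status. The log lines, IP addresses, target paths and user-agent strings are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [06/Oct/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.7 - - [06/Oct/2021:10:01:05 +0000] "GET /icons/../../app/config.ini HTTP/1.1" 200 1892 "-" "curl/7.79.1"
10.0.0.8 - - [06/Oct/2021:10:01:09 +0000] "GET /icons/%2e%2e/%2e%2e/app/config.ini HTTP/1.1" 200 1892 "-" "curl/7.79.1"
10.0.0.9 - - [06/Oct/2021:10:01:12 +0000] "GET /cgi-bin/%252e%252e/%252e%252e/app/run.sh HTTP/1.1" 403 199 "-" "python-requests/2.26"
10.0.0.5 - - [06/Oct/2021:10:02:00 +0000] "GET /docs/intro..html HTTP/1.1" 200 4411 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# A ".." directory segment on its own (so "intro..html" is not a hit), checked after decoding.
DOTDOT_SEGMENT = re.compile(r'(?:^|/)\.\.(?:/|$)')

def fully_decode(path: str, max_rounds: int = 3) -> str:
    """Undo percent-encoding repeatedly so double-encoded '../' variants normalise too."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def is_traversal(raw_path: str) -> bool:
    """True if the request path, once decoded, contains a '..' directory segment."""
    decoded = fully_decode(raw_path.split('?', 1)[0]).replace('\\', '/')
    return DOTDOT_SEGMENT.search(decoded) is not None

def scan_log(text: str) -> list:
    """Return one dict per traversal-looking request; 'served' marks a 2xx response."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_traversal(m['path']):
            continue
        status = int(m['status'])
        hits.append({'ip': m['ip'], 'path': m['path'], 'decoded': fully_decode(m['path']),
                     'status': status, 'served': 200 <= status < 300, 'ua': m['ua']})
    return hits

if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['status']} served={hit['served']} {hit['decoded']} ({hit['ua']})")
```

A hit with served=True is the one to chase first, since it means the request got past whatever "require all denied" protection was in place; the user agent is reported only as context, not as a signal on its own.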
That done, you’re safe… until the next attack comes down the road.