Oct 05, 2021 - 2:53 p.m.

Apache Warns of Zero-Day Exploit in the Wild — Patch Your Web Servers Now!

The Hacker News
thehackernews.com

CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P

Apache has issued patches to address two security vulnerabilities, including a path traversal and file disclosure flaw in its HTTP server that it said is being actively exploited in the wild.

“A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root,” the open-source project maintainers noted in an advisory published Tuesday.

“If files outside of the document root are not protected by ‘require all denied’ these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts.”

The flaw, tracked as CVE-2021-41773, affects only Apache HTTP server version 2.4.49. Ash Daulton and cPanel Security Team have been credited with discovering and reporting the issue on September 29, 2021.

Source: PT SWARM

Apache also resolved a null pointer dereference vulnerability in the processing of HTTP/2 requests (CVE-2021-41524), which allows an adversary to perform a denial-of-service (DoS) attack on the server. The non-profit corporation said the weakness was introduced in version 2.4.49.

Apache users are strongly advised to patch as soon as possible to contain the path traversal vulnerability and mitigate any risk associated with active exploitation of the flaw.

**Update:** Path Traversal Zero-Day in Apache Leads to RCE Attacks

The actively exploited Apache HTTP server zero-day flaw is far more critical than previously thought, with new proof-of-concept (PoC) exploits indicating that the vulnerability goes beyond path traversal to equip attackers with remote code execution (RCE) abilities. Security researcher Hacker Fantastic, on Twitter, noted that the vulnerability is “in fact also RCE providing mod-cgi is enabled.”

Will Dormann, vulnerability analyst at CERT/CC, corroborated the findings, adding “I was not doing anything clever other than just reproducing essentially the public PoC on Windows when I saw calc.exe spawn.”
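For defenders triaging their own hosts, the Python below is an added example (not from the article or the Apache project) that checks the three conditions named above: the 2.4.49 release, a missing ‘Require all denied’ on the filesystem root, and a loaded CGI module. The function names and both sample configurations are constructed for illustration; it assumes the version banner has the form printed by `httpd -v`, reads a single config file without following Include directives, and treats mod_cgid the same as mod_cgi.

```python
import re

AFFECTED = "2.4.49"  # only release the article lists for CVE-2021-41773

def parse_version(banner):
    """Pull x.y.z out of a banner like 'Server version: Apache/2.4.49 (Unix)'."""
    m = re.search(r"Apache/(\d+\.\d+\.\d+)", banner)
    return m.group(1) if m else None

def active_lines(conf):
    """Drop comment lines; in httpd config a comment is a line starting with '#'."""
    return [ln for ln in conf.splitlines() if not ln.lstrip().startswith("#")]

def root_denied(conf):
    """True if a <Directory /> block carries an active 'Require all denied'."""
    body = "\n".join(active_lines(conf))
    blocks = re.findall(r'<Directory\s+"?/"?\s*>(.*?)</Directory>', body, re.I | re.S)
    return any(re.search(r"^\s*Require\s+all\s+denied\s*$", b, re.I | re.M) for b in blocks)

def cgi_loaded(conf):
    """True if mod_cgi or mod_cgid is loaded (the RCE precondition in the update)."""
    return any(re.match(r"\s*LoadModule\s+cgid?_module\b", ln, re.I)
               for ln in active_lines(conf))

def assess(banner, conf):
    # Assumption: conf is one file's text; Include'd files are not followed.
    return {"affected": parse_version(banner) == AFFECTED,
            "root_denied": root_denied(conf),
            "cgi_loaded": cgi_loaded(conf)}

# Constructed sample configs (not from the article).
WEAK = """
LoadModule cgi_module modules/mod_cgi.so
<Directory />
    AllowOverride none
    # Require all denied
</Directory>
<Directory "/var/www/html">
    Require all granted
</Directory>
"""
# Same file with the root deny rule enabled and the CGI module commented out.
HARDENED = WEAK.replace("    # Require", "    Require").replace("LoadModule", "# LoadModule")

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, assess("Server version: Apache/2.4.49 (Unix)", conf))
```

A host reporting `affected: True` needs the patched release regardless of the other two fields; those only indicate how exposed it is until the upgrade lands.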
