Threat Signal Report
Newly Disclosed Apache Vulnerability (CVE-2021-41773) Exploited in the Wild
Update 10/8 - IPS section appended with newly available IPS signature.
Update 10/7 - APPENDIX section updated with announcements from Apache and US-CERT on the release of version 2.4.51
FortiGuard Labs is aware that a new Apache vulnerability (CVE-2021-41773) was disclosed by the Apache Software Foundation today. According to the advisory they posted, this vulnerability is being exploited in the wild. A patch was released along with the advisory. Servers that run Apache HTTP Server 2.4.49 with the "require all denied" access control configuration disabled (appears to be the default setting) are vulnerable.
Why is this Significant?
This is significant because Apache HTTP Server is one of the most widely used web servers, and the vulnerability is being actively exploited in the wild. A search on Shodan shows more than 100k servers around the globe are running the vulnerable Apache HTTP server 2.4.49.
What is the New Apache Vulnerability?
The vulnerability (CVE-2021-41773) is a path traversal and file disclosure vulnerability. Because of the flaw, backend or sensitive directories that are normally inaccessible become reachable by using encoded characters for the URLs if not blocked by the "require all denied" access control configuration. Additionally, the vulnerability could leak the source of interpreted files like CGI scripts.
What Versions of Apache HTTP Server are Vulnerable?
Apache HTTP Server 2.4.49 with the "require all denied" access control configuration disabled are vulnerable. It appears that "require all denied" access control configuration is disabled by default.
Has the Vendor Released an Advisory?
Yes, the advisory has been released by the Apache Software Foundation. See the Appendix for a link to "Apache HTTP Server 2.4 vulnerabilities".
Has the Vendor Released a Patch? (Updated on 10/08)
Apache 2.4.51 was released on October 8th, 2021 as the fix for CVE-2021-41773 included in Apache 2.4.50 (released on October 5th) was determined to be insufficient. CVE-2021-42013 was assigned to the newer security flaw associated with the insufficient fix. CVE-2021-42013 affects Apache 2.4.49 and Apache 2.4.50.
What is the Status of Coverage?
IPS coverage is available for CVE-2021-41773 as:
Traffic Light Protocol
|Color||When Should it Be used?||How may it be shared?|
TLP: REDNot for disclosure, restricted to participants only.
|Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused.||Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.|
TLP: AMBERLimited disclosure, restricted to participants’ organizations.
|Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved.||Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.|
TLP: GREENLimited disclosure, restricted to the community.
|Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector.||Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.|
TLP: WHITEDisclosure is not limited.
|Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release.||Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.|