Application Security , Breach Notification , Cybercrime

Apache Issues Another Emergency Patch for Exploited Flaws

110,000 Servers Exposed to Active Attacks; US Government Urges Immediate Patching
Apache Issues Another Emergency Patch for Exploited Flaws
Users of Apache Server 2.4.49 (global heat map of known installations pictured) and 2.4.50 are being urged to update immediately to 2.4.51 (Source: Shodan)

Apache server software-using IT managers hoping for a bit of respite after being warned to immediately patch the software earlier this week are facing a fresh problem: The previous fix didn't work as advertised, thus necessitating a new update.

See Also: Splunk Named a 10-Time Leader in Gartner® Magic Quadrant™ for SIEM

The news comes ahead of what would have been a long, holiday weekend for many, with parts of the U.S. on Monday celebrating Columbus Day, recognized in some states and cities instead as Indigenous Peoples Day or Native American Day.

But the Cybersecurity and Infrastructure Security Agency says patching cannot wait until after Monday. "CISA urges organizations to patch immediately if they haven't already - this cannot wait until after the holiday weekend," it says in a Thursday security alert. "These vulnerabilities have been exploited in the wild."

The essential update comes via the Apache Software Foundation in the form of Apache HTTP Server version 2.4.51, which addresses path traversal and remote code execution vulnerabilities - respectively designated CVE-2021-41773 and CVE-2021-42013 - that exist in Apache HTTP Server versions 2.4.49 and 2.4.50.

"CISA is also seeing ongoing scanning of vulnerable systems, which is expected to accelerate, likely leading to exploitation," it says.

The vulnerabilities pose a serious risk because a path traversal attack - aka directory traversal - enables attackers to access folders and files stored beyond a server's root folder. A remote code execution flaw, meanwhile, can be used by an attacker to run any code on a remote system, which can enable them to take full control of the system, dump all data being stored and more.

As found via a Friday search of the internet of things search engine Shodan for internet-facing versions 2.4.49 and 2.4.50 of the vulnerable software, "based upon server header information, at least 110,000 servers are currently exposed," according to an alert issued by Edinburgh, Scotland-based security testing firm and consultancy 7 Elements. But David Stubley, who heads the firm, notes that "many sites are configured to hide the exact version of Apache HTTP Server that they're running, so likely the number is bigger."

Stubley adds: "If CISA is recommending urgent patching prior to the weekend because of an increase in malicious scanning, I would urge organizations to prioritize this, while being mindful of testing their deployments first, to avoid unnecessary outages."

Update Obsoletes Wednesday Fix

If fixes for these flaws sound familiar, that's because Apache had already released a patch on Wednesday for CVE-2021-41773 in the form of Apache HTTP Server 2.4.50, before issuing this new one on Thursday. "It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient," Apache says.

The risk centers on capabilities offered by the Alias module in Apache, which allows for URLs to be manipulated and controlled as they arrive at a server.

"An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives," Apache says. "If files outside of these directories are not protected by the usual default configuration 'require all denied,' these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution."

Apache notes that this particular flaw exists only in Apache 2.4.49, which was released on Sept. 16, and Apache 2.4.50, released Wednesday, and not in any prior versions.

In-the-Wild Attacks Target Flaws

Security researcher Tyler Hudak says an Apache honeypot he created Thursday evening with the CVE-2021-41773 flaw was quickly compromised by an in-the-wild attack. Hudak says the attack appeared to distribute Kinsing malware, mirroring behaviors described in a November 2020 Trend Micro report into the malicious code. The security firm describes Kinsing as being Golang-based - aka Go programming language-based - malware that includes a rootkit and runs on Linux systems.

Apache credited Ash Daulton of the cPanel Security Team with discovering CVE-2021-41773 and reporting it to Apache on Sept. 29.

The widely used cPanel web hosting control panel software is built on Apache server. Late on Thursday, cPanel said it updated the software to Apache HTTP Server version 2.4.51, and that users with automatic updates enabled would immediately see the fix get installed.

Apache credited the finding of its incomplete fix for CVE-2021-41773, as well as the fresh CVE-2021-42013 flaw, to three researchers: Juan Escobar from Dreamlab Technologies, Fernando Muñoz from Null Life CTF Team, and Shungo Kumasaka.

Follows Alert Over Apache Airflow Flaws

Apache was also in the news this week after researchers at cybersecurity firm Intezer identified multiple vulnerabilities in the Apache Airflow open-source workflow management platform.

The researchers warned that "thousands" of credentials had been exposed for organizations that use the tool. The researchers urged all Airflow users to update to version 2 of the software, which they say adds multiple security improvements, including removing a data leak risk they identified.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.