Path Traversal and Remote Code Execution in Apache HTTP Server, CVE-2021-41773
On October 4th, 2021, Apache disclosed a path traversal vulnerability CVE-2021-41773 that affects HTTP Server version 2.4.49. The vulnerability was introduced in this version (2.4.49) and is patched in version 2.4.50.
This path traversal vulnerability allows sensitive files outside of the expected document root to be accessed, such as configuration files and Common Gateway Interface (CGI) scripts. This allows for specially crafted requests to read arbitrary files as well as perform Remote Code Execution (RCE) on systems that have the Apache “mod_cgi” module enabled.
On October 3rd, 2021, at 08:44 UTC, GreyNoise observed the first scan for this vulnerability from 36.68.53.196. This predates the mailing list announcement from Apache on October 5th as well as the release of 2.4.50 on October 4th, but after the patch was committed on September 29th. [View 36.68.53.196 in GreyNoise]
As of October 5th, 2021, the first Proof of Concept (POC) code became available which demonstrated arbitrary file read. It was closely followed by a POC demonstrating RCE.
GreyNoise Tag for CVE-2021-41773
GreyNoise has released the following tag to enable monitoring of relevant activity:
- Apache HTTP Server Path Traversal Attempt: The vulnerability attempt tag for CVE-2021-41773, path traversal vulnerability in Apache HTTP Server v2.4.49 which can lead to arbitrary file read and remote code execution. [View In GreyNoise]*
As of 7-Oct-21, GreyNoise is seeing 47 unique IP addresses that have scanned for this vulnerability, 39 of which are “malicious” and 8 of which are “benign."
* Editor’s Note: If this tag returns “No results found’,' this means that GreyNoise has not observed any IP addresses scanning the internet for this CVE in the past 90 days. You can use GreyNoise to notify you if this changes by using our Alerts feature.
10/15/21: This blog has been updated with Figure 1 to depict the timeline of events.
.png)
