On October 4, 2021, Apache published a patch for CVE-2021-41773/CVE-2021-42013, a path traversal and file disclosure vulnerability affecting Apache HTTP Server version 2.4.49. The advisory also noted that the vulnerability was already being exploited in the wild. Since the publication went live, multiple exploits have been published online, including remote code execution exploits. On October 7, Apache released an updated patch, because the first one, version 2.4.50, was insufficient, and assigned CVE-2021-42013 to the incomplete fix in 2.4.50.
Apache HTTP Server is commonly used as a web server, and thus the impact of the vulnerability in an organization's environment may be wide reaching, should it be exploited. We urge Apache HTTP Server users to patch their vulnerable servers as soon as possible.
In this blog post, we will highlight the risks this vulnerability poses to cloud environments and share some guidance on how to mitigate them.
The root of the vulnerability is in a change made to path normalization in Apache HTTP Server 2.4.49 (previous versions are not impacted). According to the original Apache advisory, exploitation of the vulnerability can provide attackers with the following capabilities:
Map URLs to files outside the expected document root using a path traversal attack
Access to files outside the document root
Access to the source of interpreted files, such as CGI scripts, which in turn can be used for additional attacks
Following the initial publication, multiple security researchers published exploits online that allow bad actors to remotely execute commands on targeted Apache HTTP Servers. In addition, other researchers discovered that the fix deployed in version 2.4.50 can be bypassed. As a result, Apache released a new patch (2.4.51) three days after the first one.
The combination of an exposed widely-used web server with a severe and exploitable vulnerability prompted attackers to immediately start scanning the internet for vulnerable targets. We are aware of multiple scanning activities as of the publishing of this post.
Apache HTTP Servers are commonly used as web servers. As such, they usually require access to backend resources like databases. Access to these resources can be achieved with username and password or database keys. Attackers who obtain such secrets stored on a web server by exploiting CVE-2021-41773/CVE-2021-42013 can leverage them to access sensitive data that can be then used for malicious purposes: further attacks, leaks, blackmailing, and more.
Beyond accessing specific resources, there is a more pernicious risk to this vulnerability. In cloud environments, identity (IAM) cloud keys are used broadly by cloud compute resources. These keys grant access to databases, storage services, Identity and Access Management, compute and many more through the permissions attached to their role.
Unfortunately, in many cases, cloud identities are over-privileged and carry wide permissions that are not necessary for their specific usage. Cloud identity management is complex, and when accessing a database it may be easier to use an admin role instead of a specific restricted role. Such practices are wrong and dangerous.
In some cases, these cloud keys are stored on the web server's disk and, given a path traversal and file disclosure vulnerability such as CVE-2021-41773/CVE-2021-42013, attackers would be able to look for common credential paths and obtain them. If these cloud keys have admin permissions, attackers will be able to use them to assume the admin role and effectively take over the entire targeted cloud environment.
As mentioned earlier, we suggest that all Apache HTTP Server users address this vulnerability as soon as possible. To remediate, the first step you should take is to gather a list of all your VMs and containers that run the Apache HTTP Server. Then, you should review the Apache HTTP Server version on those resources. All Apache HTTP Servers with version 2.4.49 and 2.4.50 (the initial insufficient fix) are vulnerable and require patching to the fixed version – 2.4.51. No other workarounds are known at this time.
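The version review step above, as an added shell example that is not part of the original post: it classifies the banner printed by `httpd -v` / `apache2 -v` against the affected releases (2.4.49 and 2.4.50) and the fixed release (2.4.51), and can be run on each VM or fed the output of a container's binary. The function names are ours.

```shell
#!/bin/sh
# Classify an Apache HTTP Server version banner against
# CVE-2021-41773 (2.4.49) and CVE-2021-42013 (2.4.50).
# Output: vulnerable | patched | unaffected | unknown

apache_version_from_banner() {
  # Extract "2.4.49" from a line like "Server version: Apache/2.4.49 (Unix)"
  printf '%s\n' "$1" | sed -n 's|.*Apache/\([0-9][0-9.]*\).*|\1|p' | head -n 1
}

apache_version_status() {
  ver=$(apache_version_from_banner "$1")
  case "$ver" in
    "")            echo unknown ;;      # no Apache banner found
    2.4.49|2.4.50) echo vulnerable ;;   # affected releases named in the advisory
    2.4.51)        echo patched ;;      # first complete fix
    2.4.*)
      # Earlier 2.4.x releases predate the path normalization change;
      # releases after 2.4.51 ship the fix.
      minor=${ver#2.4.}
      minor=${minor%%.*}
      if [ "$minor" -lt 49 ]; then echo unaffected; else echo patched; fi ;;
    *)             echo unaffected ;;   # 2.2.x and older are not affected
  esac
}

check_local_apache() {
  # Run on each VM. For a container, pipe in e.g. `docker exec <id> httpd -v`
  # through apache_version_status instead.
  for bin in httpd apache2 apachectl; do
    if command -v "$bin" >/dev/null 2>&1; then
      apache_version_status "$("$bin" -v 2>/dev/null)"
      return
    fi
  done
  echo not-installed
}
```

Distribution packages that backport fixes may keep the upstream version string, so confirm against the package changelog where the banner alone is ambiguous.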
If patching is not possible, we recommend deactivating the resource or blocking internet access to it. For cloud environments, we highly recommend ensuring that internet-facing workloads have the most limited permissions possible for their function and do not store overly permissive secrets, such as admin cloud keys. In addition, where possible, use more secure alternatives to storing cloud keys on disk, such as the cloud provider's metadata service.
Wiz is a full stack agentless solution for securing cloud environments. Its scanning technology allows users to detect Apache HTTP Server installations and their version numbers across their environments within minutes of deployment, track the upgrade process, and prioritize patching based on toxic combinations such as external exposure or admin permissions on the affected resource.
On top of inventory management and vulnerability detection, Wiz automatically detects encrypted secrets or secret-related public data on workloads’ disks and analyzes them using their metadata. This mechanism enables Wiz to detect high-permission cloud keys, database authentication data, private keys, and much more that can be used by attackers to move laterally, access sensitive data, etc. This can help users determine which resources are most at risk to the Apache HTTP Server exploit and should be addressed first.
With Wiz, you get full visibility into an attack chain with a single query that:
Lists all workloads and their vulnerable applications
Analyzes each workload’s network exposure
Detects sensitive secret information stored on the workloads (e.g. cloud keys)
The Wiz Threat Center contains a pre-built query that retrieves all resources with vulnerable Apache HTTP Server versions and their corresponding escalation paths with one click. The Threat Center is the place to see other critical issues in your environment as well.
Whether you’re a Wiz customer or not, the Apache HTTP Server vulnerability CVE-2021-41773/CVE-2021-42013 is one to take seriously, given the potential impact. Following the remediation steps in this post will help you to identify and minimize the risk. Stay tuned for any updates.