
Apache web server users urged to patch immediately

New zero-day in Apache HTTP Server is already being actively exploited and must be addressed immediately

Users of the open source Apache HTTP Server who have updated to recently released version 2.4.49 are being urged to update to 2.4.50 immediately to apply fixes for a newly disclosed zero-day that is already being actively exploited by malicious actors.

The flaw was first reported to Apache a week ago, on 29 September, and the expedited fix reflects the widespread usage of the Apache Software Foundation’s free, cross-platform web server software, which dates back to the mid-1990s and was a driving force in the rapid development of the world wide web at the time. It still serves around a quarter of active websites globally.

The new releases address two vulnerabilities, of which the zero-day, tracked as CVE-2021-41773, is clearly the most pressing. It was identified and disclosed by Ash Daulton of the cPanel Security Team.

The flaw was introduced by a change to path normalisation in the affected version of Apache, and it allows an attacker to use a path traversal attack to map URLs to files outside the expected document root.

Apache said that if files outside of the document root aren’t protected by “require all denied”, such requests can succeed, and furthermore, the flaw can leak the source of interpreted files, such as CGI scripts, to an attacker.

It only affects Apache 2.4.49, which dropped on 15 September, so users who have not yet upgraded to this version are not affected, and should skip straight to 2.4.50.

Multiple cyber researchers say they have already reproduced CVE-2021-41773, and proof-of-concept exploits are circulating.
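For defenders who want to see whether their own servers were probed while they were on 2.4.49, the following is an added example of a log-side check written for this article, not code from Apache or from the researchers mentioned here. It parses Apache combined-format access-log lines, percent-decodes the request path repeatedly (so encoded and doubly encoded dot segments reduce to a literal ".."), then walks the path segment by segment and reports any request that climbs above the document root, together with the response status, since a 200 on such a request suggests the target was not protected by "require all denied". The log lines are constructed for the example; the request shapes (literal "..", encoded "%2e" and double-encoded "%%32%65" dots) are assumptions about what a traversal scanner for this bug class might send, not a statement about any particular exploit.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Apache combined log format.
# These are fabricated for the example, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Oct/2021:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Oct/2021:10:01:13 +0000] "GET /images/../index.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Oct/2021:10:02:40 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1184 "-" "curl/7.79.1"
198.51.100.9 - - [05/Oct/2021:10:02:41 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 403 199 "-" "curl/7.79.1"
198.51.100.9 - - [05/Oct/2021:10:02:45 +0000] "GET /icons/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd HTTP/1.1" 200 1184 "-" "curl/7.79.1"
"""

# Enough of the combined log format to pull out client, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def decode_fully(path, max_rounds=3):
    """Percent-decode until the string stops changing, so that a doubly
    encoded dot (%%32%65 -> %2e -> .) is reduced to its literal form.
    A bounded loop avoids spinning on pathological input."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def escape_depth(decoded_path):
    """Walk the already-decoded path segment by segment and return how many
    levels above the document root it reaches (0 means it never leaves).
    This deliberately does not use posixpath.normpath, which would silently
    clamp '..' at '/', hiding exactly the information we want."""
    depth = 0
    lowest = 0
    for seg in decoded_path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            lowest = min(lowest, depth)
        else:
            depth += 1
    return -lowest


def analyse_log(text):
    """Return one finding per request whose decoded path climbs above the
    document root. 'encoded' marks traversals that relied on percent-encoded
    dots, which a normal browser never sends; 'likely_succeeded' is a 200
    response, i.e. the server served something outside the docroot."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        raw = m.group("path").split("?", 1)[0]  # drop query string first
        decoded = decode_fully(raw)
        climb = escape_depth(decoded)
        if climb == 0:
            continue
        findings.append({
            "ip": m.group("ip"),
            "path": raw,
            "decoded": decoded,
            "climb": climb,
            "encoded": raw != decoded,
            "status": int(m.group("status")),
            "likely_succeeded": m.group("status") == "200",
        })
    return findings


if __name__ == "__main__":
    for f in analyse_log(SAMPLE_LOG):
        verdict = "SERVED" if f["likely_succeeded"] else "blocked"
        print(f'{f["ip"]} {f["status"]} {verdict} climb={f["climb"]} '
              f'encoded={f["encoded"]} {f["path"]} -> {f["decoded"]}')
```

Run against real logs by replacing SAMPLE_LOG with the file contents. The ordinary "/images/../index.html" request is not reported, because it resolves inside the document root; the point of the check is the escape, not the mere presence of "..". Decoding before normalising is what matters here: the 2.4.49 normaliser treated an encoded dot differently from a literal one, so any detector that normalises first and decodes afterwards will miss the same requests the server did.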


Sonatype’s Ax Sharma said that coupled with a separate issue, also reported earlier this week, in which misconfigured Apache Airflow servers were found to be leaking thousands of credentials, the incident demonstrated the importance of prompt patching.

“Path traversal flaws are not to be underestimated,” said Sharma. “Despite repeated reminders and advisories issued by Fortinet, the years-old VPN firewall vulnerability (CVE-2018-13379) continues to be exploited even today, because many entities are behind on patching,” he noted.

“This year, attackers exploited the Fortinet path traversal flaw to leak passwords from over 500,000 VPNs. That’s 10 times the number of VPN firewalls that were compromised last year through the same exploit,” he said.

Sharma said there were three takeaways from such an incident, namely:

  • That active exploitation quickly follows disclosures, even where the process has been well coordinated and responsibly managed;
  • That attackers will be constantly eyeing up public exploits and scanning for vulnerable instances – a Shodan search reveals over 100,000 instances of Apache HTTP Server 2.4.49, 4,000 in the UK;
  • And that not every fix is always sufficient just because an issuer says it is – threat actors can often find workarounds.

Credential leak

The unrelated credential leak was found by researchers Nicole Fishbein and Ryan Robinson of Intezer in Apache’s Airflow workflow management platform, which is the most widely recommended open source workflow app on GitHub.

While probing a misconfiguration in Airflow, Fishbein and Robinson discovered several unprotected instances exposing credentials belonging to employees of organisations in the biotech, cyber security, e-commerce, energy, finance, healthcare, IT, manufacturing, media and transport industries.

The credentials related to accounts held with various services including cloud hosting providers, payment processing and social media platforms, including Amazon Web Services (AWS), Facebook, Klarna, PayPal, Slack, and WhatsApp, but were not exposed by those organisations themselves.

“Companies entrusted with large volumes of sensitive customer data must be hypervigilant in their security processes,” said CloudSphere product vice-president Pravin Rasiah.

“This includes following best practices regarding identifying and addressing any security misconfigurations that put the data at risk in real time. Security misconfigurations are often the result of incomplete data infrastructure visibility and lack of security authorisation guardrails.

“What may seem like just a minor oversight in coding practices, as researchers indicated was likely the case here, can ultimately have devastating repercussions on a brand’s reputation, as customer trust relies first and foremost on the security of their data,” he said.

“With a comprehensive security posture assessment of the applications hosted within their cloud environment along with the ability to remediate issues in real-time, companies can safely operate without putting customer data at risk.”

This article was updated at 09:35 BST on 7 October 2021 to clarify the nature of the Airflow credential leak
