Users of the open source Apache HTTP Server who have updated to the recently released version 2.4.49 are advised to update to 2.4.50 immediately to apply fixes for a recently leaked zero-day that is already actively exploited by malicious actors.
First reported a week ago, on September 29, the accelerated patch reflects the widespread use of Apache Software Foundation’s free, cross-platform web server software, which dates back to the mid-1990s and was a driving force behind the rapid development of the world wide web at the time. It still serves about a quarter of the active websites in the world.
The new versions fix two vulnerabilities, of which the zero-day, tracked as CVE-2021-41773, is clearly the most urgent. It was identified and disclosed by Ash Daulton of the cPanel security team.
The flaw was found in a change to path normalization in the affected version of Apache, and it could allow an attacker to use a path traversal attack to map URLs to files outside the expected document root.
Apache said that if files outside the document root are not protected by “require all denied”, such requests may succeed. In addition, the flaw may leak the source of interpreted files, such as CGI scripts, to an attacker.
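As an added defender-side illustration (not code from the article or from Apache), the following Python script shows how the traversal described above can be spotted in an Apache “combined” access log: each request path is percent-decoded and walked segment by segment, and any request whose normalized path climbs above the document root is flagged. The log lines are constructed samples, and the check is generic to path traversal rather than tied to one specific payload.

```python
from __future__ import annotations
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Apache "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [06/Oct/2021:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.9 - - [06/Oct/2021:10:01:13 +0000] "GET /images/../../etc/passwd HTTP/1.1" 403 199 "-" "curl/7.68.0"
198.51.100.4 - - [06/Oct/2021:10:02:40 +0000] "GET /cgi-bin/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1873 "-" "curl/7.68.0"
198.51.100.4 - - [06/Oct/2021:10:02:41 +0000] "GET /docs/a/../b.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Fields of the combined log format that the check needs: client IP, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def escapes_docroot(target: str) -> bool:
    """True if the request path, after decoding and normalization, leaves the document root."""
    path = target.split("?", 1)[0]
    # Decode repeatedly: percent-encoded (and double-encoded) dots and slashes are the
    # usual way traversal sequences slip past naive, single-pass normalization.
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # Walk the segments by hand: posixpath.normpath('/../x') silently clamps to '/x',
    # which would hide exactly the case we want to detect.
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def find_traversal_attempts(log_text: str) -> list[dict]:
    """Return one record per request whose path escapes the document root."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and escapes_docroot(m["target"]):
            hits.append({"ip": m["ip"], "target": m["target"], "status": int(m["status"])})
    return hits
```

A 200 status on a flagged request, as opposed to the 403 that “require all denied” produces, is the signal that the request actually reached a file outside the root and warrants investigation.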
This only affects Apache 2.4.49, which was discontinued on September 15, so users who have not yet upgraded to this version are unaffected and should upgrade directly to 2.4.50.
Several cyber researchers say they have already reproduced CVE-2021-41773, and proof-of-concept exploits are circulating.
Sonatype’s Ax Sharma said that, coupled with a separate issue, also reported earlier this week, in which misconfigured Apache Airflow servers were found to have leaked thousands of credentials, the incident demonstrated the importance of a quick fix.
“Path traversal flaws should not be underestimated,” Sharma said. “Despite repeated reminders and advisories issued by Fortinet, the years-old VPN firewall vulnerability (CVE-2018-13379) continues to be exploited even today as many entities are behind on patches,” he noted.
“This year, attackers exploited the Fortinet path traversal flaw to leak the passwords of over 500,000 VPNs. That’s 10 times the number of VPN firewalls that were compromised last year by the same exploit,” he said.
Sharma said there were three takeaways from such an incident, namely:
- That active exploitation quickly follows disclosures, even when the process has been well coordinated and responsibly managed;
- That attackers will constantly monitor public exploits and search for vulnerable instances – a Shodan search reveals over 100,000 instances of Apache HTTP Server 2.4.49, 4,000 in the UK;
- And that every patch isn’t always good enough just because an issuer says so – threat actors can often find workarounds.
The leak of unrelated credentials was discovered by Intezer researchers Nicole Fishbein and Ryan Robinson in Apache’s Airflow workflow management platform, which is the most recommended open source workflow application on GitHub.
While probing a misconfiguration in Airflow, Fishbein and Robinson discovered multiple unprotected instances exposing credentials belonging to employees of organizations in biotechnology, cybersecurity, e-commerce, energy, finance, healthcare, IT, manufacturing, media and transportation.
The credentials related to accounts held with various services, including cloud hosting providers, payment processing and social media platforms such as Amazon Web Services (AWS), Facebook, Klarna, PayPal, Slack and WhatsApp, but they were not exposed by these organizations themselves.
“Companies loaded with large volumes of sensitive customer data need to be hypervigilant in their security processes,” said Pravin Rasiah, vice president of CloudSphere products.
“This includes following best practices around identifying and resolving any security misconfigurations that put data at risk in real time. Security misconfigurations are often the result of incomplete data infrastructure visibility and a lack of security authorization guardrails.
“What may appear to be only a minor oversight in coding practices, as the researchers indicated was likely the case here, can ultimately have devastating implications for a brand’s reputation, as the trust of customers relies first and foremost on the security of their data,” he said.
“With a comprehensive assessment of the security posture of applications hosted in their cloud environment along with the ability to troubleshoot issues in real time, businesses can operate securely without putting customer data at risk.”
This article was updated at 09:35 BST on October 7, 2021 to clarify the nature of the Airflow credentials leak