Critical Apache HTTP Server Vulnerability CVE-2021-42013: Path Traversal and RCE Threats

Executive Summary

CVE-2021-42013 is a critical vulnerability in the Apache HTTP Server, specifically affecting versions 2.4.49 and 2.4.50. This vulnerability is an extension of CVE-2021-41773, which was initially discovered and patched. However, the fix for CVE-2021-41773 was found to be insufficient, leading to the discovery of CVE-2021-42013. This vulnerability allows an attacker to perform a path traversal attack, enabling them to map URLs to files outside the directories configured by Alias-like directives. If these files are not protected by the default configuration "require all denied," the attacker can access them. Additionally, if CGI scripts are enabled for these paths, it could lead to remote code execution (RCE). The vulnerability has a CVSS v3.1 score of 9.8, indicating its critical nature. Immediate action is required to update the server and review configurations to mitigate the risk of exploitation.

Technical Information

CVE-2021-42013 affects Apache HTTP Server versions 2.4.49 and 2.4.50. It is an extension of CVE-2021-41773: the fix shipped for that issue was found to be insufficient, and the remaining path traversal was assigned CVE-2021-42013. An attacker can use it to map URLs to files outside the directories configured by Alias-like directives. If those files are not protected by the default configuration "require all denied," the attacker can access them; if CGI scripts are additionally enabled for those paths, the traversal can lead to remote code execution (RCE).

The vulnerability has a CVSS v3.1 score of 9.8 (critical), with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The CVSS v2.0 score is 7.5, with vector AV:N/AC:L/Au:N/C:P/I:P/A:P.

The vulnerability has been actively exploited in the wild for path traversal and remote code execution and is listed in CISA's Known Exploited Vulnerabilities Catalog; see Exploitation in the Wild below.

Exploitation in the Wild

This vulnerability has been actively exploited in the wild: attackers have used it to perform path traversal and remote code execution attacks, and it is listed in CISA's Known Exploited Vulnerabilities Catalog. Public reporting, detection modules, and proof-of-concept material on its exploitation include:

  1. Juniper Threat Research blog on Apache HTTP Server CVE-2021-42013 and CVE-2021-41773 exploitation: https://blogs.juniper.net/en-us/threat-research/apache-http-server-cve-2021-42013-and-cve-2021-41773-exploited
  2. Twitter post by Attila Deak: https://twitter.com/AttilaDeak01/status/1467148599662465035
  3. CISA Known Exploited Vulnerabilities Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
  4. Packet Storm Security - Apache HTTP Server 2.4.50 Path Traversal Code Execution: http://packetstormsecurity.com/files/164501/Apache-HTTP-Server-2.4.50-Path-Traversal-Code-Execution.html
  5. Packet Storm Security - Apache HTTP Server 2.4.50 Remote Code Execution: http://packetstormsecurity.com/files/164609/Apache-HTTP-Server-2.4.50-Remote-Code-Execution.html
  6. GitHub - BassoNicolas/CVE-2021-42013: https://github.com/BassoNicolas/CVE-2021-42013
  7. GitHub - TheLastVvV/CVE-2021-42013_Reverse-Shell: https://github.com/TheLastVvV/CVE-2021-42013_Reverse-Shell
  8. GitHub - Vulnmachines/cve-2021-42013: https://github.com/Vulnmachines/cve-2021-42013
  9. GitHub - ahmad4fifz/CVE-2021-42013: https://github.com/ahmad4fifz/CVE-2021-42013
  10. GitHub - andrea-mattioli/apache-exploit-CVE-2021-42013: https://github.com/andrea-mattioli/apache-exploit-CVE-2021-42013
  11. GitHub - asaotomo/CVE-2021-42013-Apache-RCE-Poc-Exp: https://github.com/asaotomo/CVE-2021-42013-Apache-RCE-Poc-Exp
  12. GitHub - rapid7/metasploit-framework, auxiliary scanner module apache_normalize_path: https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/apache_normalize_path.rb
  13. GitHub - rapid7/metasploit-framework, exploit module apache_normalize_path_rce: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/apache_normalize_path_rce.rb
  14. GitHub - tangxiaofeng7/CVE-2022-22947-Spring-Cloud-Gateway: https://github.com/tangxiaofeng7/CVE-2022-22947-Spring-Cloud-Gateway
  15. GitHub - twseptian/cve-2021-42013-docker-lab: https://github.com/twseptian/cve-2021-42013-docker-lab
  16. GitHub - walnutsecurity/cve-2021-42013: https://github.com/walnutsecurity/cve-2021-42013
  17. Povilaika blog on the Apache 2.4.50 exploit: https://www.povilaika.com/apache-2-4-50-exploit/

APT Groups using this vulnerability

While specific APT groups exploiting this vulnerability have not been publicly identified, the nature of the vulnerability makes it a valuable target for various threat actors, including state-sponsored groups and cybercriminals. The sectors and countries targeted by these groups often include critical infrastructure, government agencies, and large enterprises across the globe.

Affected Product Versions

The affected product versions are Apache HTTP Server 2.4.49 and Apache HTTP Server 2.4.50. It is crucial for organizations using these versions to update to the latest version to mitigate the risk of exploitation.

Workaround and Mitigation

To mitigate the risk of exploitation, organizations should take the following steps:

  1. Update Apache HTTP Server: Update to the latest release, which includes the fix for CVE-2021-42013; the earlier fix for CVE-2021-41773 alone is not sufficient.
  2. Configuration Review: Confirm that files outside the intended document and alias directories are protected by a "Require all denied" directive, as in the default configuration, so that a traversal outside those directories is refused.
  3. Disable CGI Scripts: If CGI is not required, disable it; this removes the step from path traversal to remote code execution.
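As an added example (my code, not the page's or the Apache project's), a Python heuristic that audits a single httpd.conf fragment for the two configuration points in steps 2 and 3 and reports findings; the fragments are constructed, and the check deliberately ignores Include files and .htaccess, so it complements rather than replaces a manual review.

```python
import re

# Constructed httpd.conf fragments (not taken from any real server or from the page).
WEAK_CONF = """
LoadModule cgid_module modules/mod_cgid.so
<Directory />
    Require all granted
</Directory>
Alias /icons/ "/usr/local/apache2/icons/"
ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"
"""
HARDENED_CONF = """
<Directory />
    Require all denied
</Directory>
<Directory "/usr/local/apache2/htdocs">
    Require all granted
</Directory>
Alias /icons/ "/usr/local/apache2/icons/"
"""

def audit_httpd_conf(text):
    """Heuristic single-file audit (no Include handling) for mitigation steps 2 and 3:
    filesystem root denied by default, and CGI disabled. Returns (code, message) findings."""
    findings = []
    root_require = None   # last Require directive seen inside <Directory />
    in_root = False
    cgi_modules, script_aliases = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"): continue
        if re.match(r'<Directory\s+"?/"?\s*>$', line, re.I): in_root = True
        elif in_root and line.lower() == "</directory>": in_root = False
        elif in_root and line.lower().startswith("require "): root_require = line
        m = re.match(r"LoadModule\s+(cgid?_module)\b", line, re.I)   # mod_cgi or mod_cgid
        if m: cgi_modules.append(m.group(1))
        m = re.match(r"ScriptAlias(?:Match)?\s+(\S+)", line, re.I)  # URL prefix that runs scripts
        if m: script_aliases.append(m.group(1))
    if root_require is None:
        findings.append(("ROOT_UNSET", "no Require directive inside <Directory />; add 'Require all denied'"))
    elif "denied" not in root_require.lower():
        findings.append(("ROOT_OPEN", f"<Directory /> grants access ({root_require}); use 'Require all denied'"))
    for mod in cgi_modules:
        findings.append(("CGI_MODULE", f"{mod} is loaded; comment out the LoadModule line if CGI is not required"))
    for url in script_aliases:
        findings.append(("SCRIPT_ALIAS", f"{url} maps to executable scripts; remove if not required"))
    return findings

if __name__ == "__main__":
    for code, msg in audit_httpd_conf(WEAK_CONF): print(code, msg)
```

Step 1 (the server version) is not checked here and must be confirmed separately.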

Rescana is here for you

At Rescana, we understand the critical importance of protecting your systems from vulnerabilities like CVE-2021-42013. Our Continuous Threat and Exposure Management (CTEM) platform helps you stay ahead of potential threats by providing real-time monitoring, threat intelligence, and automated remediation. We are committed to helping you secure your infrastructure and mitigate risks effectively. If you have any questions about this report or any other issue, please feel free to contact us at ops@rescana.com.
