Executive Summary
CVE-2021-42013 is a critical vulnerability in the Apache HTTP Server, specifically affecting versions 2.4.49 and 2.4.50. This vulnerability is an extension of CVE-2021-41773, which was initially discovered and patched. However, the fix for CVE-2021-41773 was found to be insufficient, leading to the discovery of CVE-2021-42013. This vulnerability allows an attacker to perform a path traversal attack, enabling them to map URLs to files outside the directories configured by Alias-like directives. If these files are not protected by the default configuration "require all denied," the attacker can access them. Additionally, if CGI scripts are enabled for these paths, it could lead to remote code execution (RCE). The vulnerability has a CVSS v3.1 score of 9.8, indicating its critical nature. Immediate action is required to update the server and review configurations to mitigate the risk of exploitation.
Technical Information
CVE-2021-42013 extends CVE-2021-41773, which was initially discovered and patched. That fix was found to be insufficient, which led to the discovery of CVE-2021-42013. The flaw is a path traversal: an attacker can map URLs to files outside the directories configured by Alias-like directives. If these files are not protected by the default configuration "require all denied," the attacker can access them. If CGI scripts are also enabled for these paths, it could lead to remote code execution (RCE).
The vulnerability has a CVSS v3.1 score of 9.8, indicating its critical nature. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The CVSS v2.0 score is 7.5, with a vector of AV:N/AC:L/Au:N/C:P/I:P/A:P. The vulnerability affects Apache HTTP Server versions 2.4.49 and 2.4.50.
Exploitation in the Wild
This vulnerability has been actively exploited in the wild. Attackers have used it to perform path traversal and remote code execution attacks. The vulnerability is listed in CISA's Known Exploited Vulnerabilities Catalog, indicating its active exploitation. Specific instances of exploitation include:
- Juniper Blog on Apache HTTP Server Exploits: https://blogs.juniper.net/en-us/threat-research/apache-http-server-cve-2021-42013-and-cve-2021-41773-exploited
- Twitter Post by Attila Deak: https://twitter.com/AttilaDeak01/status/1467148599662465035
- CISA Known Exploited Vulnerabilities Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- Packet Storm Security - Path Traversal Code Execution: http://packetstormsecurity.com/files/164501/Apache-HTTP-Server-2.4.50-Path-Traversal-Code-Execution.html
- Packet Storm Security - Remote Code Execution: http://packetstormsecurity.com/files/164609/Apache-HTTP-Server-2.4.50-Remote-Code-Execution.html
- GitHub - BassoNicolas/CVE-2021-42013: https://github.com/BassoNicolas/CVE-2021-42013
- GitHub - TheLastVvV/CVE-2021-42013_Reverse-Shell: https://github.com/TheLastVvV/CVE-2021-42013_Reverse-Shell
- GitHub - Vulnmachines/cve-2021-42013: https://github.com/Vulnmachines/cve-2021-42013
- GitHub - ahmad4fifz/CVE-2021-42013: https://github.com/ahmad4fifz/CVE-2021-42013
- GitHub - andrea-mattioli/apache-exploit-CVE-2021-42013: https://github.com/andrea-mattioli/apache-exploit-CVE-2021-42013
- GitHub - asaotomo/CVE-2021-42013-Apache-RCE-Poc-Exp: https://github.com/asaotomo/CVE-2021-42013-Apache-RCE-Poc-Exp
- GitHub - rapid7/metasploit-framework: https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/apache_normalize_path.rb
- GitHub - rapid7/metasploit-framework: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/apache_normalize_path_rce.rb
- GitHub - tangxiaofeng7/CVE-2022-22947-Spring-Cloud-Gateway: https://github.com/tangxiaofeng7/CVE-2022-22947-Spring-Cloud-Gateway
- GitHub - twseptian/cve-2021-42013-docker-lab: https://github.com/twseptian/cve-2021-42013-docker-lab
- GitHub - walnutsecurity/cve-2021-42013: https://github.com/walnutsecurity/cve-2021-42013
- Povilaika Blog on Apache 2.4.50 Exploit: https://www.povilaika.com/apache-2-4-50-exploit/
APT Groups using this vulnerability
While specific APT groups exploiting this vulnerability have not been publicly identified, the nature of the vulnerability makes it a valuable target for various threat actors, including state-sponsored groups and cybercriminals. The sectors and countries targeted by these groups often include critical infrastructure, government agencies, and large enterprises across the globe.
Affected Product Versions
The affected product versions are Apache HTTP Server 2.4.49 and Apache HTTP Server 2.4.50. It is crucial for organizations using these versions to update to the latest version to mitigate the risk of exploitation.
Workaround and Mitigation
To mitigate the risk of exploitation, organizations should take the following steps:
- Update Apache HTTP Server: Ensure that your Apache HTTP Server is updated to the latest version, which includes patches for CVE-2021-42013.
- Configuration Review: Review and update your server configuration to ensure that files outside the intended directories are protected by the "require all denied" directive.
- Disable CGI Scripts: If not required, disable CGI scripts to reduce the risk of remote code execution.
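The three checks above can be scripted against a server's version banner and main configuration file. The following is an added example, not code from this report or from the Apache project; the function names, finding labels and sample inputs are constructed for illustration, and it assumes the banner comes from `httpd -v` and the configuration is read as a single file.

```python
import re

AFFECTED = {"2.4.49", "2.4.50"}  # the two versions this advisory names

# Constructed sample input: an `httpd -v` banner and two config excerpts.
SAMPLE_BANNER = "Server version: Apache/2.4.50 (Unix)"
SAMPLE_CONF = """\
LoadModule cgid_module modules/mod_cgid.so
<Directory />
    Require all granted
</Directory>
"""
HARDENED_CONF = """\
#LoadModule cgid_module modules/mod_cgid.so
<Directory />
    Require all denied
</Directory>
"""

def strip_comments(conf):
    return re.sub(r"(?m)^\s*#.*$", "", conf)

def affected_version(banner):
    m = re.search(r"Apache/(\d+\.\d+\.\d+)", banner)
    return m is not None and m.group(1) in AFFECTED

def root_denied(conf):
    # True if a <Directory /> section contains "Require all denied".
    blocks = re.findall(r'(?is)<Directory\s+"?/"?\s*>(.*?)</Directory>',
                        strip_comments(conf))
    return any(re.search(r"(?im)^\s*Require\s+all\s+denied\s*$", b) for b in blocks)

def cgi_loaded(conf):
    # True if mod_cgi or mod_cgid is loaded (and not commented out).
    return re.search(r"(?im)^\s*LoadModule\s+cgid?_module\b",
                     strip_comments(conf)) is not None

def audit(banner, conf):
    # Single-file check only: Include/IncludeOptional files are not followed.
    checks = [("affected-version", affected_version(banner)),
              ("root-not-denied", not root_denied(conf)),
              ("cgi-module-loaded", cgi_loaded(conf))]
    return [name for name, hit in checks if hit]

if __name__ == "__main__":
    print(audit(SAMPLE_BANNER, SAMPLE_CONF), audit(SAMPLE_BANNER, HARDENED_CONF))
```

An empty result only covers the file that was passed in; per-directory or per-vhost sections that re-grant access need the same review.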
Rescana is here for you
At Rescana, we understand the critical importance of protecting your systems from vulnerabilities like CVE-2021-42013. Our Continuous Threat and Exposure Management (CTEM) platform helps you stay ahead of potential threats by providing real-time monitoring, threat intelligence, and automated remediation. We are committed to helping you secure your infrastructure and mitigate risks effectively. If you have any questions about this report or any other issue, please feel free to contact us at ops@rescana.com.