CVE-2021-41773: Understanding the Apache HTTP Server Path Normalization Flaw and Potential Exploits

A recent vulnerability has been discovered in the Apache HTTP Server version 2.4.49, which has severe implications for the security and integrity of web applications. The vulnerability, known as CVE-2021-41773, has been found in the server's path normalization function, and it can leave web applications susceptible to path traversal attacks and remote code execution. In this post, we will delve into the details of this vulnerability, its potential exploits, and the actions needed to mitigate its threats.

Background

The Apache HTTP Server, often simply called Apache, is one of the most widely used web servers around the world. It powers a significant portion of the internet, so when a vulnerability is discovered, it should be taken seriously. CVE-2021-41773 affects Apache version 2.4.49 specifically.

The vulnerability was discovered in a recent change made in Apache HTTP Server's path normalization, which is designed to ensure that URLs only map to files within specified directories. Unfortunately, this change introduced a flaw that allows attackers to perform a path traversal attack to map URLs to files outside the designated directories.

Exploit Details

An attacker can exploit this vulnerability by sending crafted requests to the web server, which then incorrectly maps the request to a file outside of the designated directories. If the server's configuration does not deny access to files outside these directories (which is the default behavior in most cases), the attacker can successfully access sensitive files, potentially leading to critical information leakage.

Additionally, if a server has CGI scripts enabled for the aliased paths, this vulnerability could be exploited further, leading to remote code execution. This means an attacker could execute arbitrary code on the affected server, taking control of it and causing devastating damage to the targeted application and its users.

It's worth mentioning that this vulnerability is known to have been exploited in the wild, making it a significant threat to Apache 2.4.49 users.

Original References

The vulnerability was initially reported by the Apache HTTP Server project, and more information about it can be found in their official advisory:

- Apache HTTP Server 2.4.49 Path Traversal Vulnerability

It's important to note that the fix in Apache HTTP Server 2.4.50 was found to be incomplete, leading to the discovery of another vulnerability, CVE-2021-42013, which is related to the same path normalization issue.

Affected users should implement the following measures to address the vulnerability

1. Update the Apache HTTP Server to the latest version. As of this writing, version 2.4.53 is the most recent release that contains fixes for both CVE-2021-41773 and CVE-2021-42013. You can download the latest version at Apache HTTP Server website.

2. Ensure that the configuration files have the directive "Require all denied" for all files outside of the designated directories. This will prevent unauthorized access to sensitive files outside the designated directories.

Timeline

Published on: 10/05/2021 09:15:00 UTC
Last modified on: 10/28/2022 16:16:00 UTC