Detect CVE-2021-41773: Path Traversal Zero-Day in Apache HTTP Server

Last week security researchers identified a severe security hole affecting Apache HTTP Server. The flaw (CVE-2021-41773) enables unauthorized adversaries to access the sensitive data stored on the web server via a path traversal attack. The vulnerability immediately drove the attention of hackers being massively exploited in the wild despite the patch released on October 5, 2021.

CVE-2021-41773 Description

The vulnerability occurred after path normalization configuration settings were changed with the release of Apache HTTP Server v. 2.4.49. As a result, Apache HTTP Servers became exposed to path traversal attacks enabling hackers to map URLs to files outside the expected document root. Threat actors could send specific requests to jump into the backend or sensitive server directories. Such files are usually out of reach for unauthorized parties, however, the flaw provides the way to overcome the protections and filters by leveraging the encoded characters (ASCII) for the URLs. The Apache advisory details that CVE-2021-41773 may also lead to the leakage of the source of interpreted files like CGI scripts.

The only limitation for the attackers to exploit this vulnerability is the fact that targeted Apache HTTP Server 2.4.49 should have the “require all denied” access control setting turned off. Yet, this is usually the default configuration.

Currently, a Shodan search indicates over 100,000 Apache HTTP Server v.2.4.49 installations exposed online, with the majority of them expected to be vulnerable. 

CVE-2021-41773 Detection and Mitigation

In a view of massive exploitation in the wild, admins are urged to upgrade their software ASAP. The fixes and advisory for this vulnerability were released urgently by Apache on October 5, 2021. 

To detect the malicious activity associated with CVE-2021-41773 zero-day, you can download a free Sigma rule available in the SOC Prime platform.

CVE-2021-41773 Exploitation Attempt

The detection has translations for the following SIEM SECURITY ANALYTICS platforms: Azure Sentinel, ELK Stack, Chronicle Security, Splunk, Sumo Logic, ArcSight, QRadar, Humio, FireEye, LogPoint, Graylog, Regex Grep, Microsoft PowerShell, RSA NetWitness, Apache Kafka ksqlDB, Securonix.

Also, the rule is mapped to MITRE ATT&CK methodology addressing the  Initial Access tactics and the Exploit Public-Facing Applications technique (t1190).

Looking for ways to address your custom use cases, boost threat discovery, and streamline hunting capabilities with a single cost-efficient solution? Explore the newly released SOC Prime’s platform that serves all your security needs in a single space driven to make your threat detection experience faster, simpler, and more intelligent. Want to join our crowdsourcing initiative and become one of our content contributors? Get started with the industry-first Threat Bounty Program!

Go to Platform Join Threat Bounty