Path Traversal and Remote Code Execution in Apache HTTP Server, CVE-2021-41773

On October 4th, 2021, Apache disclosed a path traversal vulnerability, CVE-2021-41773, that affects HTTP Server version 2.4.49. The vulnerability was introduced in this version (2.4.49) and is patched in version 2.4.50.

This path traversal vulnerability allows sensitive files outside of the expected document root to be accessed, such as configuration files and Common Gateway Interface (CGI) scripts. Specially crafted requests can read arbitrary files and, on systems that have the Apache “mod_cgi” module enabled, perform Remote Code Execution (RCE).
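
A defender-side check for the behaviour described above, as an added example (not GreyNoise's or Apache's code): it percent-decodes each request path in an access log and flags requests whose path climbs above the document root. The log lines, the IP addresses (documentation ranges) and the `placeholder.conf` target are constructed, and the Common Log Format layout is an assumption.

```python
import re
from urllib.parse import unquote

# Constructed sample in Common Log Format; IPs are documentation ranges
# and placeholder.conf is a made-up target.
SAMPLE_LOG = """\
192.0.2.10 - - [05/Oct/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.7 - - [05/Oct/2021:10:00:02 +0000] "GET /cgi-bin/%2e%2e/%2e%2e/%2e%2e/placeholder.conf HTTP/1.1" 200 1024
203.0.113.5 - - [05/Oct/2021:10:00:03 +0000] "GET /docs/%252e%252e/%252e%252e/placeholder.conf HTTP/1.1" 403 199
192.0.2.10 - - [05/Oct/2021:10:00:04 +0000] "GET /icons/../index.html?x=%2e%2e HTTP/1.1" 200 512
"""

# Captures client IP, request target and status code from one log line.
LINE_RE = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) [^"]*" (\d{3})')

def escapes_root(target, max_decodes=3):
    """Return True if the decoded request path climbs above '/'."""
    path = target.split("?", 1)[0]  # the query string is not a file path
    # Decode repeatedly so multiply-encoded probes are flagged as well.
    for _ in range(max_decodes):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    depth = 0
    for segment in path.replace("\\", "/").split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False

def triage(log_text):
    """Return (client_ip, target, status) for every traversal attempt."""
    hits = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if match and escapes_root(match.group(2)):
            hits.append((match.group(1), match.group(2), int(match.group(3))))
    return hits

if __name__ == "__main__":
    for ip, target, status in triage(SAMPLE_LOG):
        print(f"{ip} {status} {target}")
```

Flagged requests that received a 2xx status deserve first attention, since the server answered them with content rather than an error.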

Figure 1: GreyNoise Timeline of CVE-2021-41773

On October 3rd, 2021, at 08:44 UTC, GreyNoise observed the first scan for this vulnerability from 36.68.53.196. This predates the mailing list announcement from Apache on October 5th as well as the release of 2.4.50 on October 4th, but comes after the patch was committed on September 29th.

Figure 2: GreyNoise sensors observed scanning activity prior to vulnerability disclosure.

As of October 5th, 2021, the first Proof of Concept (POC) code became available which demonstrated arbitrary file read. It was closely followed by a POC demonstrating RCE.

Figure 1: Count of CVE-2021-41773 Attempts by Day

GreyNoise Tag for CVE-2021-41773

GreyNoise has released the following tag to enable monitoring of relevant activity:

As of 7-Oct-21, GreyNoise is seeing 47 unique IP addresses that have scanned for this vulnerability, 39 of which are “malicious” and 8 of which are “benign.”

Figure 3: GreyNoise Visualizer page showing all IP addresses scanning for CVE-2021-41773, data pulled on Oct. 7, 2021

* Editor’s Note: If this tag returns “No results found,” this means that GreyNoise has not observed any IP addresses scanning the internet for this CVE in the past 90 days. You can use GreyNoise to notify you if this changes by using our Alerts feature.

10/15/21: This blog has been updated with Figure 1 to depict the timeline of events.

This article is a summary of the full, in-depth version on the GreyNoise Labs blog.