Users of the open source Apache HTTP server who have updated to the recently released version 2.4.49 are encouraged to update to 2.4.50 immediately to apply patches for a newly disclosed zero-day that is already actively exploited by malicious actors.
First reported a week ago on September 29, the fast-track patch reflects the widespread use of the Apache Software Foundation’s free, cross-platform web server software, which dates back to the mid-1990s and was a driving force in the rapid development of the World Wide Web at the time. It still serves about a quarter of active websites worldwide.
The flaw lies in a change to path normalization in the affected version of Apache, and it could allow an attacker to use a path traversal attack to map URLs to files outside the expected document root.
Apache has stated that if files outside the document root are not protected by “require all denied”, such requests may succeed, and furthermore, the vulnerability may disclose the source of interpreted files, such as CGI scripts, to an attacker.
This only affects Apache 2.4.49, which was released on September 15, so users who have not yet upgraded to this version are not affected and should upgrade directly to 2.4.50.
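To show what the advisory above means from the defender’s side, here is a small access-log scanner written as an added example for this article (it is not code from Apache or from any of the researchers quoted). It percent-decodes each request path, flags any request whose normalized path climbs above the document root, and records whether the server answered 200, which is the outcome the advisory warns about when files outside the root are not protected by “require all denied”. The log lines are constructed samples, not real traffic.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [05/Oct/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [05/Oct/2021:10:01:05 +0000] "GET /cgi-bin/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1023 "-" "curl/7.68.0"
203.0.113.12 - - [05/Oct/2021:10:01:09 +0000] "GET /images/../index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.13 - - [05/Oct/2021:10:01:12 +0000] "GET /icons/%2e%2e/%2e%2e/etc/hosts HTTP/1.1" 403 199 "-" "curl/7.68.0"
"""

# Pulls method, path and status out of the quoted request part of a log line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def decode_path(raw_path: str, max_rounds: int = 3) -> str:
    """Drop the query string and percent-decode repeatedly (bounded) so that
    single- and double-encoded dot segments are seen in their plain form."""
    path = raw_path.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def escapes_docroot(decoded_path: str) -> bool:
    """True if resolving '..' segments ever climbs above the document root.
    A manual depth count is used because posixpath.normpath silently clamps
    '/../..' to '/', which would hide exactly the case we want to catch."""
    depth = 0
    for segment in decoded_path.split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        elif segment not in ("", "."):
            depth += 1
    return False


def scan_access_log(log_text: str) -> list[dict]:
    """Return one finding per request whose decoded path leaves the docroot."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        decoded = decode_path(match["path"])
        if escapes_docroot(decoded):
            findings.append({
                "line": lineno,
                "client": line.split(" ", 1)[0],
                "raw_path": match["path"],
                "decoded_path": decoded,
                "status": int(match["status"]),
                # A 200 means the traversal was served, i.e. the files outside the
                # root were not shielded by "require all denied".
                "served": match["status"] == "200",
            })
    return findings
```

Run it over a real access log (or feed it the `SAMPLE_LOG` above) and treat any finding with `served` set as a priority for incident response rather than a mere scan attempt.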
Several cyber researchers claim to have already reproduced CVE-2021-41773, and proof-of-concept exploits are circulating.
Sonatype’s Ax Sharma said that, taken together with a separate issue also reported earlier this week, in which misconfigured Apache Airflow servers were found to be leaking thousands of credentials, the incident demonstrated the importance of patching quickly.
“Traversal flaws should not be underestimated,” said Sharma. “Despite repeated reminders and advisories issued by Fortinet, the multi-year-old VPN firewall vulnerability (CVE-2018-13379) continues to be exploited to this day, as many entities are behind on applying patches,” he noted.
“This year, attackers exploited the Fortinet path traversal flaw to disclose more than 500,000 VPN passwords. This is 10 times the number of VPN firewalls that were compromised last year by the same exploit,” he said.
Sharma said there were three takeaways from such an incident, namely:
- That active exploitation quickly follows disclosure, even when the process has been well coordinated and responsibly managed;
- That attackers constantly monitor public exploits and scan for vulnerable instances – Shodan research reveals over 100,000 instances of Apache HTTP Server 2.4.49, of which 4,000 are in the UK;
- And that a fix is not always enough just because the vendor says so – threat actors can often find workarounds.
The unrelated credential leak was discovered by researchers Nicole Fishbein and Ryan Robinson of Intezer in Apache’s Airflow workflow management platform, which is the #1 recommended open source workflow app on GitHub.
While probing a misconfiguration in Airflow, Fishbein and Robinson discovered several unprotected instances exposing credentials belonging to employees of organizations in the biotech, cybersecurity, e-commerce, energy, finance, healthcare, IT, manufacturing, media and transportation industries.
Credentials for accounts held with various services, including cloud hosting providers, payment processing and social media platforms such as Amazon Web Services (AWS), Facebook, Klarna, PayPal, Slack and WhatsApp, were not exposed by these organizations themselves.
“Companies with large volumes of sensitive customer data must be extra vigilant in their security processes,” said CloudSphere vice president of product Pravin Rasiah.
“This includes adhering to best practices for identifying and resolving security configuration errors that put data at risk in real time. Poor security configurations are often the result of incomplete visibility of the data infrastructure and a lack of security clearance guardrails.
“What may seem like a minor oversight in coding practices, as the researchers indicated was likely to be the case here, can ultimately have devastating repercussions on a brand’s reputation, as customers’ trust relies on the security of their data above all else,” he said.
“With a comprehensive assessment of the security posture of applications hosted in their cloud environment and the ability to troubleshoot issues in real time, businesses can operate securely without putting customer data at risk.”
This article was updated at 9:35 a.m. BST on October 7, 2021 to clarify the nature of the Airflow credentials leak.