Scanning activity for Apache flaw began before public disclosure
Two days before the Apache Software Foundation announced a fix for a path traversal vulnerability under active attack, researchers were already seeing malicious actors scanning for vulnerable servers.
Scanning activity began five days after the patch for CVE-2021-41773 was posted to the Apache HTTP web server source, but before the vulnerability was publicly announced on the Apache mailing list. Less than a day after the updated version of the web server was released, a proof-of-concept exploit was available, and soon after, researchers discovered that the vulnerability could also lead to remote code execution under certain circumstances.
“On October 3, 2021 at 08:44 UTC, GreyNoise observed the first scan of this vulnerability from 220.127.116.11. This predates the Apache mailing list announcement on October 5 and the release of 2.4.50 on October 4, but after the patch was validated on September 29,” GreyNoise researchers said in an article on Thursday.
The IP address scanning for the Apache flaw is a known malicious host in Indonesia that has been observed scanning for a variety of vulnerabilities, including other Apache flaws, Citrix bugs, and Cisco vulnerabilities.
Things picked up again on Thursday when Apache released another update because the original patch for the path traversal vulnerability was insufficient. The new update, version 2.4.51, addresses the remote code execution issue.
“The fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was found to be insufficient. An attacker could use a path traversal attack to map URLs to files outside of directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration ‘require all denied’, these requests may be successful. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution,” the ASF said in an advisory Thursday.
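The advisory above describes three things a defender can check for in web server logs: a request whose encoded path maps outside an aliased directory, whether the filesystem-root “require all denied” guard actually blocked it (a 403) or the request succeeded (a 200), and whether it went through a CGI-enabled alias, which is the remote code execution case. The script below is an added example written for this page, not code from the article, GreyNoise, CISA or the ASF. It runs that logic over a few constructed Apache access-log lines. The encoded-dot patterns it matches (single-encoded `.%2e` against 2.4.49, double-encoded `%%32%65` against the insufficient 2.4.50 fix) are taken from public reporting and are assumptions here; the identifier CVE-2021-42013 for the 2.4.50 bypass comes from the ASF advisory for 2.4.51, not from the article text.

```python
import posixpath
import re
from typing import Optional, Tuple
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" log format. They are illustrative
# input for this example only, not traffic reported by GreyNoise, CISA or the article.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Oct/2021:10:12:01 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1042 "-" "curl/7.68.0"
198.51.100.7 - - [07/Oct/2021:11:31:02 +0000] "GET /icons/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.11 - - [07/Oct/2021:11:30:45 +0000] "POST /cgi-bin/.%%32%65/.%%32%65/.%%32%65/bin/sh HTTP/1.1" 200 57 "-" "python-requests/2.26"
198.51.100.9 - - [07/Oct/2021:11:32:10 +0000] "GET /index.html HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.9 - - [07/Oct/2021:11:33:10 +0000] "GET /icons/%2e%2e%2e/x HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

# Minimal parser for the fields we need from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)

# Indicators are matched against the RAW path, because the encoding itself is the
# tell: a normally-formed client never sends an encoded dot as a path segment.
# Pattern sets are assumptions based on public reporting for the two issues.
DOUBLE_ENCODED = re.compile(r'%%32%(65|45)|%252e', re.IGNORECASE)   # bypass of the 2.4.50 fix
SINGLE_ENCODED = re.compile(r'%2e', re.IGNORECASE)                  # original 2.4.49 issue


def classify_path(raw_path: str) -> Optional[Tuple[str, str]]:
    """Return (cve_label, normalised_target) for a traversal attempt, else None."""
    if DOUBLE_ENCODED.search(raw_path):
        cve = "CVE-2021-42013"
    elif SINGLE_ENCODED.search(raw_path):
        cve = "CVE-2021-41773"
    else:
        return None
    # Decode twice: one pass undoes ordinary percent-encoding, the second undoes
    # the extra layer that the double-encoded variant relies on.
    decoded = unquote(unquote(raw_path.split("?", 1)[0]))
    # Encoded dots that never form a parent-directory segment (e.g. "/.../") are
    # odd but not a traversal, so they are not reported.
    if "/../" not in decoded + "/":
        return None
    # posixpath.normpath collapses "..", including past the root, which is exactly
    # what a successful traversal resolves to on the server.
    return cve, posixpath.normpath(decoded)


def scan_log(text: str):
    """Run classify_path over access-log text and describe each traversal attempt."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        result = classify_path(m["path"])
        if result is None:
            continue
        cve, target = result
        status = int(m["status"])
        hits.append({
            "ip": m["ip"],
            "method": m["method"],
            "cve": cve,
            "target": target,
            "status": status,
            # 403: the "require all denied" guard on the filesystem root held.
            # 200: the request reached a file outside the aliased directory.
            "outcome": "blocked" if status == 403
                       else ("succeeded" if status == 200 else "other"),
            # A CGI-enabled alias plus a 200 is the RCE case the advisory describes.
            "via_cgi": m["path"].lower().startswith("/cgi-bin/"),
        })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ip"]:15} {hit["cve"]} {hit["method"]:4} -> {hit["target"]:12} '
              f'{hit["status"]} {hit["outcome"]}{" (via CGI)" if hit["via_cgi"] else ""}')
```

Point the script at a real access log and treat any "succeeded" row as a confirmed read of a file outside the web root, and a "succeeded" row with "via CGI" set as possible code execution that warrants host-level investigation rather than just patching. A "blocked" row still tells you the host was targeted, which, given the scanning the article describes, is the expected baseline for an Internet-facing 2.4.49 or 2.4.50 server.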
Mass scanning across the Internet has continued since the original update was announced on October 5, and it has kept up since the release of the second update, as attackers seek to take advantage of organizations that have not yet had time to deploy the patched versions.
“These vulnerabilities have been exploited in the wild. CISA is also seeing continued scanning of vulnerable systems, which is expected to accelerate, possibly leading to exploitation,” the Cybersecurity and Infrastructure Security Agency said in an advisory Thursday.