A technical analysis of the security vulnerability in the Apache Web Server shows how easily data was exposed worldwide, with many of the affected servers located in Greece.
Security researcher Dimitris Roussis analyzes how a vulnerability in the well-known Apache Web Server, identified as CVE-2021-41773 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41773), currently exposes data on thousands of servers worldwide. The vulnerability allows an attacker to read, through a Directory Traversal attack, all the files on the server where the Web Server is installed.
In the researcher's analysis, a sample of 300 servers that have Apache Web Server version 2.4.49 installed is first retrieved via the Shodan search engine.
Then an automated script checks on which of these servers the vulnerability actually exists.
The end result of the script is the creation of a file (vulnerable_servers.txt) that lists the vulnerable servers.
Then, by executing the following simple curl command, changing the IP and the path at the end, we can access any file we want on the server.
It is worth noting that among the affected servers are many from Greece, as evidenced by the Shodan search engine.
The above study proves, on the one hand, that a single vulnerability can lead to the disclosure of data on a large scale worldwide and, on the other hand, the necessity of immediate implementation of software updates by system administrators.
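For administrators reviewing their own servers, the following added example (not part of the researcher's analysis or script) scans Apache access-log lines for directory traversal attempts by percent-decoding the request path repeatedly and looking for `..` segments. The log lines, IP addresses and the decoding bound are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Request and status fields of an Apache common/combined log line.
REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
MAX_DECODE_ROUNDS = 3  # assumption: upper bound on layered percent-encoding


def has_traversal(target: str) -> bool:
    """True if the request path holds a '..' segment at any decoding depth."""
    path = target.split("?", 1)[0]          # only the path, not the query string
    for _ in range(MAX_DECODE_ROUNDS + 1):
        if ".." in re.split(r"[/\\]", path):
            return True
        decoded = unquote(path)
        if decoded == path:                 # nothing left to decode
            return False
        path = decoded
    return False


def flag_lines(log_lines):
    """Return (client_ip, target, status) for each line with a traversal path."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if m and has_traversal(m.group("target")):
            hits.append((line.split(" ", 1)[0], m.group("target"),
                         int(m.group("status"))))
    return hits


# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Oct/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [06/Oct/2021:10:00:02 +0000] "GET /icons/%2e%2e/%2e%2e/etc/hostname HTTP/1.1" 200 12',
    '198.51.100.7 - - [06/Oct/2021:10:00:03 +0000] "GET /icons/%252e%252e/%252e%252e/etc/hostname HTTP/1.1" 400 226',
    '192.0.2.10 - - [06/Oct/2021:10:00:04 +0000] "GET /docs/v1..2/notes.html HTTP/1.1" 200 2048',
    '203.0.113.5 - - [06/Oct/2021:10:00:05 +0000] "GET /search?q=..%2F HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for ip, target, status in flag_lines(SAMPLE_LOG):
        # A 200 on a flagged request means the server answered it: check first.
        print(f"{ip} status={status} traversal path: {target}")
```

A flagged request that returned status 200 is the one to investigate first, since it indicates the server served the requested path.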
Apache Zero-day vulnerability
Proof-of-Concept (PoC) exploits for the zero-day vulnerability in the Apache web server have recently surfaced on the internet, revealing that the vulnerability is far more critical than initially disclosed.
These exploits show that the scope of the vulnerability goes beyond path traversal, giving attackers remote code execution (RCE) capabilities.
Apache remains one of the most popular web servers, with over 25% market share.
From the so-called "path traversal" to remote code execution
The path traversal vulnerability in the Apache HTTP server was actively exploited by hackers before the Apache project was notified of the defect in September or had the opportunity to fix it.
The recent disclosure of the Apache web server path traversal defect, identified as CVE-2021-41773, was followed by PoC exploits that quickly appeared on the internet.
But as PoC exploits were developed and collaborated on, another discovery came to light.
Attackers can abuse Apache servers running version 2.4.49 not only to read arbitrary files but also to execute arbitrary code on the servers.
Note that the Apache Software Foundation immediately released the HTTP Web Server 2.4.51 update, after researchers discovered that a previous security update did not properly fix the exploited vulnerability.
* Dimitris Roussis is a member of the Information Systems Security Laboratory of the University of the Aegean.