Apache HTTP Server vulnerability under active attack
Security experts are urging administrators to update their installations of Apache HTTP Server following the disclosure of a zero-day vulnerability that had been under attack.
Companies operating Apache HTTP Server installations are urged to update their software following the disclosure of a vulnerability that can potentially enable remote code execution.
Potentially tens of thousands of web servers are vulnerable to attacks on CVE-2021-41773, a vulnerability that the Apache Foundation said was already under active exploit earlier this week when it was first disclosed and patched.
Officially listed as a path traversal bug that gives attackers the ability to see file locations without permission, the bug has since been confirmed by multiple researchers to enable remote code execution. This could give threat actors complete control of the server.
Ash Daulton of the cPanel Security Team was credited with discovering and reporting the flaw to Apache.
The vulnerability can be closed by updating Apache HTTP Server to version 2.4.50. A second flaw, CVE-2021-41524, was also fixed. That vulnerability, a denial-of-service bug caused by a null pointer dereference, was not believed to be under active exploit.
The Cybersecurity & Infrastructure Security Agency issued an advisory Wednesday urging organizations to patch both vulnerabilities and warned that CVE-2021-41773 was under active exploitation.
It is not known just how many attacks took place before the bug was first reported. However, groups who monitor for attacks say that since the bulletin went live, attackers have seized on the flaw by scanning for vulnerable servers and attempting exploits.
Troy Mursch, chief research officer with Bad Packets, told SearchSecurity that his company's monitoring network picked up a sharp increase in activity against the flaw beginning on Tuesday evening as word of the bug's exploit potential spread.
"Additionally, we've seen activity from a host in Russia checking for remote code execution [RCE] via the '/bin/sh' path," Mursch explained.
"This is important to note as the disclosure for CVE-2021-41773 did not clearly state the vulnerability can lead to RCE -- which makes it far more critical and important to patch immediately," he said.
While the patch is available, making the time to take down and update a vital service like the Apache HTTP Server could be difficult for many companies seeking to avoid downtime. This could leave numerous internet-facing servers vulnerable to attack as administrators wait for the best time to install the fixes.
It has not been an easy few weeks to be a server administrator, particularly on the security front. In late September, Microsoft was forced to go out of band with the release of a mitigation tool for an actively exploited vulnerability in Exchange Server. Meanwhile, the notorious Nobelium hacking crew was spotted wielding a sophisticated new backdoor malware against Active Directory Federation Services servers.