On Monday, October 4, 2021, Apache published an advisory on CVE-2021-41773, an unauthenticated remote file disclosure vulnerability in HTTP Server version 2.4.49 and 2.4.50. The vulnerability arises from the mishandling of URL-encoded path traversal characters in the HTTP GET request. Public proof-of-concept exploit code is widely available, and Apache and others have noted that this vulnerability is being exploited in the wild. Note that a non-default configuration is required for exploitability.
Roughly 65,000 potentially vulnerable versions of Apache httpd exposed to the public internet. The exposure estimate intentionally does not count multiple Apache servers on the same IP as different instances (this would substantially increase the number of exposed instances identified as vulnerable)
For the organizations who are using the vulnerable version of apache should update to latest version or Apache 2.4.51 as soon as practical.
Most of the time upgrading immediately to the latest version of apache is not practically feasible task for organizations as they have to look for all the dependencies. For them they can make changes into apache configurations to protect against the exploitation.
The server’s configuration file should be updated to include the filesystem directory directive with require all denied:
< Directory />
Require all denied
Another best strategical alternative to defend against these attacks at the same time understand about the attacker’s patterns and behavior is the deception technology. An intelligent Deception can help you achieve the zero false positives.
Whenever any new Zero Day made public or CVE is published the active threat actors are the first in the race of cyberspace to make a move. They actively look for all the vulnerable Apps, IPs for the latest vulnerability.
Easy step to detect this attack and collect the personalized threat feeds is spin Apache Decoy leveraging Dejavu Deception and allow this internet facing to collect the IOCs constantly.
Once the attacker’s IP are collected on deception, we block immediately on production environment which can be done leveraging Shuffle SOAR.
“This what we achieve by integrating open source point solutions Dejavu (Open Source Deception) used to create Apache Decoy further Deception Logs are parsed to -> Wazuh (Open Source SIEM) use webhook to bring logs to -> Shuffle (Open Source SOAR) share the personalized threat intelligence to -> MISP and further Block the IOC in Network Firewall. “
We need to follow the same as scenario one just keeps the multiple vulnerable apache decoys available to private network to detect and respond to internal attacks.