fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Actively Exploited Apache 0-day Also Allows Remote Code Execution

Actively Exploited Apache 0-day Also Allows Remote Code Execution

Proof-of-Concept (PoC) exploits for the Apache web server zero-day surfaced on the internet revealing that the vulnerability is far more critical than originally disclosed.

These exploits show that the scope of the vulnerability transcends path traversal, allowing attackers remote code execution (RCE) abilities.

Apache remains one of the most popular web servers of choice with over a 25% market share.

Also Read: What Is PDPA And What Are The 5 Things You Should Know About

From path traversal to remote code execution

The path traversal vulnerability in Apache’s HTTP server, first reported by BleepingComputer, has actively been exploited in the wild before the Apache project was notified of the flaw in September, or had a chance to patch it.

But yesterday’s disclosure of the Apache webserver path traversal flaw, tracked as CVE-2021-41773, was followed by PoC exploits swiftly surfacing on the internet.

But, while PoC exploits were being developed and tinkered with, another discovery came to light.

Attackers can abuse Apache servers running version 2.4.49 not only to read arbitrary files but also to execute arbitrary code on the servers.

Security researcher Hacker Fantastic noted that the flaw soon turns into a Remote Code Execution (RCE) vulnerability on a Linux system if the server is configured to support CGI via mod_cgi.

Also Read: The Competency Framework: A Guide for Managers and Staff

Should an attacker be able to upload a file via a path traversal exploit, and set execute permissions on the file, they have now granted themselves the ability to execute commands with the same privileges as the Apache process.

CERT’s vulnerability analyst Will Dormann and security researcher Tim Brown have also reported success with code execution on Windows machines.

While playing with the simple PoC on his Windows server, Dormann realized that accessing an EXE via the path traversal exploit in turn launched the binary on his server, as opposed to simply dumping the contents of the EXE.

“I was not doing anything clever other than just reproducing essentially the public PoC on Windows when I saw calc.exe spawn,” says Dormann, who additionally confirmed this behavior to BleepingComputer.

Dormann's tweet
Dormann saw the native Calculator app launch after testing Apache server PoC on Windows (Twitter)

“Was CVE-2021-41773 mis-scoped when it was published?” surmised Dormann, pointing to the note in Apache’s original advisory that exploitation of the flaw would, at most, leak the source code of scripts—rather than running the scripts.

Not all installations vulnerable

Although Shodan queries run by BleepingComputer show over 112,000 Apache servers are running the vulnerable 2.4.49 version, not all servers may be at risk.

The success of the path traversal exploits depends on a variety of factors, including if “mod-cgi” is enabled on the server, and the default “Require all denied” option is missing from the configuration.

Apache HTTP Server 2.4.49 deployments (Shodan)
Apache HTTP Server 2.4.49 deployments (Shodan)

But, should all of the items in the aforementioned criteria apply, there is high potential for the vulnerability to evolve into arbitrary code execution:

“Again, Apache needs to be the vulnerable 2.4.49 version, and mod-cgi is enabled, and it needs to be missing the default Require all denied. But if both of those are true, then CVE-2021-41773 is as RCE as it gets,” explains Dormann.

Server administrators should ensure their Apache HTTP server instances are running patched versions 2.4.50 and above.

Threat intel analyst Florian Roth has provided Sigma rules to help detect an active exploit for the zero-day.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us