CVE Series: Apache

(CVE-2021-41773)

What is Apache?

Apache, commonly known as the Apache HTTP Server, is an open-source web server software developed and maintained by the Apache Software Foundation. It plays a pivotal role in delivering web content to users' browsers. Apache efficiently processes and serves web pages, media files, and other online content operating on various platforms. It supports multiple programming languages, including PHP, Python, and Perl, making it a versatile choice for web development.

Apache's modular architecture allows for the addition of extensions and modules that enhance its functionality, such as SSL encryption, URL rewriting, and authentication mechanisms. Its robust security features and customization options have established it as one of the most widely used and trusted web servers globally, powering a substantial portion of websites on the internet.

Vulnerability

A vulnerability was discovered in Apache HTTP Server 2.4.49, introduced by a change to path normalization. The flaw let attackers use path traversal to map URLs to files outside the directories configured by Alias-like directives. Where files outside those directories were not protected by the usual "require all denied" configuration, such requests succeeded. If CGI scripts were also enabled for the aliased paths, the traversal could lead to remote code execution. This issue is known to have been exploited in the wild.

It is important to emphasize that only Apache 2.4.49 was affected; earlier versions were not. The issue was addressed in Apache HTTP Server 2.4.50, but subsequent analysis showed that this fix was incomplete, as documented in CVE-2021-42013. This underscores the urgency of updating to a secure version and applying strict configuration to mitigate the risk.

How to Identify

To check whether your system is vulnerable to CVE-2021-42013, follow these steps:

  1. Use the command-line tool apachectl, which gives administrators control over the Apache httpd daemon, to determine the Apache version running on the host. The -v flag prints the version. If the output shows Apache 2.4.49 or Apache 2.4.50, the system may be at risk.

     apachectl -v
    
  2. Examine the <Directory /> block in httpd.conf, the Directory directive that covers the server's entire file system. The server is exposed if this block reads "Require all granted" or if the Require line is absent. The file is usually found at /usr/local/apache2/conf/httpd.conf. While in the same file, check whether mod_cgi or mod_cgid is enabled by looking for the line "LoadModule cgid_module modules/mod_cgid.so".

The "LoadModule cgid_module modules/mod_cgid.so" line is what makes arbitrary command execution possible. Even when that line is absent, the system remains susceptible to directory traversal if "Require all granted" is present.
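The two checks above, scripted as an added example that is not the article's own code. It assumes apachectl is on PATH and that httpd.conf sits at the path the article gives (overridable with APACHE_CONF); the version and config checks are separate functions so they can also be run against a copied config file.

```shell
#!/bin/sh
# Added example (not from the original article): automates the two "How to
# Identify" checks. Assumes apachectl is on PATH and httpd.conf lives at
# /usr/local/apache2/conf/httpd.conf (override with APACHE_CONF).
CONF="${APACHE_CONF:-/usr/local/apache2/conf/httpd.conf}"

# Step 1: exit 0 if the "apachectl -v" output passed as $1 names 2.4.49 or 2.4.50.
version_affected() {
    printf '%s\n' "$1" | grep -Eq 'Apache/2\.4\.(49|50)([^0-9]|$)'
}

# Step 2: print one finding per line for the httpd.conf given as $1.
#   root_granted     <Directory /> contains "Require all granted"
#   root_no_require  <Directory /> has no Require line (the article treats this as exposed)
#   cgi_loaded       an uncommented LoadModule line for mod_cgi or mod_cgid
config_findings() {
    awk '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*<Directory[[:space:]]+"?\/"?[[:space:]]*>/ { inroot = 1; seen = 1; next }
        /^[[:space:]]*<\/Directory>/ { inroot = 0; next }
        inroot && /Require[[:space:]]+all[[:space:]]+granted/ { granted = 1 }
        inroot && /^[[:space:]]*Require/ { hasreq = 1 }
        /^[[:space:]]*LoadModule[[:space:]]+cgid?_module/ { cgi = 1 }
        END {
            if (granted) print "root_granted"
            if (seen && !hasreq) print "root_no_require"
            if (cgi) print "cgi_loaded"
        }' "$1"
}

# Run both checks on the live host and summarise what the findings mean.
scan_host() {
    ver=$(apachectl -v 2>/dev/null) || { echo "apachectl not found"; return 1; }
    if version_affected "$ver"; then
        echo "VERSION: affected build ($(printf '%s\n' "$ver" | head -n 1))"
    else
        echo "VERSION: not 2.4.49/2.4.50"; return 0
    fi
    findings=$(config_findings "$CONF")
    case "$findings" in
        *root_*) echo "CONFIG: root directory not denied -> path traversal reachable" ;;
        *)       echo "CONFIG: <Directory /> denies access; traversal blocked by config" ;;
    esac
    case "$findings" in
        *cgi_loaded*) echo "CONFIG: mod_cgi/mod_cgid loaded -> traversal can reach RCE" ;;
    esac
}

if [ "${1:-}" = "--scan" ]; then scan_host; fi
```

Run it as `sh check.sh --scan` on the web host; without the flag it only defines the functions.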

Mitigation

Option 1: Patching

  1. Update the package index with apt update. If you are not running as root, use "sudo apt update".

     sudo apt update
    
  2. Install the latest Apache version with "sudo apt install apache2". When prompted, enter 'y' to proceed with the installation.

     sudo apt install apache2
    

Option 2: Configuration File Changes

  1. Open the configuration file using the vi command: vi /usr/local/apache2/conf/httpd.conf.

  2. Enter insert mode by pressing 'i' and make the necessary changes to the misconfigured lines.

  3. For the line LoadModule cgid_module modules/mod_cgid.so and the surrounding <IfModule> lines, add a '#' at the beginning of each line to comment it out. A commented-out line is not processed.

  4. Once the edits are complete, press 'Esc' to leave insert mode, then save and exit by typing ":wq" and pressing 'Enter'.