On September 29, 2021, Apache’s security team learned of a zero-day vulnerability (CVE 2021-41773) that attackers were exploiting to compromise Apache HTTP web servers and access sensitive files. They recommend that anyone using Apache servers 2.4.49 or 2.4.50 Linux and Windows-based servers to update to the latest version, 2.4.51, using the instructions found on the official Apache HTTP Server project site. This new version patches both the initial vulnerability in version 2.4.49 and the incomplete fix in version 2.4.50.
The good news is Azion’s Web Application Firewall already protects against this zero-day attack when the Remote File Inclusions (RFI) and Directory Traversal rule sets are enabled. Generally, we recommend that all customers set WAF rule set sensitivities to the “Highest” option in order to prevent the latest variations of attacks and even zero-day attacks.
What Is the Apache HTTP Server Exploit?
Apache HTTP Server 2.4.49 featured a change made to path normalization that enables path traversal attacks, which let attackers access files and directories stored outside the web root folder. As a result, attackers can access directories containing files like CGI scripts or even take over the server completely via remote code execution.
- Path Traversal: an attack technique that aims to access files and directories stored outside the web root folder by manipulating variables that reference files with “../” sequences or by using absolute file paths. The goal of threat actors here would be to access arbitrary files and directories in the files system including application source code or configuration and critical system files.
- Remote code execution: an attack where a threat actor gains illegal, and often administrative access to a system, with the aim to take over the system and run undesired code on a vulnerable server.
How Can Security Teams Protect Against The Latest Vulnerabilities?
It’s good practice to update components with a patch or upgrade when one becomes available to prevent attackers from exploiting known vulnerabilities, but mitigating zero-day attacks requires proactive detection methods that many security products do not provide.
Azion’s WAF protects against zero-day attacks with a rules-based approach that is not only more secure than signature-based methods, but more performant. Rather than scanning thousands of signatures with known attack components (a time- and resource-consumptive process), our WAF uses algorithms to analyze the syntax of numerous attack patterns and condense them into lean, intelligent rule sets, enabled when our users enable the Directory Traversal option (“path traversal” and “directory traversal” are synonymous and used interchangeably in the field). When those rules are met for a specific request, it is assigned a score. In the case of attacks attempting to exploit CVE 2021-41773, strings such as the following would all increase a requests score:
Any request that scores above a certain threshold, which users can adjust for their desired sensitivity, will be automatically blocked. This enables our WAF to proactively block variations on existing attack patterns - and even new threats - before they have been acknowledged by the threat research community, enabling protection against zero-day attacks like the most recently discovered Apache HTTP server exploit.
For additional methods to safeguard important applications, look no further than your trusty OWASP Top 10 list. For example, DevSecOps should continuously focus on taking steps to prevent Broken Access Control. Enforcing proper access control with policies ensures users cannot act outside their intended permissions, and applies to all web application components: web servers, file systems, API endpoints, etc. In the case CVE-2021-41773, setting folders and scripts (including CGI scripts) outside the web root properly to "require all denied" could drastically reduce the likelihood of attackers successfully exploiting the vulnerability. Azion WAF is also one of the very few programmable WAFs, enabling developers to write modern, serverless functions that could, for example, add additional authentication using JWT tokens to secure unprotected APIs.
Additionally, Azion offers Origin Shield, allowing developers to hide vulnerable components (e.g. Apache HTTP web servers) from would-be attackers completely. Origin Shield creates a security perimeter for your origin infrastructure, be it a cloud, hosting provider, or even your own data center. It works by preventing attackers from directly targeting the origin and forces traffic to go through Azion’s massive distributed edge network, with multi-layered security built-in to protect against a wide array of network and application-layer attacks from both established and evolving threats.
Lastly, Azion’s Data Streaming and Real Time Metrics enable our customers to see and visualize attacks such as CVE-2021-41773 mitigated in real-time, helping customers ensure they have done their part to prevent security logging and monitoring failures.
Security incidents like this underscore the importance of choosing a security solution that can protect against zero-day attacks. With Azion's WAF, customers can secure vulnerable application components, whether the components were written in-house, contain or are based on open source/third-party libraries. In addition to WAF, Azion offers a full edge computing platform with multi-layered security available via Azion Edge Firewall.