Two critical flaws were discovered in Apache’s HTTP web server, HTTPD. Threat actors could potentially take advantage of these vulnerabilities to trigger denial of service (DoS) or bypass security policies.
- CVE-2021-44790 (CVSS 9.8): Could lead to a buffer overflow when parsing multipart content in mod_lua and may enable “a remote attacker to take control of an affected system,” according to CISA. No authentication is required to exploit the vulnerability remotely, although no exploit is available as of this writing.
- CVE-2021-44224 (CVSS 8.2): May result in a NULL dereference or Server Side Request Forgery (SSRF) in forward proxy configurations.
Both vulnerabilities impact Apache HTTP Server 2.4.51 and earlier.
How Does This Compare To Log4j?
Although the HTTPD vulnerabilities are unrelated to the recent Log4Shell, they all originate from Apache products.
Like Log4j, HTTPD is ubiquitous. After Nginx, it is the world’s second most widely used web server, with over 3 million public devices on Shodan currently running HTTPD. This means that these vulnerabilities could potentially be as far-reaching as Log4j.
CVE-2021-44790 affects all versions of Apache up to 2.4.51; where mod_lua is in use, it greatly expands the potential attack surface. Unlike Log4j, this was not a situation where a proof-of-concept exploit was released at the same time as the news of the vulnerability. At this point there is no evidence that either CVE has been exploited in the wild. However, now that patches have been released, it is only a matter of time until an exploit is built.
How Bad is This?
Although no exploits are available yet, threat actors will likely move quickly to develop a weaponized attack given the potential reach of these CVEs. CVE-2021-44790 has significant impact potential, but it requires mod_lua to be in use. The Lua module for Apache is only supported by version 2.3 and up, so those running lower versions are not at risk.
CVE-2021-44224 could allow SSRF that interacts with Unix sockets on the affected host. However, it requires forward proxy functionality to be in use. If you do not have ProxyRequests or ProxyVia defined in your HTTPD configuration, you are likely not at risk.
There have been a number of other CVEs this year for Apache HTTPD, such as CVE-2021-41773 in October, a directory traversal flaw. In general, this should be a reminder to keep Apache HTTPD up to date and to be aware of which modules and configurations are in use. Doing so will significantly strengthen your internal security efforts.
“Historically we have seen breaches around national holidays because criminals know that security operations centers are often short-staffed, delaying the discovery of intrusions,” reads a White House statement released on December 16.
What Should I Do?
Organizations using Apache HTTPD should immediately update to version 2.4.52.
How To Detect
There are no exploits available at this point. However, as exploits are developed for these CVEs, we will update detection methods. Because CVE-2021-44224 involves Unix socket usage, monitoring socket usage with Osquery or similar tooling will provide enhanced visibility into your environment.
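As an added example that is not part of the original advisory, the following POSIX shell script audits an HTTPD configuration for the two preconditions discussed above: mod_lua being loaded (CVE-2021-44790) and forward proxying being enabled through ProxyRequests or ProxyVia (CVE-2021-44224). The sample configuration embedded in it is constructed, and the config paths in the usage comment are assumptions that vary by distribution.

```shell
# Added audit helper (not from the advisory). It reads an Apache HTTPD config from
# stdin and reports the two preconditions the text names: mod_lua loaded
# (CVE-2021-44790) and forward proxying enabled (CVE-2021-44224).
# Usage on a real host (paths are an assumption; adjust to your distribution):
#   cat /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/*.conf | audit_httpd_config

# Remove comments and blank lines so a commented-out directive is not counted.
strip_comments() {
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d'
}

# Exit 0 if stdin contains a "LoadModule lua_module ..." line (case-insensitive match).
has_mod_lua() {
    grep -Eiq '^[[:space:]]*LoadModule[[:space:]]+lua_module[[:space:]]'
}

# Exit 0 if stdin configures a forward proxy: "ProxyRequests On" enables it
# ("Off" is the default and is not flagged); any ProxyVia directive is flagged
# because the advisory names it as an indicator of forward proxy use.
has_forward_proxy() {
    proxycfg=$(cat)
    printf '%s\n' "$proxycfg" | grep -Eiq '^[[:space:]]*ProxyRequests[[:space:]]+On' && return 0
    printf '%s\n' "$proxycfg" | grep -Eiq '^[[:space:]]*ProxyVia[[:space:]]' && return 0
    return 1
}

# Print one FINDING line per precondition present; exit status = number of findings.
audit_httpd_config() {
    cfg=$(strip_comments)
    findings=0
    if printf '%s\n' "$cfg" | has_mod_lua; then
        echo "FINDING: mod_lua loaded -> CVE-2021-44790 applies on 2.4.51 and earlier"
        findings=$((findings + 1))
    fi
    if printf '%s\n' "$cfg" | has_forward_proxy; then
        echo "FINDING: forward proxy enabled -> CVE-2021-44224 applies on 2.4.51 and earlier"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ] && echo "OK: neither mod_lua nor forward proxying is configured"
    return "$findings"
}

# Constructed sample config: Lua loaded, ProxyVia only in a comment, ProxyRequests Off.
SAMPLE_CONF='LoadModule proxy_module modules/mod_proxy.so
LoadModule lua_module modules/mod_lua.so
# ProxyVia On   <- commented out, must not count
ProxyRequests Off
LuaMapHandler /hello /var/www/lua/hello.lua'
printf '%s\n' "$SAMPLE_CONF" | audit_httpd_config
```

Run against the sample it reports only the mod_lua finding; patching to 2.4.52 is still the fix, the audit only tells you which hosts are exposed before the patch lands.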