November Vuln of the Month: CVE-2021-42013
November’s Vuln of the Month is CVE-2021-42013, which could leave organizations running Apache HTTP Server 2.4.49 or 2.4.50 open to a path traversal attack. Successful exploitation can result in remote code execution (RCE).
CVE-2021-42013 affects organizations that have enabled Common Gateway Interface (CGI) scripts for aliased paths on the two affected versions of Apache HTTP Server. Our research shows CVE-2021-42013 meets many of the criteria we look for in a vulnerability likely to be exploited, including:
- Access complexity: Low
- Potential attack surface: Limited
- Exploitable remotely: Yes
- Authentication/privilege requirements: None
- Potential impact on availability: Partial
- Exploit code published: No
- Active exploits observed: Yes
The Kenna Risk Score for CVE-2021-42013 is 100, the highest possible score a vulnerability can earn within Kenna’s sophisticated, data science-driven scoring system. Of the more than 156,000 CVEs scored by Kenna, just 0.18% have earned a score this high. In a rare instance of near-parity among scoring systems, CVSS 3.1 gives this CVE a 9.8 or “Critical” rating. Organizations still relying on CVSS 2.0 will find this vulnerability earns only a “High” score of 7.5—which belies its criticality for enterprises running the two vulnerable versions of Apache. (Still using CVSS? We recommend immediately looking into switching out simple vulnerability scores for true risk scores.)
Why CVE-2021-42013 matters
CVE-2021-42013 has an unusual provenance—and one revealing how things don’t always go according to plan. The vulnerability itself has its roots in CVE-2021-41773, which was published on Oct. 5 and described this same path traversal vulnerability. But the fix issued to address that vulnerability proved insufficient in remediating it in Apache 2.4.50, one of the two affected versions of Apache HTTP Server. So two days later, CVE-2021-42013 was born into the National Vulnerability Database (NVD).
This CVE matters because Apache HTTP Server is popular, and running CGI scripts is also popular. Using this path traversal attack, an attacker could map URLs to files outside the directories configured with alias-like directives. If those files aren’t protected by the standard “Require all denied” default configuration, the attack could succeed, and any enabled CGI scripts could be leveraged to execute code remotely. Exploits have been observed in the wild, so this is a proven threat.
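For defenders triaging whether the traversal described above was attempted against their servers, the check that matters is what a request path resolves to after all layers of percent-encoding are stripped, not what it looks like on the wire. The following Python is an added example (not Kenna’s or the Apache project’s code) that normalizes request targets from Apache combined-format access logs and flags dot-dot segments, with extra weight when the segment was percent-encoded or climbs above the server root. It decodes repeatedly because an incomplete fix typically normalizes only one layer of encoding; the sample log lines are constructed, and the `MAX_DECODE_ROUNDS` limit and the finding fields are this example’s own design choices.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [07/Oct/2021:10:00:01 +0000] "GET /cgi-bin/%2e%2e/%2e%2e/etc/hostname HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.5 - - [07/Oct/2021:10:00:02 +0000] "GET /cgi-bin/%252e%252e/%252e%252e/etc/hostname HTTP/1.1" 200 512 "-" "curl/7.68.0"
198.51.100.7 - - [07/Oct/2021:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Oct/2021:10:00:04 +0000] "GET /docs/../index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Client, timestamp, method, request target and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Upper bound on decode passes so a pathological input cannot loop forever (example's choice).
MAX_DECODE_ROUNDS = 5


def fully_decode(s):
    """Percent-decode until the string stops changing; return (decoded, rounds_applied)."""
    rounds = 0
    while rounds < MAX_DECODE_ROUNDS:
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
        rounds += 1
    return s, rounds


def resolve_path(path):
    """Resolve '.' and '..' segments; report whether '..' tried to climb above the root."""
    stack = []
    escaped = False
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if stack:
                stack.pop()
            else:
                escaped = True  # more '..' than directories to pop: left the root
        else:
            stack.append(seg)
    return "/" + "/".join(stack), escaped


def analyze_target(target):
    """Classify one request target; returns a dict describing what it normalizes to."""
    path = target.split("?", 1)[0]          # query string is irrelevant to file mapping
    decoded, rounds = fully_decode(path)
    resolved, escaped = resolve_path(decoded)
    has_dotdot = ".." in decoded.split("/")
    if escaped:
        reason = "dot-dot segment climbs above the server root"
    elif has_dotdot and rounds > 0:
        reason = "percent-encoded dot-dot segment"
    elif has_dotdot:
        reason = "literal dot-dot segment"
    else:
        reason = None
    return {"target": target, "decoded": decoded, "rounds": rounds,
            "resolved": resolved, "escaped_root": escaped,
            "has_dotdot": has_dotdot, "reason": reason}


def scan_access_log(text):
    """Return one finding per log line whose target contains a dot-dot segment after decoding."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        result = analyze_target(m.group("target"))
        if result["reason"] is None:
            continue
        result.update(client=m.group("client"), status=m.group("status"))
        findings.append(result)
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f'{f["client"]} {f["status"]} {f["target"]} -> {f["resolved"]} '
              f'(decode rounds={f["rounds"]}; {f["reason"]})')
```

Run against the constructed sample, the two encoded requests resolve to the same path outside the root and are reported with one and two decode rounds respectively, while the literal `/docs/../index.html` is reported at lower weight because it stays inside the root. Pointing `scan_access_log` at a real access log works unchanged as long as the log uses the combined format; a `200` status on a flagged line is the case worth investigating first.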
Kudos to the Apache open source community for jumping on this. The problem with the initial patch was reported to the Apache security team on Oct. 6, and fixes were developed and released the following day in Apache HTTP Server 2.4.51.
If you’re running Apache HTTP Server 2.4.49 or Apache 2.4.50, update your servers to Apache HTTP Server 2.4.51 as soon as you can, especially if you’re running CGI scripts. This is an extremely high-risk vulnerability that’s easily exploited for affected organizations, requires no authentication, and has been successfully exploited already.
Mitigation status for CVE-2021-42013
On Oct. 7, the Apache Software Foundation made Apache HTTP Server 2.4.51 available on its website. This new version includes fixes for CVE-2021-42013.
Learn how to predict the next big exploit
Serious vulnerabilities don’t have to score a perfect 100 to pose significant, even potentially catastrophic risk to your enterprise. Take a moment to watch How to Predict the Next Big Exploit, the latest webinar from Kenna Security hosted by Michael Roytman, Kenna’s chief data scientist, and yours truly. In this webinar, we describe what it takes to create your own exploit prediction strategy, and how the dark art of exploit prediction isn’t as unattainable as you might think.
Watch this space for regular Vuln of the Month spotlights, which appear on Exploit Wednesday, the day following Microsoft’s monthly Patch Tuesday patch release. Meanwhile, if you find yourself chasing new and emerging vulns but never quite catching up, learn more about how Kenna Security can help you focus on your highest-risk vulnerabilities, rather than headlines, thanks in part to our vulnerability intelligence powered by machine learning.