Trend Micro: Recent Cyberattacks Target Open Source Web Servers

Source: Apache HTTP Server Project
Weaponized vulnerabilities lead to great risks
Not only has the total number of Apache HTTP Server vulnerabilities increased, but the number of weaponized vulnerabilities has also increased.
Trend Micro has detected that at least 15 of the 57 vulnerabilities discovered over the past five years were weaponized and used in malicious activity. The most common types of attacks include denial of service (DoS), path traversal, server-side request forgery (SSRF), and remote code execution (RCE). There is evidence that several vulnerabilities discovered in 2021 have been actively exploited.
Table 1: The 15 vulnerabilities weaponized since 2017

| CVE ID | CVSS v3 score | Description |
|---|---|---|
| CVE-2021-42013 | 9.8 | Path traversal and remote code execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) |
| CVE-2021-41773 | 7.5 | Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49 |
| CVE-2021-40438 | 9 | SSRF in mod_proxy |
| CVE-2020-11984 | 9.8 | mod_proxy_uwsgi buffer overflow |
| CVE-2019-10098 | 6.1 | mod_rewrite potential open redirect |
| CVE-2019-10097 | 7.2 | mod_remoteip stack buffer overflow and NULL pointer dereference |
| CVE-2019-0190 | 7.5 | mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1 |
| CVE-2018-8011 | 7.5 | mod_md, DoS via coredumps on specially crafted requests |
| CVE-2018-1303 | 7.5 | Possible out-of-bounds read in mod_cache_socache |
| CVE-2018-11763 | 5.9 | DoS for HTTP/2 connections by continuous SETTINGS |
| CVE-2017-9798 | 7.5 | Use-after-free when using |
| CVE-2017-9788 | 9.1 | Uninitialized memory reflection in mod_auth_digest |
| CVE-2017-7668 | 9.8 | ap_find_token() buffer overread |
| CVE-2017-7659 | 7.5 | mod_http2 NULL pointer dereference |
| CVE-2017-15715 | 8.1 | |
Source: Apache HTTP Server Project, Trend Micro Inc., NVD
CVE-2021-41773 and CVE-2021-42013, both critical vulnerabilities, are prime examples of how attackers exploit Apache HTTP Server vulnerabilities.
As Trend Micro reported, both of these vulnerabilities are path traversal vulnerabilities that allow attackers to map URLs to files/directories outside of the web root. In some configurations where Common Gateway Interface (CGI) scripts are enabled for these paths, attackers can reach RCE on the vulnerable server.
Both disclosed at the beginning of October 2021, CVE-2021-41773 and CVE-2021-42013 had been targeted by over four million exploitation attempts by the end of 2021.
Another Apache HTTP Server vulnerability, CVE-2021-40438, shows how big the impact can be when a vulnerability is exploited.
CVE-2021-40438 is an SSRF vulnerability in the mod_proxy module. This flaw allows an unauthenticated remote attacker to make the httpd server forward requests to an arbitrary server. The attacker could obtain, modify, or delete resources on other services that might sit behind a firewall and be otherwise inaccessible. The impact of this flaw varies depending on the services and resources reachable from the httpd server's network.
CVE-2021-40438 has a huge impact on products from Cisco, IBM QRadar SIEM, Debian Linux, F5 OS, Red Hat and more. On December 1, 2021, CISA added CVE-2021-40438 to its list of known exploited vulnerabilities.
The schemes behind the attacks
Attacks that target open source web servers can lead to huge threats. Once a web server vulnerability is exploited, the victim server can be taken over and used for malicious activity.
Common activities include using victim servers to send spam or to launch attacks against other servers at the expense of the victim server's memory and bandwidth. Attackers can also install a phishing website on the victim server to gain access to all data passing through it.
However, the most common purpose of these attacks in recent years is cryptojacking: attackers exploit the vulnerability and covertly use the computing power of the victim server to mine popular cryptocurrencies. Trend Micro revealed how threat actors used vulnerabilities and abused GitHub and Netlify repositories to mine Monero.
For cybercriminals, Apache HTTP Server is always a favorite target: it serves 24.63% of the million most visited websites according to Netcraft statistics. Major web services such as Slack, LinkedIn, The New York Times, GrubHub and many more rely on Apache HTTP Server. For IT professionals, it's hard to patch such a vital service without hurting user satisfaction.
Additionally, the complexity of the software supply chain exacerbates the abuse of open source software vulnerabilities today. Cyber attackers could compromise software components from third-party vendors by stealthily inserting malicious code. Compared to the traditional supply chain, the software supply chain requires more levels of verification to ensure its security.
Protect your web server from potential damage
To mitigate the potential risk of open source software attacks, software composition analysis (SCA) has become an effective approach. SCA identifies and lists all components and versions present in the code. It also checks each component and looks for outdated or vulnerable libraries that may pose security risks to the application. These tools can also check for legal issues related to using open source software with different license terms and conditions. Trend Micro released a white paper on how to prevent supply chain attacks in the age of cloud computing in October 2020.
Developing a risk-based approach to patch management helps organizations identify and prioritize the vulnerabilities they need to address now. This approach consists of:
- Continuously conduct exposure assessments to determine which CVEs, past and present, are in your environment at all times.
- Assess the criticality of the systems that contain those CVEs.
- Conduct a continuous but simple risk assessment:
  - Weigh the likelihood that the identified CVEs are or will be exploited in the wild against the impact of those CVEs being used in an attack.
    i. Is a PoC available?
    ii. Is it being exploited in the wild?
- If you are having difficulty with patch management, virtual patching or IPS technology can help, as they can be deployed to detect/block exploits of a vulnerability and give you time to patch the vulnerability properly with the vendor's patch. Trend Micro's Zero Day Initiative bug bounty program and our vulnerability research teams help us identify new vulnerabilities and develop virtual patches for our Cloud One, TippingPoint, Apex One, and Worry-Free Services customers. In some cases, we have virtual patches months before the vendor patch.
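The steps above, carried through as an added example (not Trend Micro's or the Apache project's code): it maps an httpd host inventory to CVE exposures using only the affected versions the article states for the two 2021 path traversal CVEs, then ranks each exposure by exploitation likelihood times impact. The hosts, the 1..5 criticality scale and the PoC/in-the-wild flags are constructed sample data.

```python
"""Risk-based patch prioritization for Apache httpd exposures (added example)."""
from dataclasses import dataclass

# Step 1 input: affected httpd versions per CVE, as stated in the article's table.
AFFECTED = {
    "CVE-2021-41773": {"2.4.49"},
    "CVE-2021-42013": {"2.4.49", "2.4.50"},
}
# Step 3 input per CVE: (CVSS v3 from the table, PoC available?, exploited in the wild?).
# The two boolean flags are assumed for illustration.
INTEL = {
    "CVE-2021-41773": (7.5, True, True),
    "CVE-2021-42013": (9.8, True, True),
}

@dataclass(frozen=True)
class Exposure:
    cve: str
    host: str
    criticality: int  # assumed scale: 1 (lab box) .. 5 (revenue-critical)

def assess_exposure(inventory: dict) -> list:
    """Step 1: map {host: (httpd_version, criticality)} to per-host CVE exposures."""
    return [Exposure(cve, host, crit)
            for host, (ver, crit) in inventory.items()
            for cve, versions in AFFECTED.items() if ver in versions]

def likelihood(cve: str) -> float:
    """Step 3 survey: 1.0 if exploited in the wild, 0.6 if only a PoC exists, else 0.2."""
    _, poc, wild = INTEL[cve]
    return 1.0 if wild else 0.6 if poc else 0.2

def priority_score(e: Exposure) -> float:
    """Likelihood x impact; impact blends CVSS (0..10) with the step 2 asset criticality."""
    cvss = INTEL[e.cve][0]
    return round(likelihood(e.cve) * (cvss / 10.0) * e.criticality, 3)

def rank(inventory: dict) -> list:
    """Highest priority first; ties broken by CVE id and host for stable output."""
    return sorted(assess_exposure(inventory),
                  key=lambda e: (-priority_score(e), e.cve, e.host))

# Constructed sample inventory: host -> (httpd version, criticality).
SAMPLE = {"web-01": ("2.4.50", 5), "lab-09": ("2.4.49", 1), "web-02": ("2.4.51", 4)}

if __name__ == "__main__":
    for e in rank(SAMPLE):
        print(f"{priority_score(e):5.2f}  {e.cve:15}  {e.host}")
```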
Malicious actors will continue to exploit vulnerable apps, operating systems, and devices in their efforts to attack organizations. Improving your understanding of key applications like Apache can help you better understand where you can minimize your risk of attack.