Bitsight Apache Risk Analysis Highlights Need To Address CISA “Known Vulnerabilities”

Today, the Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities, to drive urgent and prioritized remediation of vulnerabilities that are being actively exploited by adversaries. 

This directive includes an update to CISA's catalog of “known exploited vulnerabilities,” part of an ongoing effort encourage organizations to reduce risk within their attack surface. Bitsight is proud to partner with CISA on these critical efforts.

In the past few weeks, Bitsight has conducted research on two of the vulnerabilities in the CISA list: CVE-2021-41773 and CVE-2021-42013. These vulnerabilities were introduced via a recent Apache Server update and highlight the importance of an effective software update and patch management strategy as well as the need for third-party risk management.

What happened, exactly?

In September, the Apache HTTP Server Project released Apache HTTP Server version 2.4.49, which included a number of security improvements, feature updates, and bug fixes. However, the update also inadvertently introduced a critical path traversal vulnerability.

Tracked as CVE-2021-41773, the vulnerability is the result of a bug in how Apache Server converts between different URL path schemes known as URL Normalization. CVE-2021-41773 makes it possible for threat actors to download files directly from the server and, under certain conditions, execute remote commands. 

Apache issued a fix for CVE-2021-41773 in early October (Apache HTTP Server 2.4.50). However, it was found to be insufficient, because an attacker could perform the same attack using a different path encoding that was not foreseen in the mitigation of the first CVE. This vulnerability is being tracked as CVE-2021-42013. Apache has since issued a fix for this vulnerability (Apache HTTP Server 2.4.51).

What Bitsight Observes

After performing a high confidence check, Bitsight is able to confirm a small presence of both CVE-2021-41773 and CVE-2021-42013 affecting unique mapped entities. The highest number of vulnerable entities were in the Education, Media/Entertainment, and Technology sectors. However, we found vulnerabilities across all observed sectors. 

The data presented above is based on a confirmation of the vulnerability, not simply based on the advertised version banner from the Web server. If we look more broadly for Apache servers that advertise their version (and are running versions 2.4.49 and 2.4.50), the total number of potentially vulnerable systems at the time of writing is approximately 41,000. 

However, this does not account for servers that hide their version banner, as well as other applications and services built on top of Apache. Our high confidence check is accomplished by using the vulnerability to attempt to read a known existing file on the public Web tree.

Due to the multitude of ways that this vulnerability can present itself (and the configuration of each Web server), this data should be considered a floor on the total number of vulnerable systems on the Internet.

What you should do

There are three immediate steps that security and risk professionals should take to address the Apache vulnerability.

First, if you are an Apache Server user, remediate the vulnerability on your servers by installing Apache HTTP Server 2.4.51. Second, assess third-party risk associated with this vulnerability using a tool such as Bitsight for Third-Party Risk Management to identify the presence of the vulnerability within your third party business partners and supply chain. Finally, engage third parties in conversation about addressing the Apache vulnerability on their servers. Third-party risk assessment tools like Bitsight’s can help facilitate these conversations.

Security and risk professionals should also consider the following programmatic changes to reduce the likelihood of a future incident:

• As attack surfaces continue to expand (e.g., remote, mobile, IoT), visibility into your organization’s risk, as well as third-party risk, is critical. Deploying tools that offer this level of visibility and deliver actionable insight can guide your risk reduction efforts.
   
• Implementing an effective strategy for software updates and patching is essential. Updating systems to reflect the latest release may introduce new risk into your environment. Many organizations choose to wait 30-60 days to deploy updates to avoid introducing bugs associated with new software releases. 
   
• Deploying a patch management tool or backup solution that enables you to easily revert to a point in time before a software update can also be beneficial. This ensures that you can quickly restore normal operations if an update or patch creates an issue in your environment. 
   
• Establishing a test environment may help you identify issues before they go into production.

Andrew Burton, Luis Grangeia, and Maham Haroon (a-z) contributed to this article.