Trend Micro : Recent Cyberattacks Target Open-source Web Servers

_{Source: Apache HTTP Server Project}

Weaponized vulnerabilities lead to great risk

Not only has the number of total Apache HTTP Server vulnerabilities gone up, but so has the number of weaponized vulnerabilities.

Trend Micro detected that at least 15 of the 57 vulnerabilities found in the past five years were weaponized and used in malicious activities. The most common types of attack include denial of service (DoS), path traversal, server-side request forgery (SSRF), and remote code execution (RCE). Multiple vulnerabilities found in 2021 are proven to have been actively exploited.

Table 1: The 15 vulnerabilities weaponized since 2017

CVE ID	cvss3 score	Description
CVE-2021-42013	9.8	Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)
CVE-2021-41773	7.5	Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49
CVE-2021-40438	9	mod_proxy SSRF
CVE-2020-11984	9.8	mod_proxy_uwsgi buffer overflow
CVE-2019-10098	6.1	mod_rewrite potential open redirect
CVE-2019-10097	7.2	CVE-2019-10097 mod_remoteip Stack buffer overflow and NULL pointer dereference
CVE-2019-0190	7.5	mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1
CVE-2018-8011	7.5	mod_md, DoS via Coredumps on specially crafted requests
CVE-2018-1303	7.5	Possible out of bound read in mod_cache_socache
CVE-2018-11763	5.9	DoS for HTTP/2 connections by continuous SETTINGS
CVE-2017-9798	7.5	Use-after-free when using with an unrecognized method in .htaccess ("OptionsBleed")
CVE-2017-9788	9.1	Uninitialized memory reflection in mod_auth_digest
CVE-2017-7668	9.8	ap_find_token() Buffer Overread
CVE-2017-7659	7.5	mod_http2 Null Pointer Dereference
CVE-2017-15715	8.1	bypass with a trailing newline in the file name

_{Source: Apache HTTP Server Project, Trend Micro Inc., NVD}

CVE-2021-41773 and CVE-2021-42013, the two critical vulnerabilities, are perfect examples of how attackers exploit the vulnerabilities in the Apache HTTP Server.

As Trend Micro reported, these two are path traversal vulnerabilities that allow attackers to map URLs to files/directories outside of the webroot. In certain configurations where Common Gateway Interface (CGI) scripts are enabled for these paths, attackers can achieve RCE on the vulnerable server.

Both discovered in early October 2021, CVE-2021-41773 and CVE-2021-42013 were detected with more than four million exploits by the end of 2021.

Another Apache HTTP Server vulnerability, CVE-2021-40438, shows how great the impact can be when the vulnerability gets exploited.

CVE-2021-40438 is a vulnerability existing in the mod_proxy module and prone to SSRF. This flaw allows a remote, unauthenticated attacker to make the httpd server forward requests to an arbitrary server. The attacker could get, modify, or delete resources on other services that may be behind a firewall and inaccessible otherwise. The impact of this flaw varies based on what services and resources are available on the httpd network.

CVE-2021-40438 has a huge impact on products from Cisco, IBM QRadar SIEM, Debian Linux, F5 Os, Red Hat and more. On December 1, 2021, CISA added CVE-2021-40438 to its list of known exploited vulnerabilities.

Schemes behind the attacks

The attacks that target open-source web servers could lead to enormous threats. Once any web server vulnerability gets exploited and hacked, the victim server can be taken over and used for malicious activities.

The most common activities include using victim servers to send out spam mail or launching attacks against other servers at the cost of the victim server's memory and bandwidth. Attackers can also install a phishing website on the victim server to gain access to any data that passes through it.

However, the most popular utility of attacks in recent years is cryptojacking: hackers exploit the vulnerability and secretly use the victim server's computing power to mine popular cryptocurrencies. Trend Micro revealed how cyber actors used the vulnerabilities and abuse of GitHub and Netlify repositories to mine Monero.

For cybercriminals, Apache HTTP Server is always a favorite target: It serves 24.63% of the million busiest websites according to Netcraft stats. Major web service providers such as Slack, Linkedin, The New York Times, GrubHub, and more rely on Apache HTTP Server. For IT professionals, it's challenging to patch such a vital service and not to harm user satisfaction.

Furthermore, the complexity of the software supply chain nowadays exacerbates the abuse of open-source software vulnerabilities. Cyber attackers could compromise software components of third-party suppliers by inserting malicious code inconspicuously. Compared to the traditional supply chain, the software supply chain requires more layers of verification to ensure its security.

Protect your web server against potential harm

To mitigate the potential risk of attacks from open-source software, software composition analysis (SCA) has become an effective approach. SCA identifies and lists all the parts and versions present in the code. It also checks each specific service and looks for outdated or vulnerable libraries that may pose security risks to the application. These tools can also check for legal issues regarding the use of open-source software with different licensing terms and conditions. Trend Micro published a whitepaper on how to prevent supply chain attacks in the age of cloud computing in 2020 October.

Developing a risk-based approach to patch management can help organizations identify and prioritize which vulnerabilities they need to deal with now. This approach consists of:

1. Continuously conducting exposure assessments to determine what CVEs - past and present - are in your environment at all times.
2. Assessing the criticality of those systems that contain those CVEs.
3. Conducting a continuous but simple risk assessment:
   1. Assessing the likelihood that those identified CVEs are or will be exploited in the wild against the impact of those CVEs used in an attack.
      i. Is a POC available
      ii. Is it in the wild

If you struggle with patch management, you may look at virtual patching or IPS technology to help as these can be deployed to detect/block exploits of a vulnerability and allow you time to properly patch the vulnerability with the vendor's patch. Trend Micro's Zero Day Initiative bug bounty program and our vulnerability research teams help us identify new vulnerabilities and develop virtual patches for our Cloud One, TippingPoint, Apex One, and Worry Free Services customers. In some cases, we have virtual patches out months ahead of the vendor patch.

Malicious actors will continue to exploit vulnerable applications, operating systems, and devices in their efforts to attack organizations. Improving your understanding of key applications like Apache can help you better understand where you can minimize your risk of attack.