Emerging Threathightest

CVE-2021-41773 Exploitation Attempt

Detects exploitation of flaw in path normalization in Apache HTTP server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

daffainfo, Florian Roth (Nextron Systems)Created Tue Oct 05Updated Mon Jan 023007fec6-e761-4319-91af-e32e20ac43f52021

Emerging Threat

Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source

Web Server Log

CategoryWeb Server Log← raw: webserver

HTTP access logs from web servers capturing request paths, methods, and status codes.

Detection Logic

detection:
    selection:
        cs-uri-query|contains:
            - '/cgi-bin/.%2e/'
            - '/icons/.%2e/'
            - '/cgi-bin/.%%32%65/'
            - '/icons/.%%32%65/'
            - '/cgi-bin/.%%%25%33'
            - '/icons/.%%%25%33'
        sc-status:
            - 200
            - 301
    condition: selection