Markwd 1 Posted September 28, 2022

Hello,

Just a quick (global) question: We have a webserver containing an instance of Apache Tomcat version 9 (not fully up-to-date). The server also has ESET Server Security version 9 on it. Once in a while ESET Server Security detects an attempt to exploit HTTP/Exploit.CVE-2021-41773 on the Tomcat.exe process. The exploit is bound to a vulnerability in Apache HTTPD instead of Tomcat. Would that be an attempt of the attacker to try if the webserver accidentally has a vulnerable httpd version on it, which is triggering ESET to detect the exploit attempt? Could it be a FP, because Tomcat.exe is not vulnerable to this exploit, or could something else be the reason ESS is triggered?

Thanks!
Solution Nevermind 8 Posted September 30, 2022

Hey Markwd, that's a network detection only (i.e. it's neither a file nor memory detection). The way I see it someone tries whether your server is vulnerable to this exploit. If you have logging enabled you can check if there are any requests similar to this: hxxp://<your_server>/cgi-bin/.%2e/%2e%2e/%2e%2e.... (src: https://github.com/thehackersbrain/CVE-2021-41773/blob/main/exploit.py)

ESET doesn't check whether you are actually running a vulnerable software or not. It sees an exploit attempt -> it displays a detection window.
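As an added defender-side example (not code from the thread, from ESET or from the linked repository), the script below does the log check the reply suggests: it reads Common Log Format access-log lines, percent-decodes each request path (twice, to catch double encoding) and flags requests whose decoded path contains a ".." segment that was hidden by encoding. The log lines are constructed for the example; the IPs and timestamps are placeholders.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Common Log Format; lines 1 and 3 mimic the
# encoded-dot traversal pattern quoted in the reply, the others are benign.
SAMPLE_LOG = """\
203.0.113.5 - - [28/Sep/2022:10:15:02 +0200] "GET /cgi-bin/.%2e/%2e%2e/%2e%2e/ HTTP/1.1" 404 196
198.51.100.7 - - [28/Sep/2022:10:15:09 +0200] "GET /index.html HTTP/1.1" 200 1043
203.0.113.5 - - [28/Sep/2022:10:15:11 +0200] "GET /cgi-bin/%252e%252e/%252e%252e/ HTTP/1.1" 404 196
198.51.100.7 - - [28/Sep/2022:10:16:20 +0200] "GET /docs/intro..html HTTP/1.1" 200 2210
"""

# client-ip ident user [timestamp] "METHOD path PROTOCOL" ...
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')


def decode_path(raw_path, rounds=2):
    """Percent-decode the path up to `rounds` times so double-encoded dots
    (%252e -> %2e -> .) are normalised as well; the query string is dropped."""
    path = raw_path.split("?", 1)[0]
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_encoded_traversal(raw_path):
    """True when the decoded path has a '..' segment that was percent-encoded,
    i.e. the server's normaliser saw something other than a literal '..'."""
    decoded = decode_path(raw_path)
    has_dotdot = any(seg == ".." for seg in decoded.split("/"))
    return has_dotdot and decoded != raw_path.split("?", 1)[0]


def scan_log(text):
    """Return one finding per log line carrying an encoded traversal attempt."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we can parse
        ip, ts, method, raw_path = m.groups()
        if is_encoded_traversal(raw_path):
            findings.append({"ip": ip, "time": ts, "method": method,
                             "raw": raw_path, "decoded": decode_path(raw_path)})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['method']} {f['raw']} -> {f['decoded']}")
```

A hit here means a scan for the httpd bug reached the server, which is what the ESET network detection reports; it does not by itself mean Tomcat was affected, so the response status and the server software in place decide the actual risk.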