Organizations running Apache web servers are urged to implement the latest security update to fix a serious privilege escalation flaw (CVE-2019-0211) that can be triggered via scripts and could allow unprivileged web host users to execute code with root privileges, i.e. allow them to gain complete control of the machine.
Discovered by security researcher Charles Fol and dubbed Carpe Diem, the vulnerability affects only Apache HTTP Server on Unix systems.
“In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard,” the Apache Software Foundation shared.
Fol’s write-up goes into more detail but does not contain PoC exploit code. “The exploit will be disclosed at a later date,” he said, so admins have time to implement the security update (Apache httpd v2.4.39).
Mark Cox, one of the founders of the Apache Software Foundation, singled out the vulnerability in his call for a quick implementation of the update.
“[The flaw] allows anyone you allow to write a script (PHP, CGI,..) to gain root. Get 2.4.39 *now* especially if you have untrusted script authors or run shared hosting (or use mod_auth_digest, due to a separate flaw),” he advised.
“That's one attack yes. It's also common to give unprivileged users the ability to write their own scripts (common in shared hosting, but also other environments) and this would allow them to get root.”
— Mark J Cox (@iamamoose) April 2, 2019
While plugging this hole quickly is a must for web hosting providers, whose servers are usually shared by various users, all Apache admins should implement the update as soon as possible, as CVE-2019-0211 could be exploited in conjunction with other flaws to achieve root access.
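A defender-side check for the version range quoted above, as an added example that is not from the article or the Apache project: it parses `httpd -V` / `apachectl -V` output and reports whether the build falls in 2.4.17 to 2.4.38 with one of the named MPMs. The function name and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article or the Apache project).
# Classifies `httpd -V` / `apachectl -V` output against the range the advisory
# quotes for CVE-2019-0211: 2.4.17 to 2.4.38 with MPM event, worker or prefork.

# Prints one of: in-range | outside-range | unknown
cve_2019_0211_status() {
    out=$1
    # "Server version: Apache/2.4.29 (Ubuntu)" -> 2.4.29
    ver=$(printf '%s\n' "$out" |
        sed -n 's|^Server version: *Apache/\([0-9][0-9.]*\).*|\1|p' | head -n 1)
    # "Server MPM:     event" -> event (the line can be absent)
    mpm=$(printf '%s\n' "$out" |
        sed -n 's|^Server MPM: *\([A-Za-z0-9_]*\).*|\1|p' | head -n 1)

    # Require a three-part numeric version; anything else is not Apache output.
    case $ver in
        [0-9]*.[0-9]*.[0-9]*) ;;
        *) echo unknown; return 0 ;;
    esac
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}; patch=${patch%%.*}

    # Only the 2.4 branch, patch levels 17 through 38, is in the quoted range.
    if [ "$major" -ne 2 ] || [ "$minor" -ne 4 ] ||
       [ "$patch" -lt 17 ] || [ "$patch" -gt 38 ]; then
        echo outside-range; return 0
    fi
    # The advisory names three MPMs; a missing MPM line is treated as in range.
    case $mpm in
        event|worker|prefork|'') echo in-range ;;
        *) echo outside-range ;;
    esac
}

# Constructed sample output, embedded so the example runs offline.
SAMPLE='Server version: Apache/2.4.29 (Ubuntu)
Server built:   2018-10-10T18:59:25
Server MPM:     event
  threaded:     yes (fixed thread count)'

echo "sample: $(cve_2019_0211_status "$SAMPLE")"
# On a real host: cve_2019_0211_status "$(apachectl -V 2>/dev/null)"
```

Distribution packages often carry backported fixes without changing the upstream version string, so an in-range result on a distro build should be confirmed against the vendor's own advisory for CVE-2019-0211.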