The maintainers of one of the world’s most popular web servers, Apache HTTP Server, have patched a critical vulnerability that could give an attacker a way to gain full ‘root’ admin control on Unix-based systems.
The researcher who discovered it, Ambionics engineer Charles Fol, named it ‘Carpe Diem’, and anyone wanting the technical detail should read his write-up of what is now identified as CVE-2019-0211 rather than the notification on the Apache Software Foundation’s official site, which is light on detail.
The flaw, assigned a CVSS score of 8.8, affects Apache HTTP Server (‘Apache’ to its friends) versions 2.4.17 (9 October 2015) to 2.4.38 (1 April 2019). The official notification states:
With MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard.
Windows servers aren’t affected but a large number of mainly recent Linux distributions are caught up in the alert.
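A quick way to triage a fleet against the version range and platform scope given above is to parse the output of `httpd -v` (or `apachectl -v`). This is an added example written for this article, not code from Apache or from Fol’s write-up; the sample outputs are constructed, and the version strings are the only input it relies on.

```python
import re
from typing import Optional

# Affected range per the advisory quoted above: 2.4.17 up to and including 2.4.38,
# fixed in 2.4.39. Windows builds are not affected.
FIRST_AFFECTED = (2, 4, 17)
FIXED_IN = (2, 4, 39)
VERSION_RE = re.compile(r"Server version:\s*Apache/(\d+)\.(\d+)\.(\d+)\s*\(([^)]*)\)")


def parse_httpd_version(output: str) -> Optional[tuple]:
    """Extract (major, minor, patch, platform) from `httpd -v` / `apachectl -v` output."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    return major, minor, patch, m.group(4)


def is_affected(output: str) -> Optional[bool]:
    """True if the build is in the CVE-2019-0211 range, False if not, None if unparseable.

    Caveat: distributions that backport fixes keep the upstream version string, so
    True means "check the distro changelog", not "confirmed vulnerable".
    """
    parsed = parse_httpd_version(output)
    if parsed is None:
        return None
    version, platform = parsed[:3], parsed[3]
    if platform.lower().startswith("win"):  # advisory scopes the bug to Unix-like builds
        return False
    return FIRST_AFFECTED <= version < FIXED_IN


# Constructed sample outputs (not captured from real servers).
SAMPLES = {
    "Server version: Apache/2.4.38 (Unix)\nServer built:   Jan 31 2019": True,
    "Server version: Apache/2.4.39 (Unix)": False,
    "Server version: Apache/2.4.29 (Ubuntu)": True,
    "Server version: Apache/2.4.38 (Win64)": False,
    "Server version: Apache/2.2.34 (Unix)": False,
    "nginx version: nginx/1.14.0": None,
}

if __name__ == "__main__":
    for out, expected in SAMPLES.items():
        result = is_affected(out)
        print(f"{out.splitlines()[0]:40} -> affected={result}")
        assert result is expected
```

A `True` result on a distribution build such as the Ubuntu 2.4.29 line is a prompt to check the vendor changelog, since backported fixes leave the upstream version number unchanged.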
The vulnerability
At heart, the flaw is a privilege escalation triggered when Apache performs a graceful restart – jargon for a restart that lets existing server processes and threads finish what they are doing on a live website, which might happen once a day. (This also explains the ‘diem’ – day in Latin – part of the nickname Fol gave it.)
Fol discovered that during such a restart a low-privilege process gets an opportunity to elevate itself to root, for example from a PHP or CGI script.
Who is affected?
Doing this requires local access, but that is exactly the situation in shared hosting environments, where Apache is routinely used to pack large numbers of separate websites on to one server under a single IP address.
For an attacker, having local access would simply mean paying a few dollars for a cheap web hosting account (or taking one over).
Anyone in this category should make applying version 2.4.39 an urgent priority. Mark J. Cox of the Apache Software Foundation tweeted:
Flaw in Apache HTTP Server 2.4.17 - 2.4.38 allows anyone you allow to write a script (PHP, CGI,..) to gain root. Get 2.4.39 *now* especially if you have untrusted script authors or run shared hosting (or use mod_auth_digest, due to a separate flaw) https://t.co/s08XhOzKKW
— Mark J Cox (@iamamoose) April 2, 2019
One scenario is that the flaw could be chained with a second flaw, such as a remote code execution (RCE) bug, with CVE-2019-0211 then used to elevate privileges. Cox responded to such a suggestion:
Version 2.4.39 also patches five other less serious flaws: CVE-2019-0217, CVE-2019-0215, CVE-2019-0197, CVE-2019-0196, and CVE-2019-0220.
Naturally, Apache gets the same periodic security patches as any software, including one for the serious Optionsbleed flaw in 2017.
On a related theme in the same year, Equifax made a flaw in Apache Struts (CVE-2017-5638) famous after it was blamed for a huge data breach suffered by the company. The company later admitted it had failed to apply a patch made available months before the attack.