Apache Bug Lets Normal Users Gain Root Access Via Scripts

A privilege escalation vulnerability of important severity in the Apache HTTP server allowing users with the right to write and run scripts to gain root on Unix systems was fixed in Apache httpd 2.4.39.

As detailed in the changelog, the flaw, tracked as CVE-2019-0211, impacts all Apache HTTP Server releases from 2.4.17 to 2.4.38 and makes it possible to execute arbitrary code via scoreboard manipulation.

In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard. Non-Unix systems are not affected.

Mark J. Cox, a founding member of the Apache Software Foundation and the OpenSSL project, explained in a Twitter post that the CVE-2019-0211 security issue patched in httpd 2.4.39 is particularly serious when the web server is used for running shared hosting instances and some of the users with script writing permissions are untrusted.

Especially dangerous in shared hosting environments

Also, as Cox further detailed, users with limited permissions on the server would be able to elevate their privileges using scripts, making it possible to run commands on vulnerable Apache web servers as root.

Two other important severity access control bypass security flaws were fixed in the Apache HTTP Server 2.4.39 release, with the one tracked as CVE-2019-0217 impacting all httpd releases from 2.4.0 to 2.4.38 and enabling users "with valid credentials to authenticate using another username, bypassing configured access control restrictions" because of "a race condition in mod_auth_digest when running in a threaded server."

The one tracked as CVE-2019-0215 affects Apache 2.4.37 and 2.4.38 installations, and it allows a "client supporting Post-Handshake Authentication to bypass configured access control restrictions" due to "a bug in mod_ssl when using per-location client certificate verification with TLSv1.3."

Apache httpd 2.4.39 also patched three low severity vulnerabilities that could lead to crashes, read-after-free, and normalization inconsistency issues.

CVE Description
CVE-2019-0217 important: mod_auth_digest access control bypass
CVE-2019-0215 important: mod_ssl access control bypass
CVE-2019-0197 low: mod_http2, possible crash on late upgrade
CVE-2019-0196 low: mod_http2, read-after-free on a string compare
CVE-2019-0220 low: Apache httpd URL normalization inconsistency
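
The version ranges and MPM conditions quoted above can be turned into a triage check over `httpd -V` output. This is an added example, not code from the article or the Apache project; the function names, the constructed sample outputs and the treatment of prefork as the only non-threaded MPM are assumptions.

```python
import re

# 2.4.x patch-level ranges (inclusive) and MPM conditions, as stated in the article.
# Assumption: prefork is the only non-threaded MPM that will be encountered.
RULES = {
    "CVE-2019-0211": ((17, 38), lambda m: m in {"event", "worker", "prefork"}),
    "CVE-2019-0217": ((0, 38), lambda m: m != "prefork"),  # "threaded server"
    "CVE-2019-0215": ((37, 38), lambda m: True),  # no MPM condition given
}

def parse_httpd_info(text):
    """Extract ((major, minor, patch), mpm) from `httpd -V` output."""
    ver = re.search(r"^Server version:\s*Apache/(\d+)\.(\d+)\.(\d+)", text, re.M)
    if not ver:
        raise ValueError("no 'Server version: Apache/x.y.z' line found")
    mpm = re.search(r"^Server MPM:\s*(\S+)", text, re.M)
    return tuple(map(int, ver.groups())), (mpm.group(1).lower() if mpm else None)

def candidate_cves(text):
    """Return the CVEs whose version range and MPM condition match this build.

    A match means "review this host", not "confirmed vulnerable": distribution
    packages often backport fixes without changing the upstream version, and
    -0217 / -0215 also depend on how mod_auth_digest / mod_ssl are configured.
    """
    (major, minor, patch), mpm = parse_httpd_info(text)
    if (major, minor) != (2, 4):
        return []
    hits = []
    for cve, ((low, high), mpm_matches) in RULES.items():
        # A missing "Server MPM" line is treated as a possible match.
        if low <= patch <= high and (mpm is None or mpm_matches(mpm)):
            hits.append(cve)
    return hits

# Constructed sample outputs, not captured from real hosts.
SAMPLE_EVENT_2438 = "Server version: Apache/2.4.38 (Unix)\nServer MPM:     event\n"
SAMPLE_PREFORK_2425 = "Server version: Apache/2.4.25 (Debian)\nServer MPM:     prefork\n"
SAMPLE_WINNT_2438 = "Server version: Apache/2.4.38 (Win64)\nServer MPM:     WinNT\n"
SAMPLE_PATCHED = "Server version: Apache/2.4.39 (Unix)\nServer MPM:     worker\n"

if __name__ == "__main__":
    for sample in (SAMPLE_EVENT_2438, SAMPLE_PREFORK_2425, SAMPLE_WINNT_2438, SAMPLE_PATCHED):
        print(parse_httpd_info(sample), candidate_cves(sample))
```
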

The vulnerability was reported by security engineer Charles Fol on February 22, with a response and a patch being provided by Apache on March 7.

Fol also provides an in-depth description of the CVE-2019-0211 local root privilege escalation vulnerability together with a detailed explanation on how this flaw could be exploited on his personal blog.


Update April 03 10:34 EDT: Added a link to the in-depth description of the CVE-2019-0211 Apache Root Privilege Escalation vulnerability provided by Charles Fol, the security engineer who reported the flaw to Apache. 
