CVE-2019-0211: Patched Apache HTTP Server Root Privilege Escalation Flaw, A Priority for Web Hosting Providers

A potentially serious escalation of privilege vulnerability (designated as CVE-2019-0211) in the open-source cross-platform web server software Apache has been patched. The flaw allows a “worker” process to change its privileges when the host server resets itself, which can consequently allow anyone with a local account to run commands with root clearance. Essentially, rogue server scripts can execute arbitrary code with root privileges via scoreboard manipulation and allow an attacker to gain complete control of a target machine.

Discovered by researcher Charles Fol from Ambionics, the bug — an elevation of privilege vulnerability — is a local vulnerability that is particularly serious for web servers used in shared hosting environments. The vulnerability is triggered during the restart process, where worker modules are shut down and restarted. That window period allows the elevation of privilege to take place.

Given that HTTP servers are used for web hosting, multiple users can have guest accounts on each machine. This means that an attacker can either sign up for an account to have a site hosted on a target server or compromise existing accounts. Successfully exploiting the vulnerability would provide an attacker with full access to a server, as if one’s a web host. This includes the ability to read, write, or delete any file or database of other clients. Interestingly, non-shared Apache servers can also be affected, since an attacker uploading a CGI script would gain automatic root access, as a result of CVE-2019-0211.

Addressing CVE-2019-0211 for server infrastructure security

According to Fol, tests yielded an 80% success rate, which could even be hiked up to 100% if worker processes are raised and attacks are retried whenever restart process runs. The researcher has already disclosed the PoC exploit code, so admins should prioritize implementing the security update now.

This vulnerability affects Apache web server releases for Unix systems, from version 2.4.17 (Oct. 9, 2015) to version 2.4.38 (Apr. 1, 2019). System administrators can patch the flaw by updating their servers to Apache httpd version 2.4.39. Developers, programmers, and system admins that use Apache should also employ the principle of least privilege to prevent threats that may exploit related vulnerabilities.

Updated as of April 12, 2019 01:29 PDT to include detail about the PoC exploit release.