Trending CVEs for the Week of April 8th, 2019
- Apr 10, 2019
- Shawn Evans
This week’s trending vulnerability is CVE-2019-0211, a local privilege escalation vulnerability in Apache HTTP Server. Apache is one of the most popular web servers and touts being the world’s largest open source foundation. The vulnerability was made public by Apache on April 1st, when it was patched in Apache httpd 2.4.39.
The vulnerability allows users with the right to write and run scripts to gain root on Unix systems. It affects all Apache HTTP Server releases from 2.4.17 (October, 2015) to 2.4.38 (April, 2019) and makes it possible to execute arbitrary code via scoreboard manipulation. The vulnerability is triggered when Apache gracefully restarts. In standard Linux configurations, this happens once a day. The issue was discovered by Charles Fol, a security engineer at Ambionics, who also provided a detailed description of the bug and how it could be exploited. He named the vulnerability Carpe Diem with the following explanation: CARPE stands for CVE-2019-0211 Apache Root Privilege Escalation, DIEM since the exploit triggers once a day.
According to Fol’s post, the vulnerability may be summarized as follows:
The vulnerability affects Apache web server releases for Unix systems only.
Apache HTTP Server versions 2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.30, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18, and 2.4.17 are vulnerable.
While exploiting this vulnerability requires having local access, the vulnerability could be especially dangerous when Apache is being run in shared hosting environments, and if some of the users with script writing permissions are untrusted. Shared hosting environments are a routine way of packing a large number of separate websites onto one server under a single IP address.
Another scenario in which the flaw could be very serious is when it is used to escalate privileges together with a separate flaw that involves remote code execution (RCE).
Proof of Concept exploit code due to the researcher who discovered the flaw is available in GitHub.
Share your thoughts in our community!