Trending CVEs for the Week of April 8th, 2019
CVE-2019-0211 – Carpe Diem – Apache Local Privilege Escalation Vulnerability
This week’s trending vulnerability is CVE-2019-0211, a local privilege escalation vulnerability in Apache HTTP Server. Apache HTTP Server is one of the most popular web servers, and the Apache foundation touts being the world’s largest open source foundation. The vulnerability was made public by Apache on April 1st, when it was patched in Apache httpd 2.4.39.
The vulnerability allows users with the right to write and run scripts to gain root on Unix systems. It affects all Apache HTTP Server releases from 2.4.17 (October 2015) to 2.4.38 (April 2019) and makes it possible to execute arbitrary code via scoreboard manipulation. The vulnerability is triggered when Apache gracefully restarts; in standard Linux configurations, this happens once a day. The issue was discovered by Charles Fol, a security engineer at Ambionics, who also provided a detailed description of the bug and how it could be exploited. He named the vulnerability Carpe Diem with the following explanation: CARPE stands for CVE-2019-0211 Apache Root Privilege Escalation, DIEM because the exploit triggers once a day.
According to Fol’s post, the vulnerability may be summarized as follows:
- In MPM prefork, the main server process, running as root, manages a pool of single-threaded, low-privilege worker processes meant to handle HTTP requests. Apache maintains a shared-memory area, the scoreboard, which contains various information such as the workers’ PIDs and the last request they handled. Each worker has full read/write access to this shared-memory area.
- In standard Linux configurations, Apache gracefully restarts once a day, at 6:25 AM, in order to reset log file handles. When this happens, the main process kills the old workers and replaces them with new ones. At this point, each old worker’s bucket value is used by the main process to index an array of buckets.
- No bounds check is performed. Therefore, a rogue worker can change its bucket index and make it point into the shared memory. Eventually, this can result in an arbitrary function call as root.
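The defect class in the last step, an index read from worker-writable shared memory and used by the root parent without a range check, is easy to model. The following is an added example, not httpd’s code or Fol’s; all names (`worker_slot`, `bucket_t`, `bucket_fd_checked`) are hypothetical, and it contrasts the unchecked pattern with a bounds-checked one the parent should use.

```c
#include <stdio.h>

/* Constructed model of the bug class: the root parent reads a per-worker
 * "bucket" index from shared memory that any worker can write, then uses
 * it to index an array. Names are hypothetical, not httpd's. */

#define NUM_BUCKETS 4

typedef struct {
    int pid;
    int bucket;     /* worker-writable: the parent must treat it as untrusted */
} worker_slot;

typedef struct {
    int listen_fd;  /* per-bucket resource the parent hands to a respawned worker */
} bucket_t;

static bucket_t buckets[NUM_BUCKETS] = { {10}, {11}, {12}, {13} };

/* Vulnerable pattern: trusts the shared-memory index without a range check,
 * so a rogue value addresses memory outside buckets[]. Shown for contrast;
 * never call it with untrusted input. */
static int bucket_fd_unchecked(const worker_slot *slot) {
    return buckets[slot->bucket].listen_fd;
}

/* Hardened pattern: validate the worker-controlled index against the array
 * bounds before use. Returns -1 and logs when the slot is corrupt. */
static int bucket_fd_checked(const worker_slot *slot) {
    int b = slot->bucket;
    if (b < 0 || b >= NUM_BUCKETS) {
        fprintf(stderr, "slot for pid %d has bad bucket %d, ignoring\n", slot->pid, b);
        return -1;
    }
    return buckets[b].listen_fd;
}

/* Parent-side respawn step: a validated slot is reused; a corrupt slot falls
 * back to bucket 0 so the server keeps serving instead of trusting the value. */
static int respawn_bucket_fd(const worker_slot *slot) {
    int fd = bucket_fd_checked(slot);
    return fd >= 0 ? fd : buckets[0].listen_fd;
}

int main(void) {
    worker_slot good = { 1234, 2 };        /* constructed sample slots */
    worker_slot rogue = { 1235, 100000 };
    printf("good slot -> fd %d\n", respawn_bucket_fd(&good));
    printf("rogue slot -> fd %d\n", respawn_bucket_fd(&rogue));
    return 0;
}
```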
The vulnerability affects Apache web server releases for Unix systems only.
Apache HTTP Server versions 2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.30, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18, and 2.4.17 are vulnerable.
Exploitation and Risk
While exploiting this vulnerability requires having local access, the vulnerability could be especially dangerous when Apache is being run in shared hosting environments, and if some of the users with script writing permissions are untrusted. Shared hosting environments are a routine way of packing a large number of separate websites onto one server under a single IP address.
Another scenario in which the flaw could be very serious is when it is used to escalate privileges together with a separate flaw that involves remote code execution (RCE).
Proof-of-concept exploit code from the researcher who discovered the flaw is available on GitHub.