by John E Dunn
The maintainers of one of the world’s most popular web servers, Apache HTTP Server, have patched a critical vulnerability that could give an attacker a way to gain full ‘root’ admin control on Unix-based systems.
The researcher who discovered it, Ambionics engineer Charles Fol, named it ‘Carpe Diem’. Techies might prefer to first read his account of what is now identified as CVE-2019-0211 rather than the notification on the Apache Software Foundation’s official site, which is light on detail.
Assigned a CVSS vulnerability score of 8.8, the flaw affects Apache HTTP Server (‘Apache’ to its friends) versions 2.4.17 (9 October 2015) to 2.4.38 (1 April 2019), the official notification states:
With MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard.
Windows servers aren’t affected but a large number of mainly recent Linux distributions are caught up in the alert.
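A triage check for the conditions the notification lists, added here as an example (it is not code from the article or from the Apache project): it parses collected `httpd -V` output, using the `Server version:` and `Server MPM:` lines, and flags hosts in the 2.4.17 to 2.4.38 range running event, worker or prefork. The hostnames and sample outputs are constructed, and the status names are this example's own.

```python
import re

# Version range and MPMs as given in the advisory text quoted above.
AFFECTED_MIN, AFFECTED_MAX = (2, 4, 17), (2, 4, 38)
AFFECTED_MPMS = {"event", "worker", "prefork"}

VERSION_RE = re.compile(r"^Server version:\s*Apache/(\d+)\.(\d+)\.(\d+)", re.M)
MPM_RE = re.compile(r"^Server MPM:\s*(\S+)", re.M)


def triage(httpd_v_output):
    """Classify one host's `httpd -V` output as (status, detail)."""
    found = VERSION_RE.search(httpd_v_output)
    if not found:
        return ("unknown", "no 'Server version: Apache/x.y.z' line")
    version = tuple(int(part) for part in found.groups())
    text = ".".join(str(part) for part in version)
    if not AFFECTED_MIN <= version <= AFFECTED_MAX:
        return ("not-in-range", f"{text} is outside 2.4.17 to 2.4.38")
    mpm = MPM_RE.search(httpd_v_output)
    if not mpm:
        # Version matches but the MPM is unknown: needs a human look.
        return ("review", f"{text} is in range, MPM not reported")
    name = mpm.group(1).lower()
    if name not in AFFECTED_MPMS:
        return ("not-in-range", f"{text} with MPM {name}, not one the advisory lists")
    # Upstream version only: a distribution package may carry a backported
    # fix under the same number, so confirm against the vendor's advisory.
    return ("in-range", f"{text} with MPM {name}")


# Constructed sample inventory (hostnames and outputs are made up).
SAMPLES = {
    "web-a": "Server version: Apache/2.4.29 (Ubuntu)\nServer MPM:     event\n",
    "web-b": "Server version: Apache/2.4.39 (Unix)\nServer MPM:     prefork\n",
    "web-c": "Server version: Apache/2.4.38 (Win64)\nServer MPM:     WinNT\n",
    "web-d": "Server version: Apache/2.4.17 (Unix)\n",
    "web-e": "nginx version: nginx/1.14.0\n",
}


def report(samples=SAMPLES):
    """Return {host: status} for every collected output."""
    return {host: triage(out)[0] for host, out in samples.items()}


if __name__ == "__main__":
    for host, out in SAMPLES.items():
        print(host, *triage(out))
```

An `in-range` result is a prompt to check the package's patch level, since the upstream version string alone does not show whether a distribution has backported the fix.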
At heart, the flaw is an issue of privilege escalation triggered when Apache executes a graceful restart – jargon for allowing existing server threads to complete what they’re doing on a live website, which might happen once a day. (This also explains the ‘diem’ – day in Latin – part of the nickname Fol gave it.)
Fol discovered that, during a restart, an opportunity arises for a low-privilege process to elevate itself to root via a script, for example via PHP or CGI.
Who is affected?
Doing this requires having local access but that would be the case where Apache is being run in shared hosting environments, a routine way of packing large numbers of separate websites on to one server under a single IP address.
For an attacker, having local access would …