The Apache HTTP Server is one of the most widely used open-source web servers in the world, powering roughly 40 percent of all websites on the Internet.
The vulnerability, identified as CVE-2019-0211, was discovered by Charles Fol, a security engineer at Ambionics Security firm, and patched by the Apache developers in the latest version 2.4.39 of its software released today.
The flaw affects Apache HTTP Server versions 2.4.17 through 2.4.38 and could allow anyone able to run code inside one of Apache's less-privileged worker processes (for example through a PHP or CGI script) to execute arbitrary code with root privileges on the targeted server.
"In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard. Non-Unix systems are not affected," the advisory says.
Though the researcher has not yet released working proof-of-concept (PoC) exploit code for this flaw, Fol today published a blog post explaining how an attacker can exploit it in four steps:
- Obtain R/W access on a worker process,
- Write a fake prefork_child_bucket structure in the SHM,
- Make all_buckets[bucket] point to the structure,
- Await 6:25AM to get an arbitrary function call.
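The last step refers to the daily graceful restart that logrotate triggers on Debian-based systems, the moment at which the root parent process consumes the child-controlled scoreboard data. Before worrying about any of those steps, the first practical check on a host is whether its httpd build is in the affected range at all and which MPM it runs, since the advisory limits the bug to the Unix MPMs (event, worker, prefork). The script below is an added example, not part of the article, the advisory or Fol's post; it assumes the standard `httpd -V` / `apachectl -V` output format ("Server version: Apache/x.y.z", "Server MPM: name") and uses constructed sample transcripts so it runs offline.

```shell
#!/bin/sh
# Added example: classify an httpd build against the CVE-2019-0211 affected
# range (2.4.17 .. 2.4.38 inclusive, Unix MPMs only). Not project code.

# Numeric comparison of dotted versions a.b.c vs x.y.z; prints -1, 0 or 1.
# Missing trailing components are treated as 0 (2.4 == 2.4.0).
version_cmp() {
    v1=$1; v2=$2
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        p1=${v1%%.*}; [ "$p1" = "$v1" ] && v1= || v1=${v1#*.}
        p2=${v2%%.*}; [ "$p2" = "$v2" ] && v2= || v2=${v2#*.}
        p1=${p1:-0}; p2=${p2:-0}
        if [ "$p1" -lt "$p2" ]; then printf '%s\n' -1; return; fi
        if [ "$p1" -gt "$p2" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# Returns 0 (true) when the version lies in 2.4.17 .. 2.4.38 inclusive.
is_affected_version() {
    [ "$(version_cmp "$1" 2.4.17)" -ge 0 ] && [ "$(version_cmp "$1" 2.4.38)" -le 0 ]
}

# Reads `httpd -V` / `apachectl -V` output on stdin, prints a verdict line and
# returns 0 if the build is affected by CVE-2019-0211, 1 otherwise.
assess_httpd_v() {
    out=$(cat)
    # "Server version: Apache/2.4.38 (Debian)"  ->  2.4.38
    ver=$(printf '%s\n' "$out" | sed -n 's|^Server version: Apache/\([0-9][0-9.]*\).*|\1|p')
    # "Server MPM:     event"  ->  event   (lower-cased so WinNT matches winnt)
    mpm=$(printf '%s\n' "$out" | sed -n 's|^Server MPM:[[:space:]]*\([A-Za-z]*\).*|\1|p' | tr 'A-Z' 'a-z')
    case "$mpm" in
        event|worker|prefork) unix_mpm=1 ;;   # the MPMs named in the advisory
        *)                    unix_mpm=0 ;;   # winnt etc.: advisory says not affected
    esac
    if [ -n "$ver" ] && is_affected_version "$ver" && [ "$unix_mpm" = 1 ]; then
        printf 'affected: Apache/%s with MPM %s (CVE-2019-0211)\n' "$ver" "$mpm"
        return 0
    fi
    printf 'not-affected: Apache/%s with MPM %s\n' "${ver:-unknown}" "${mpm:-unknown}"
    return 1
}

# Constructed sample transcripts (not real captures) so the checker runs offline.
# On a live host pipe the real command instead:  apachectl -V 2>/dev/null | assess_httpd_v
SAMPLE_AFFECTED='Server version: Apache/2.4.38 (Debian)
Server built:   2019-01-22T14:42:55
Server MPM:     event
  threaded:     yes (fixed thread count)'

SAMPLE_WINNT='Server version: Apache/2.4.38 (Win64)
Server MPM:     WinNT'

SAMPLE_FIXED='Server version: Apache/2.4.39 (Unix)
Server MPM:     prefork'

printf '%s\n' "$SAMPLE_AFFECTED" | assess_httpd_v || true
printf '%s\n' "$SAMPLE_WINNT"    | assess_httpd_v || true
printf '%s\n' "$SAMPLE_FIXED"    | assess_httpd_v || true
```

Distribution builds that backport the fix without bumping the upstream version (for example a Debian security update to 2.4.38-x) will still be reported as affected by a version-only check, so treat the verdict as a prompt to confirm against the package changelog, not as proof of exploitability.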
According to Cox, the vulnerability is most concerning for shared web hosting services, where a malicious customer, or an attacker with the ability to execute PHP or CGI scripts on one website, can use the flaw to gain root access on the server and thereby compromise every other website hosted on it.
Besides this, Apache httpd 2.4.39 also patches two other important-severity issues and three low-severity ones.
The second important flaw (CVE-2019-0217), a race condition in mod_auth_digest when running in a threaded server, could allow "a user with valid credentials to authenticate using another username, bypassing configured access control restrictions."
The third (CVE-2019-0215) is a mod_ssl access control bypass: "a bug in mod_ssl when using per-location client certificate verification with TLSv1.3 allowed a client supporting Post-Handshake Authentication to bypass configured access control restrictions."
We have seen how previous disclosures of severe flaws in web application frameworks have resulted in PoC exploits being published within a day and exploitation in the wild, putting critical infrastructure as well as customers' data at risk.
Therefore, web hosting services, organizations managing their own servers and website administrators are strongly advised to upgrade their Apache HTTP Server instances to 2.4.39 as soon as possible.