Patched Apache flaw is a serious threat for web hosting providers

Organizations running Apache web servers are urged to implement the latest security update to fix a serious privilege escalation flaw (CVE-2019-0211) that can be triggered via scripts and could allow unprivileged web host users to execute code with root privileges, i.e. allow them to gain complete control of the machine.

Courtesy: Zeljka Zorz

About CVE-2019-0211

Discovered by security researcher Charles Fol and dubbed Carpe Diem, the vulnerability affects only Apache HTTP Server on Unix systems.

“In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard,” the Apache Software Foundation shared.

Fol’s write-up goes into more detail but does not contain PoC exploit code. “The exploit will be disclosed at a later date,” he said, so admins have time to implement the security update (Apache httpd v2.4.39).
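To check a host against the scope given in the advisory quoted above, the following added example (not from the article, the researcher or the Apache project) classifies the text printed by `httpd -V`. The function name `check_cve_2019_0211` and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article). Classifies `httpd -V` output against the
# scope in the ASF advisory quoted above: 2.4.17 to 2.4.38 with MPM event,
# worker or prefork; 2.4.39 carries the fix.
# Exit status: 0 = outside advisory scope, 1 = in scope, 2 = unparsable.
check_cve_2019_0211() {
    input=$(cat)
    # "Server version: Apache/2.4.29 (Ubuntu)" -> 2.4.29
    ver=$(printf '%s\n' "$input" | sed -n \
        's|^Server version: *Apache/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*|\1|p' |
        head -n 1)
    # "Server MPM:     event" -> event (the line is absent from `httpd -v` output)
    mpm=$(printf '%s\n' "$input" |
        sed -n 's|^Server MPM: *\([A-Za-z_]*\).*|\1|p' | head -n 1)
    if [ -z "$ver" ]; then
        echo "UNKNOWN: no Apache x.y.z version string found"
        return 2
    fi
    major=${ver%%.*}; rest=${ver#*.}; minor=${rest%%.*}; patch=${rest#*.}
    if [ "$major" -ne 2 ] || [ "$minor" -ne 4 ] ||
       [ "$patch" -lt 17 ] || [ "$patch" -gt 38 ]; then
        echo "OK: Apache $ver is outside 2.4.17-2.4.38"
        return 0
    fi
    # An unreported MPM is treated as in scope rather than assumed safe.
    case "${mpm:-unknown}" in
        event|worker|prefork|unknown)
            echo "AFFECTED: Apache $ver (MPM ${mpm:-unknown}) is in 2.4.17-2.4.38; update to 2.4.39"
            return 1 ;;
        *)
            echo "OK: Apache $ver uses MPM $mpm, not event, worker or prefork"
            return 0 ;;
    esac
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_VULN='Server version: Apache/2.4.29 (Ubuntu)
Server built:   2018-10-10T18:59:25
Server MPM:     event'
SAMPLE_FIXED='Server version: Apache/2.4.39 (Unix)
Server MPM:     prefork'

# On a real host: httpd -V 2>/dev/null | check_cve_2019_0211
for s in "$SAMPLE_VULN" "$SAMPLE_FIXED"; do
    printf '%s\n' "$s" | check_cve_2019_0211 || :   # non-zero status is the verdict
done
```

Distribution packages often backport security fixes without changing the upstream version number, so confirm an AFFECTED verdict against the vendor's advisory for CVE-2019-0211 before acting on it.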

Mark Cox, one of the founders of the Apache Software Foundation, singled out the vulnerability in his call for a quick implementation of the update.

“[The flaw] allows anyone you allow to write a script (PHP, CGI,..) to gain root. Get 2.4.39 *now* especially if you have untrusted script authors or run shared hosting (or use mod_auth_digest, due to a separate flaw),” he advised.

Does it mean that if an attacker obtains an RCE on an Apache server as www-data, he can elevate his privileges to root, or am I misunderstanding?


That's one attack, yes. It's also common to give unprivileged users the ability to write their own scripts (common in shared hosting, but also other environments) and this would allow them to get root.

While plugging this hole quickly is a must for web hosting providers, whose servers are usually shared by various users, all Apache admins should implement the update as soon as possible, as CVE-2019-0211 could be exploited in conjunction with other flaws to achieve root access.