Apache HTTP Server contained privilege escalation flaw that allowed root access
- Designated as CVE-2019-0211, the flaw can allow any user with access to the web server to write as well as run untrusted scripts.
- Attackers could abuse this flaw to obtain root access in Unix systems.
Popular web server software Apache HTTP had a privilege escalation flaw that could have compromised Unix systems. The serious vulnerability was discovered by Charles Fol, a security engineer at Ambionics.
Fol stated that the flaw was the result of an out-of-bounds array access giving rise to an arbitrary function call. It affected systems running Linux operating systems.
- The flaw affects Apache HTTP Servers having versions from 2.4.17 to 2.4.38.
- Fol explained that the flaw can be abused by obtaining read/write access on a web process and then changing the internal code.
- He also emphasized that an exploit could be done through untrusted scripts written in PHP or CGI.
- Shared web hosting would be mainly compromised if the flaw is exploited by a malicious actor.
Apache patches the flaw
In an advisory, Apache acknowledged the flaw by Fol and has mentioned that the version 2.4.39 of HTTP Server fixes. “In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard. Non-Unix systems are not affected,” read the advisory.
Version 2.4.39 also patched a host of other vulnerabilities that were present in HTTP Server. Users are advised to run this latest version which can be downloaded here.