Apache fixes Carpe Diem vulnerability in web server update

Users of the Apache HTTP web server are urged to update their servers to correct a series of vulnerabilities in the widely deployed open source technology.

The Apache HTTP Server (commonly referred to simply as “Apache”) is a fundamental component of the modern Internet and is the most widely used web server in the world today. The new flaws affect several versions of Apache, ranging from version 2.4.17 to 2.4.38. The new Apache 2.4.39 milestone was released on April 1, addressing six vulnerabilities in total, three of which are rated “important” by the Apache Software Foundation.

“A flaw in Apache HTTP Server 2.4.17 – 2.4.38 allows anyone you allow to write a script (PHP, CGI, ..) Foundation, wrote in a Twitter post. “Get 2.4.39 *now*, especially if you have untrusted script writers or use shared hosting.”

Among the three important vulnerabilities fixed in the Apache 2.4.39 update is CVE-2019-0211, which is a privilege escalation vulnerability. The vulnerability was reported to Apache by researcher Charles Fol, security engineer at Ambionics Security.

“Apache HTTP suffers from a local root privilege escalation vulnerability due to out-of-bounds array access leading to an arbitrary function call,” Fol wrote in an advisory.

The CVE-2019-0211 issue abuses a daily function called logrotate, which runs once a day to rotate log files. Fol colloquially nicknamed the flaw CARPE DIEM: CARPE stands for CVE-2019-0211 Apache Root Privilege Escalation, and DIEM refers to the fact that the exploit is triggered once per day.

CVE-2019-0217 and CVE-2019-0215

Security researcher Simon Kappel is credited by Apache with discovering the CVE-2019-0217 vulnerability, which is also considered important.

“In Apache HTTP Server 2.4 version 2.4.38 and earlier, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing the configured access control restrictions,” Apache warned in its advisory.

A race condition is a type of software fault in which shared data is accessed by multiple concurrent threads without proper data access protection.

The third important issue fixed in the Apache 2.4.39 update is CVE-2019-0215, which is an SSL access control bypass vulnerability. Apache’s mod_ssl module is responsible for handling SSL/TLS (Secure Sockets Layer / Transport Layer Security) encryption. According to Apache, the CVE-2019-0215 flaw could potentially have allowed an attacker to bypass access control restrictions.
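The version ranges quoted above can be turned into a quick inventory check. The following is an added example, not code from the article or from the Apache project: it triages `httpd -v` output or `Server` header strings against the ranges this article gives. The function names `parse_version` and `triage` are hypothetical, and the sample strings are constructed.

```python
import re

# Affected ranges as stated in this article (inclusive). The article gives no
# range for CVE-2019-0215, so it is covered only by the "fixed in 2.4.39" check.
FIXED = (2, 4, 39)
RANGES = {
    "CVE-2019-0211": ((2, 4, 17), (2, 4, 38)),  # local root privilege escalation
    "CVE-2019-0217": ((2, 4, 0), (2, 4, 38)),   # mod_auth_digest race condition
}

VERSION_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract (major, minor, patch) from `httpd -v` output or a Server header."""
    m = VERSION_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def triage(text):
    """Return (status, cves) for one version string."""
    version = parse_version(text)
    if version is None:
        # A banner without a version number cannot be judged: check the host.
        return ("unknown", [])
    if version[:2] != (2, 4):
        # The article only covers the 2.4 branch.
        return ("out-of-scope", [])
    if version >= FIXED:
        return ("patched", [])
    hits = sorted(cve for cve, (lo, hi) in RANGES.items() if lo <= version <= hi)
    return ("update", hits)


if __name__ == "__main__":
    # Constructed sample inputs, not taken from real hosts.
    samples = [
        "Server version: Apache/2.4.38 (Unix)",
        "Server: Apache/2.4.10 (Debian)",
        "Server version: Apache/2.4.39 (Unix)",
        "Server: Apache",
    ]
    for s in samples:
        print(f"{s!r:45} -> {triage(s)}")
```

Distribution packages often backport security fixes without changing the upstream version number, so an "update" result from a banner should be confirmed against the package changelog before a host is counted as vulnerable.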

Millions of web servers at risk

According to security firm Rapid7, as of April 3, approximately two million Apache web server deployments had yet to be patched. More than half of these instances run on public cloud and shared hosting providers.

Bob Rudis, Chief Data Scientist at Rapid7, commented that the CVE-2019-0211 issue is of particular concern as it can be triggered with a malicious Apache module or via scripts that run in a popular extension like “mod_php”, which allows the execution of PHP scripts, such as those used by popular content management systems WordPress or Drupal. He warned that CVE-2019-0211 is particularly problematic and likely to be exploited at shared hosting providers who run multiple sites under a single Apache process.

While the Apache web server vulnerabilities pose a risk to organizations that have not yet applied patches, so far there has not been much public detection of active attacks.

“Nothing on the radar at this time, although most organizations that have honeypot networks like Rapid7, won’t see a lot of activity outside of maybe looking for version numbers,” Rudis told eWEEK. “This will be something attackers do from the inside, such as creating an account at a vulnerable shared web hosting provider and then launching an attack from within.”

Sean Michael Kerner is editor-in-chief at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.


