Apache web server bug grants root access to shared hosting environments
This week, the Apache Software Foundation fixed a severe vulnerability in the Apache Web Server Project (httpd) that could – under certain circumstances – allow malicious server scripts to execute code with root privileges and take control of the underlying server.
The vulnerability, tracked as CVE-2019-0211, only affects Apache web server versions for Unix systems, from 2.4.17 to 2.4.38, and was fixed this week with the release of version 2.4.39.
According to the Apache team, less privileged Apache child processes (such as CGI scripts) can execute malicious code with the privileges of the parent process.
Since on most Unix systems Apache httpd runs under the root user, any malicious actor who has implanted a malicious CGI script on an Apache server can use CVE-2019-0211 to take over the underlying system running the Apache httpd process and, inherently, control the entire machine.
CVE-2019-0211 is a big deal for shared hosting companies
The vulnerability may not pose an immediate and palpable threat to developers and businesses running their own server infrastructure, but the problem is a critical vulnerability in shared web hosting environments.
“First of all, this is a LOCAL vulnerability, which means you need to have some sort of access to the server,” Charles Fol, the security researcher who discovered this vulnerability, told ZDNet in an interview yesterday.
This means that attackers must either register accounts with shared hosting providers or compromise existing accounts.
Once this happens, the attacker only needs to upload a malicious CGI script through the control panel of their leased/compromised server to take control of the hosting provider’s server, in order to plant malware or to steal data from other clients who have data stored on the same machine.
“The host has full access to the server through the ‘root’ account. If any of the users successfully exploit the vulnerability I have reported, they will have full access to the server, just like the host,” Fol said. “It involves reading / writing / deleting any files / databases from other clients.”
Unshared Apache servers also at risk
But Fol also told ZDNet that CVE-2019-0211, by its mere presence, automatically heightens any other server security issue, even for Apache web servers that are not part of shared hosting environments.
“For attackers or pentesters, after [they] compromise an Apache HTTP server, [they] usually get an account with low privileges (usually www-data),” Fol said.
But, according to Fol.
For this reason, it is essential to patch this flaw: first and foremost for shared hosts, and then for companies running Apache on private, non-shared servers, which nonetheless face a lower risk of attack.
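
To triage hosts against the affected range stated above (2.4.17 to 2.4.38 on Unix, fixed in 2.4.39), the shell functions below classify `apachectl -v` style banners, generalised from one host to a list. This is an added example, not code from the Apache project or from the original article; the function names and the sample banners are constructed for illustration.

```sh
#!/bin/sh
# Added example (function names are hypothetical): flag httpd banners in the
# CVE-2019-0211 range from the article: 2.4.17 through 2.4.38, Unix builds only.
# Caveat: distribution packages may backport the fix without changing the
# upstream version, so confirm "affected" results against the vendor advisory.

# Print the x.y.z version found in a banner such as
# "Server version: Apache/2.4.29 (Ubuntu)"; print nothing if there is none.
httpd_version_from_banner() {
    printf '%s\n' "$1" |
        sed -n 's|.*Apache/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*|\1|p' |
        head -n 1
}

# Print "affected", "not-affected" or "unknown" for one banner line.
cve_2019_0211_status() {
    ver=$(httpd_version_from_banner "$1")
    [ -n "$ver" ] || { echo unknown; return 0; }
    # The article says only Unix builds are affected; Windows builds
    # identify themselves as (Win32) or (Win64) in the banner.
    case "$1" in *Win32*|*Win64*) echo not-affected; return 0 ;; esac
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    if [ "$major" -eq 2 ] && [ "$minor" -eq 4 ] &&
       [ "$patch" -ge 17 ] && [ "$patch" -le 38 ]; then
        echo affected
    else
        echo not-affected
    fi
}

# Classify a list of banners read from stdin, one per line.
triage_banners() {
    while IFS= read -r line; do
        printf '%-13s %s\n' "$(cve_2019_0211_status "$line")" "$line"
    done
}

# Constructed sample banners, not taken from real hosts.
triage_banners <<'EOF'
Server version: Apache/2.4.16 (Unix)
Server version: Apache/2.4.17 (Unix)
Server version: Apache/2.4.38 (Debian)
Server version: Apache/2.4.38 (Win64)
Server version: Apache/2.4.39 (Unix)
nginx/1.14.2
EOF
```

On a live host, the first line of `apachectl -v` output can be piped into `triage_banners` in place of the sample list.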