CVE-2019-0211 is a newly disclosed local privilege escalation vulnerability in Apache HTTP Server. The bug, discovered by Ambionics security researcher Charles Fol, has already been fixed in the latest version of the software, 2.4.39.
The update should be applied immediately: the Apache HTTP server is one of the most widely used web servers, powering nearly 40 percent of websites.
CVE-2019-0211 Official Description
In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard. Non-Unix systems are not affected.
This means that the vulnerability affects Apache HTTP Server versions 2.4.17 through 2.4.38 on Unix-like systems running the event, worker or prefork MPM. In short, anyone able to run code inside a worker process, for example through a PHP or CGI script, could exploit it to execute arbitrary code as root. It is a local privilege escalation rather than a remote code execution bug: the attacker first needs a foothold on the server.
According to the researcher’s own write-up, exploiting CVE-2019-0211 is a four-step process.
The first step is to obtain read/write access on a worker process; the second is to write a fake prefork_child_bucket structure in the shared memory (SHM) holding Apache’s scoreboard; the third is to make all_buckets[bucket] point to that structure by tampering with the bucket index stored in the scoreboard; and the fourth is to wait until 6:25 AM to get an arbitrary function call. That time is when the daily logrotate cron job on many Linux distributions gracefully restarts Apache. On a graceful restart the root-owned main process re-reads the bucket index from the scoreboard for each worker it re-spawns, indexes all_buckets with it without validation, and ends up calling a function pointer reached through the attacker’s fake structure before the new child drops its privileges.
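The trust boundary behind those four steps, as an added C model that is not part of the article or of Apache’s source code: a root-owned parent reads a bucket index from shared memory that unprivileged workers can write, indexes all_buckets with it, and calls a function pointer found there. The structure names mirror prefork.c but are cut down to the fields that matter; the flat region standing in for the parent’s address space, SHM_INDEX, the attacker_payload marker value and the bounds check in child_main_checked are assumptions made for illustration, not Apache’s actual 2.4.39 patch.

```c
#include <stdio.h>
#include <string.h>

/* Function table behind a process mutex, mirroring apr's meth->child_init. */
typedef struct { int (*child_init)(void); } mutex_meth;
typedef struct { const mutex_meth *meth; } proc_mutex;
/* prefork_child_bucket reduced to the one field used here (pod/listeners omitted). */
typedef struct { proc_mutex *mutex; } child_bucket;

/* One flat region stands in for the parent's address space (an assumption of this
 * model): the first NUM_BUCKETS entries are the real all_buckets[]; entry SHM_INDEX
 * models the scoreboard SHM, which workers can write and which, in the real bug,
 * sits at an offset from all_buckets that a worker can learn from /proc/self/maps,
 * because the parent only forks and never re-executes. */
#define NUM_BUCKETS 2
#define SHM_INDEX   100
static child_bucket region[128];
static child_bucket *const all_buckets = region;

static int legit_child_init(void) { return 0; }   /* what the parent expects to run */
static const mutex_meth legit_meth = { legit_child_init };
static proc_mutex legit_mutex = { &legit_meth };

/* Scoreboard slot as kept in the SHM: workers can overwrite the bucket index. */
typedef struct { int bucket; } parent_score;
static parent_score scoreboard[4];

/* Attacker-side objects; in the real exploit these also live in the SHM. */
static int attacker_payload(void) { return 1337; }  /* marker: "ran as the parent" */
static mutex_meth fake_meth = { attacker_payload };
static proc_mutex fake_mutex = { &fake_meth };

/* Parent start-up: every slot legitimately belongs to bucket 0. */
void setup_parent(void) {
    memset(region, 0, sizeof region);
    memset(scoreboard, 0, sizeof scoreboard);
    for (int i = 0; i < NUM_BUCKETS; i++) all_buckets[i].mutex = &legit_mutex;
}

/* Steps 2 and 3 of the write-up: plant a fake bucket in the SHM, then make the
 * parent's all_buckets[bucket] resolve to it through the scoreboard index. */
void worker_plant_fake_bucket(int slot) {
    region[SHM_INDEX].mutex = &fake_mutex;  /* fake prefork_child_bucket */
    scoreboard[slot].bucket = SHM_INDEX;    /* out-of-range index, unchecked */
}

/* Step 4: on graceful restart the parent re-spawns a child for the slot and
 * dereferences all_buckets[bucket] before privileges are dropped.
 * Vulnerable form: the index read from the SHM is trusted as-is. */
int child_main_vulnerable(int slot) {
    int bucket = scoreboard[slot].bucket;
    child_bucket *my_bucket = &all_buckets[bucket];
    return my_bucket->mutex->meth->child_init();
}

/* Hardened form used for this illustration (not the actual Apache fix): refuse
 * any index that does not name a bucket the parent itself created. */
int child_main_checked(int slot) {
    int bucket = scoreboard[slot].bucket;
    if (bucket < 0 || bucket >= NUM_BUCKETS) {
        fprintf(stderr, "slot %d: bogus bucket index %d ignored\n", slot, bucket);
        return -1;
    }
    return all_buckets[bucket].mutex->meth->child_init();
}

int main(void) {
    setup_parent();
    worker_plant_fake_bucket(0);
    printf("vulnerable: child_init returned %d\n", child_main_vulnerable(0));
    printf("checked:    child_init returned %d\n", child_main_checked(0));
    return 0;
}
```

The model deliberately keeps the fake structures in bounds of a single array so it runs cleanly; what makes the real bug exploitable is that the scoreboard is both writable by the worker and at a predictable distance from all_buckets in the parent.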
Among the advantages the researcher lists, the main process never exits, so a worker can learn where everything is mapped in the parent by reading /proc/self/maps, which renders ASLR and PIE useless. “When a worker dies (or segfaults), it is automatically restarted by the main process, so there is no risk of DOSing Apache,” the researcher added.
On the downside, “PHP does not allow to read/write /proc/self/mem, which blocks us from simply editing the SHM”, and “all_buckets is reallocated after a graceful restart (!)”, so an address learned before the restart cannot simply be reused after it.
The vulnerability is most concerning for shared web hosting services, where a customer able to run PHP or CGI scripts on one website could use the flaw to gain root on the server and thereby compromise every other website hosted on it.