Posted on 04/05/2019 3:49:16 AM PDT by ShadowAce
This week, the Apache Software Foundation has patched a severe vulnerability in the Apache (httpd) web server project that could --under certain circumstances-- allow rogue server scripts to execute code with root privileges and take over the underlying server.
The vulnerability, tracked as CVE-2019-0211, affects Apache web server releases for Unix systems only, from 2.4.17 to 2.4.38, and was fixed this week with the release of version 2.4.39.
According to the Apache team, less-privileged Apache child processes (such as CGI scripts) can execute malicious code with the privileges of the parent process.
Because on most Unix systems Apache httpd runs under the root user, any threat actor who has planted a malicious CGI script on an Apache server can use CVE-2019-0211 to take over the underlying system running the Apache httpd process, and inherently control the entire machine.
The vulnerability may not pose an immediate and palpable threat to developers and companies running their own server infrastructure, but the issue is a critical vulnerability inside shared web hosting environments.
Flaw in Apache HTTP Server 2.4.17 - 2.4.38 allows anyone you allow to write a script (PHP, CGI,..) to gain root. Get 2.4.39 *now* especially if you have untrusted script authors or run shared hosting (or use mod_auth_digest, due to a separate flaw) https://t.co/s08XhOzKKW
Mark J Cox (@iamamoose), April 2, 2019
"First of all, it is a LOCAL vulnerability, which means you need to have some kind of access to the server," Charles Fol, the security researcher who discovered this vulnerability, told ZDNet in an interview yesterday.
This means that attackers either have to register accounts with shared hosting providers or compromise existing accounts.
Once this happens, the attacker only needs to upload a malicious CGI script through their rented/compromised server's control panel to take control of the hosting provider's server to plant malware or steal data from other customers who have data stored on the same machine.
"The web hoster has total access to the server through the 'root' account. If one of the users successfully exploits the vulnerability I reported, he/she will get full access to the server, just like the web hoster," Fol said. "This implies read/write/delete any file/database of the other clients."
But Fol also told ZDNet that CVE-2019-0211, just by its presence, automatically augments any other server security issue --even for Apache web servers not part of shared-hosting environments.
"For attackers or pentesters, after [they] compromise an Apache HTTP server, [they] generally get an account with low privileges (generally, www-data)," Fol said.
But any directory traversal or remote code execution flaw that allows an attacker to upload a CGI script, now also means automatic root access as a result of CVE-2019-0211, according to Fol.
For this reason, patching this flaw is a must. First and foremost for shared hosting providers, and then also for companies running Apache on private, non-shared servers --which, however, face a lower risk of attack.
Thanks to dayglored for the ping
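A version check for the range the article above gives (2.4.17 to 2.4.38 affected, fixed in 2.4.39, Unix only), added here as an example; it is not part of the original post or of the Apache project. The function names and sample banners are constructed, and the (Win32)/(Win64) platform-tag test is an assumption about how Windows builds label themselves.

```shell
#!/bin/sh
# Added example. Range taken from the article: 2.4.17 through 2.4.38 affected,
# fixed in 2.4.39, Unix builds only. A version string cannot show whether a
# distribution backported the fix, so "affected" means "verify the package".

# Pull "major.minor.patch" out of a banner such as the first line of
# `httpd -v` ("Server version: Apache/2.4.29 (Ubuntu)") or a Server header.
apache_version_from_banner() {
    printf '%s\n' "$1" |
        sed -n 's|.*Apache/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*|\1|p' |
        head -n 1
}

# Print "affected", "not-affected" or "unknown" for one banner string.
cve_2019_0211_status() {
    ver=$(apache_version_from_banner "$1")
    [ -n "$ver" ] || { echo unknown; return 0; }
    # Assumption: Windows builds carry a (Win32)/(Win64) platform tag.
    case "$1" in
        *"(Win32)"*|*"(Win64)"*) echo not-affected; return 0 ;;
    esac
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    if [ "$major" -eq 2 ] && [ "$minor" -eq 4 ] &&
       [ "$patch" -ge 17 ] && [ "$patch" -le 38 ]; then
        echo affected
    else
        echo not-affected
    fi
}

# Constructed sample banners, not captured from real hosts.
for banner in \
    'Server version: Apache/2.4.29 (Ubuntu)' \
    'Server version: Apache/2.4.39 (Unix)' \
    'Server version: Apache/2.4.37 (Win64)' \
    'Server: nginx/1.14.0'
do
    printf '%-45s %s\n' "$banner" "$(cve_2019_0211_status "$banner")"
done
```

On a live host the banner can come from `httpd -v` or `apache2 -v`, depending on how the distribution names the binary.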
The article says something about running Apache as root -- I've never done that, and I thought it was bad practice. I always switch over to a low-priv user, something like httpd or www-data. Am I missing something about best practices? Who are these people who run a webserver as root?
Sometimes, I think these "bugs" are found when things are performed in a way no one actually does it in the real world.
Not necessarily a bad thing--bugs are found, after all--but it tends to inflate the severity of the found bugs.
Trust me. You have to frequently go around campus and ask people “Why are you running IIS/Apache/FTP on your server?”. The usual answer is “I don’t know. We asked a student to set it up”. Translation: No one is maintaining the server.