This week, the Apache Software Foundation patched a severe vulnerability in the Apache (httpd) web server project that could, under certain circumstances, allow rogue server scripts to execute code with root privileges and take over the underlying server.
The vulnerability, tracked as CVE-2019-0211, affects Apache web server releases for Unix systems only, from 2.4.17 to 2.4.38, and was fixed this week with the release of version 2.4.39.
According to the Apache team, less-privileged Apache child processes (such as CGI scripts) can execute malicious code with the privileges of the parent process.
Because Apache httpd runs under the root user on most Unix systems, any threat actor who has planted a malicious CGI script on an Apache server can use CVE-2019-0211 to take over the underlying system running the Apache httpd process, and inherently control the entire machine.
CVE-2019-0211 IS A BIG PROBLEM FOR SHARED-HOSTING FIRMS
The vulnerability may not pose an immediate and palpable threat to developers and companies running their own server infrastructure, but the issue is a critical vulnerability inside shared web-hosting environments.
“First of all, it is a LOCAL vulnerability, which means you need to have some kind of access to the server,” Charles Fol, the security researcher who discovered this vulnerability, told ZDNet in an interview yesterday.
This means that attackers either have to register accounts with shared hosting providers or compromise existing accounts.
Once this happens, the attacker only needs to upload a malicious CGI script through their rented/compromised server’s control panel to take control of the hosting provider’s server, and then plant malware or steal data from other customers who have data stored on the same machine.
“The web hoster generally has access to the server through the ‘root’ account. If one of the users successfully exploits the vulnerability I reported, he/she will get full access to the server, just like the web hoster,” Fol said. “This implies read/write/delete any file/database of the other clients.”
NON-SHARED APACHE SERVERS ALSO IN DANGER
But Fol also told ZDNet that CVE-2019-0211, just by its presence, automatically amplifies any other server security issue, even for Apache web servers that are not part of shared-hosting environments.
“For attackers or pentesters, after [they] compromise an Apache HTTP server, [they] commonly get an account with low privileges (generally, www-data),” Fol said.
But any directory traversal or remote code execution flaw that allows an attacker to upload a CGI script now also means automatic root access as a result of CVE-2019-0211, according to Fol.
For this reason, patching this flaw is a must: first and foremost for shared hosting providers, and then for companies running Apache on private, non-shared servers, which, however, face a lower risk of attack.
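To prioritise that patching, the following added example (not from the article or from the Apache project) triages a host inventory against the version range given above. It assumes banners in the form printed by `httpd -v` or sent in a `Server` header; the function names and the sample inventory are constructed for illustration.

```python
import re

# Affected range as stated in the article: 2.4.17 through 2.4.38, Unix only.
FIRST_AFFECTED = (2, 4, 17)
LAST_AFFECTED = (2, 4, 38)

# Matches e.g. "Server version: Apache/2.4.29 (Ubuntu)" or "Apache/2.4.38".
BANNER = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)(?:\s+\(([^)]*)\))?")


def classify(banner):
    """Return 'affected', 'not-affected', 'windows' or 'unknown' for one banner."""
    m = BANNER.search(banner)
    if not m:
        return "unknown"  # version hidden or not Apache; needs a manual check
    version = tuple(int(part) for part in m.group(1, 2, 3))
    platform = (m.group(4) or "").lower()
    if platform.startswith("win"):
        return "windows"  # the article limits the flaw to Unix builds
    if FIRST_AFFECTED <= version <= LAST_AFFECTED:
        # Assumption: the banner reflects upstream code. Distribution packages
        # may backport the fix without changing this number, so confirm
        # against the package changelog before treating this as final.
        return "affected"
    return "not-affected"


def triage(inventory):
    """Group a {host: banner} inventory into {status: sorted list of hosts}."""
    groups = {}
    for host, banner in inventory.items():
        groups.setdefault(classify(banner), []).append(host)
    return {status: sorted(hosts) for status, hosts in groups.items()}


# Constructed sample inventory (hypothetical hosts and banners).
SAMPLE = {
    "web01": "Server version: Apache/2.4.29 (Ubuntu)",
    "web02": "Server version: Apache/2.4.39 (Unix)",
    "web03": "Server version: Apache/2.4.38 (Win64)",
    "web04": "Server: Apache",
    "web05": "Server version: Apache/2.4.16 (Unix)",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status}: {', '.join(hosts)}")
```

Hosts reported as `unknown` hide their version string and should be checked on the machine itself rather than assumed safe.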