This week, the Apache Software Foundation patched a severe vulnerability in the Apache (httpd) web server project that could, under certain circumstances, allow rogue server scripts to execute code with root privileges and take over the underlying server.
The vulnerability, tracked as CVE-2019-0211, affects Apache web server releases for Unix systems only, from 2.4.17 to 2.4.38, and was fixed this week with the release of version 2.4.39.
According to the Apache team, less-privileged Apache child processes (such as CGI scripts) can execute malicious code with the privileges of the parent process.
Because on most Unix systems Apache httpd runs under the root user, any threat actor who has planted a malicious CGI script on an Apache server can use CVE-2019-0211 to take over the underlying system running the Apache httpd process, and inherently control the entire machine.
CVE-2019-0211 IS A BIG PROBLEM FOR SHARED-HOSTING FIRMS
The vulnerability won’t pose an immediate and palpable threat to developers and companies running their own server infrastructure, but the issue is a critical vulnerability inside shared web hosting environments.
“First of all, it is a LOCAL vulnerability, which means you need to have some kind of access to the server,” Charles Fol, the security researcher who discovered this vulnerability, told ZDNet in an interview yesterday.
This means that attackers either have to register accounts with shared hosting providers or compromise existing accounts.
Once this happens, the attacker only needs to upload a malicious CGI script through their rented/compromised server’s control panel to take control of the hosting provider’s server to plant malware or steal data from other customers who have data stored on the same machine.
“The web hoster has total access to the server through the ‘root’ account. If one of the customers successfully exploits the vulnerability I reported, he/she will be able to get complete access to the server, just like the web hoster,” Fol said. “This implies read/write/delete any file/database of the other customers.”
NON-SHARED APACHE SERVERS ALSO IN DANGER
But Fol also told ZDNet that CVE-2019-0211, just by its presence, automatically augments any other server security problem, even for Apache web servers that are not part of shared-hosting environments.
“For attackers or pentesters, after [they] compromise an Apache HTTP server, [they] generally get an account with low privileges (usually, www-data),” Fol said.
But any directory traversal or remote code execution flaw that allows an attacker to upload a CGI script now also means automatic root access as a result of CVE-2019-0211, according to Fol.
For this reason, patching this flaw is a must. First and foremost for shared hosting providers, and then also for companies running Apache on private, non-shared servers, which, however, face a lower risk of attack.
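To prioritise that patching, the version range given above can be checked against an inventory of httpd version strings. The following is an added example, not code from the article or from the Apache project; the host names and banner strings are constructed, and the status labels and function names are illustrative assumptions.

```python
import re

# Range stated in the article: 2.4.17 to 2.4.38 affected, fixed in 2.4.39.
FIRST_AFFECTED = (2, 4, 17)
LAST_AFFECTED = (2, 4, 38)

# Matches "Apache/2.4.29 (Ubuntu)" as printed by `httpd -v` or sent in a Server header.
BANNER_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)(?:\s*\(([^)]*)\))?")

def classify(banner):
    """Return (status, version_tuple) for one version string."""
    m = BANNER_RE.search(banner)
    if not m:
        # e.g. "ServerTokens Prod" hides the version: treat as needing review.
        return ("unknown", None)
    version = tuple(int(part) for part in m.group(1, 2, 3))
    platform = (m.group(4) or "").lower()
    # The article states that only Unix builds are affected.
    if platform.startswith("win"):
        return ("not-affected-platform", version)
    if FIRST_AFFECTED <= version <= LAST_AFFECTED:
        # Distribution packages may backport the fix without changing the
        # upstream version number, so confirm against the vendor advisory.
        return ("in-affected-range", version)
    return ("outside-range", version)

def hosts_to_review(inventory):
    """Hosts whose banner is in the affected range or cannot be parsed."""
    flagged = {"in-affected-range", "unknown"}
    return sorted(h for h, b in inventory.items() if classify(b)[0] in flagged)

# Constructed sample inventory (hypothetical hosts and banners).
SAMPLE_INVENTORY = {
    "web01": "Server version: Apache/2.4.29 (Ubuntu)",
    "web02": "Server version: Apache/2.4.39 (Unix)",
    "web03": "Server: Apache/2.4.38 (Win64) OpenSSL/1.1.1a",
    "web04": "Server version: Apache/2.4.16 (Unix)",
    "web05": "Server: Apache",
    "web06": "Server version: Apache/2.4.17 (CentOS)",
}

if __name__ == "__main__":
    for host, banner in sorted(SAMPLE_INVENTORY.items()):
        print(host, *classify(banner))
    print("review:", hosts_to_review(SAMPLE_INVENTORY))
```

A version string inside the range is a prompt to check the installed package's changelog, not proof that the host is unpatched.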