CVE-2019-0211: Proof of Concept for Apache Root Privilege Escalation Vulnerability Published
Researcher publishes proof of concept (PoC) for local root privilege escalation bug patched by Apache last week.
Hintergrund
Last week, Apache published a security update to address six vulnerabilities in HTTP Server versions 2.4.17 to 2.4.38. This release includes a fix for CVE-2019-0211, a local root privilege escalation vulnerability that could lead to arbitrary code execution.
Analyse
The vulnerability, dubbed CARPE (DIEM), exists in Apache Multi-Processing Modules (MPMs) such as mod_prefork, mod_worker and mod_event. Charles Fol, the researcher who discovered and named the vulnerability, targeted mod_prefork for his breakdown and subsequent PoC.
According to Fol, Apache uses a shared-memory area known as scoreboard to keep tabs on worker processes (lower privileges) managed by mod_prefork (root privileges). Exploitation of this vulnerability requires an attacker to gain read/write access to a worker process (through a separate exploit) in order to manipulate the scoreboard to point to a rogue worker before an Apache graceful restart is initiated by logrotate.
In their advisory, Apache noted that non-Unix systems are unaffected by CVE-2019-0211. This is likely due to the fact that the vulnerability is triggered by an Apache graceful restart (apache2ctl graceful), which is normally executed by logrotate every morning on *Nix systems.
Proof of Concept
Fol published his PoC to Github on April 8. In his blog, he notes this exploit is “between a POC and a proper exploit.” The expectation is now that the PoC is publicly available, it will most likely be refined further and ultimately leveraged by attackers in the wild. This is of great concern on shared hosting environments, where a malicious user could leverage this exploit to gain root access on the host and access files shared by other users on the host environment.
Lösung
CVE-2019-0211 is patched in Apache HTTP Server version 2.4.39. *Nix distributions including Ubuntu, Debian, and SuSE have package updates available for install. FreeBSD posted an advisory, but there is no security update available for it yet. Users are encouraged to install these updates as soon as possible.
Additionally, cPanel released a security update for EasyApache 4 that addresses this vulnerability.
Identifizieren betroffener Systeme
A list of Nessus plugins to identify these vulnerabilities will appear here as they’re released.
Nessus users scanning for vulnerable versions of Apache HTTP Server will see the following scan output.
Continuous monitoring via Nessus Network Monitor will result in the following output:
Weitere Informationen
- Apache Security Advisory
- Charles Fol's description of CARPE (DIEM)
- Ubuntu Security Advisory
- Debian Security Tracker for CVE-2019-0211
- SuSE: CVE-2019-0211
- FreeBSD: Apache -- Multiple vulnerabilities
- EasyApache 4 Apr 3 Release
Verfolgen Sie die Beiträge des Security Response Team von Tenable in der Tenable Community.
Erfahren Sie mehr über Tenable, die erste Cyber Exposure-Plattform für die ganzheitliche Verwaltung Ihrer modernen Angriffsoberfläche.
Get a free 60-day trial of Tenable.io Vulnerability Management.
Verwandte Artikel
Strengthening the Nessus Software Supply Chain with SLSA
April 16, 2024You know Tenable as a cybersecurity industry leader whose world-class exposure management products are trusted by our approximately 43,000 customers, including about 60% of the Fortune 500. But sometimes we like to give you a peek behind the curtain to share how we protect our own house against cyberattacks – and that’s what this blog is about. Today we’re sharing our experience adopting the supply-chain security framework SLSA, with the hopes that the lessons we learned will be helpful to you.
Cybersecurity Snapshot: CISA Says Midnight Blizzard Swiped U.S. Gov’t Emails During Microsoft Hack, Tells Fed Agencies To Take Immediate Action
April 12, 2024Check out CISA’s urgent call for federal agencies to protect themselves from Midnight Blizzard’s breach of Microsoft corporate emails. Plus, a new survey shows cybersecurity pros are guardedly optimistic about AI. Meanwhile, SANS pinpoints the four trends CISOs absolutely must focus on this year. And the NSA is sharing best practices for data security. And much more!
Cybersecurity Snapshot: U.S. Gov’t Unpacks AI Threat to Banks, as NCSC Urges OT Teams to Protect Cloud SCADA Systems
March 29, 2024Check out new guidance for banks on combating AI-boosted fraud. Plus, how to cut cyber risk when migrating SCADA systems to the cloud. Meanwhile, why CISA is fed up with SQLi flaws. And best practices to prevent and respond to DDoS attacks. And much more!
Tenable and Thales Collaborate to Provide Cyber Defense Simulations to Better Secure Operational Technology Environments
April 18, 2024The heart of the Welsh Valleys is home to the Thales Ebbw Vale campus, a world-class facility jointly funded by the Welsh government as part of its regeneration program for the region. At the core of the facility is the Cyber Range, a simulation and virtualization platform for training, testing, exercising and R&D. Tenable has joined the lineup of solutions used to run real world simulations in this controlled environment.
Oracle April 2024 Critical Patch Update Addresses 239 CVEs
April 17, 2024Oracle addresses 239 CVEs in its second quarterly update of 2024 with 441 patches, including 38 critical updates.
Strengthening the Nessus Software Supply Chain with SLSA
April 16, 2024You know Tenable as a cybersecurity industry leader whose world-class exposure management products are trusted by our approximately 43,000 customers, including about 60% of the Fortune 500. But sometimes we like to give you a peek behind the curtain to share how we protect our own house against cyberattacks – and that’s what this blog is about. Today we’re sharing our experience adopting the supply-chain security framework SLSA, with the hopes that the lessons we learned will be helpful to you.
- Vulnerability Management