A patchy Apache a-patchin: HTTP server gets fix for worrying root access hole

Apache HTTP Server has been given a patch to address a potentially serious elevation of privilege vulnerability.

Designated CVE-2019-0211, the flaw allows a “worker” process to change its privileges when the host server resets itself, potentially allowing anyone with a local account to run commands with root clearance, essentially giving them complete control over the targeted machine.

The bug was discovered by researcher Charles Fol of security shop Ambionics, who privately reported the issue to Apache. Admins can get the vulnerability sealed up by making sure their servers are updated to version 2.4.39 or later.

While elevation of privilege vulnerabilities are not generally considered particularly serious bugs (after all, you need to already be running code on the target machine, which is in and of itself a security compromise), the nature of Apache Server HTTP as a host machine means that this bug will almost always be exposed to some extent.

Fol told The Register that as HTTP servers are used for web hosting, multiple users will be given guest accounts on each machine. In the wild, this means the attacker could simply sign up for an account to have their site hosted on the target server.

“The web hoster has total access to the server through the ‘root’ account,” Fol explained.

“If one of the users successfully exploits the vulnerability I reported, he/she will get full access to the server, just like the web hoster. This implies read/write/delete any file/database of the other clients.”

Source: A patchy Apache a-patchin: HTTP server gets fix for worrying root access hole • The Register