On 2 April 2019, Mark J Cox, one of the founding members of the Apache Software Foundation and the OpenSSL project, tweeted a warning to users about a newly discovered important flaw in the Apache HTTP Server software. The Apache web server is one of the most popular and widely used open-source web servers in the world, powering almost 40 percent of the whole internet. The vulnerability, identified as CVE-2019-0211, was discovered by Charles Fol, a security engineer at the firm Ambionics Security, and has been patched by the Apache developers in the latest version of the software, 2.4.39, released on 2 April 2019.
The flaw affects Apache HTTP Server versions 2.4.17 through 2.4.38 and could permit any less-privileged user to execute arbitrary code with root privileges on the targeted server. Although the researcher has not yet released working proof-of-concept (PoC) exploit code for this flaw, Charles has published a blog post explaining how an attacker can exploit it in the following four steps:
- Obtaining R/W access on a worker process
- Writing a fake prefork_child_bucket structure in the SHM
- Making all_buckets[bucket] point to the structure
- Awaiting 6:25 AM to receive an arbitrary function call.
According to Cox, the vulnerability is most concerning for shared web hosting services, where a malicious customer or a hacker with the ability to execute PHP or CGI scripts on a website can use the flaw to gain root access on the server, which eventually compromises all the other websites hosted on the same server. In addition, the latest Apache httpd version, 2.4.39, patches three low-severity and two other important-severity issues. One of those important flaws, CVE-2019-0217, could permit a user with valid credentials to authenticate using another username, bypassing the configured access control restrictions.
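To triage an inventory against the affected range given above (2.4.17 through 2.4.38, fixed in 2.4.39), the following added example, which is not from the article or from Apache, classifies version banners such as `httpd -v` output or `Server` response headers. The hostnames and banners in it are constructed, and the function names are this example's own.

```python
import re

# Range taken from the article: 2.4.17 through 2.4.38 affected, fixed in 2.4.39.
FIRST_AFFECTED = (2, 4, 17)
FIRST_FIXED = (2, 4, 39)

# Matches "Apache/2.4.29" in `httpd -v` output or in an HTTP Server header.
BANNER_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")


def classify(banner):
    """Return 'affected', 'fixed', 'not-in-range' or 'unknown' for one banner."""
    m = BANNER_RE.search(banner)
    if not m:
        # Version hidden (for example "Server: Apache") or not Apache at all.
        return "unknown"
    version = tuple(int(part) for part in m.groups())
    if version >= FIRST_FIXED:
        return "fixed"
    if version >= FIRST_AFFECTED:
        # Distribution packages may backport the fix without changing the
        # upstream version number, so confirm against the package changelog.
        return "affected"
    return "not-in-range"  # older than 2.4.17, outside the article's range


def triage(inventory):
    """Map host -> status for an iterable of (host, banner) pairs."""
    return {host: classify(banner) for host, banner in inventory}


# Constructed sample inventory: hostnames and banners are made up.
SAMPLE = [
    ("web01.example", "Server version: Apache/2.4.29 (Ubuntu)"),
    ("web02.example", "Server: Apache/2.4.39 (Unix)"),
    ("web03.example", "Server: Apache/2.4.16 (Unix)"),
    ("web04.example", "Server: Apache"),
    ("web05.example", "Server: Apache/2.4.38 (Debian)"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}\t{status}")
```

Hosts reported as `unknown` hide their version and need a check on the machine itself.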