A critical vulnerability in Apache HTTP Server that if exploited could allow an attacker to gain full root control has been patched.
The cause, dubbed Carpe Diem by the researcher who discovered it Ambionics engineer Charles Fol, affects Apache HTTP Server versions 2.4.17 to 2.4.38.
The vulnerability, CVE-2019-0211, is a privilege escalation issue that happens when Apache executes what is called a “graceful restart”. A Graceful restart describes a situation when existing server threads are allowed to complete their task on a live website, Sophos’ Naked Security noted in a blog.
Fol found that during a restart “an opportunity arises for a low-privilege process to elevate itself to root via a script, for example via PHP or CGI.”
An attacker would require local access or being part of a shared hosting environment where many separate websites are hosted under a single IP address. This means any company or individual who currently maintains a website in such an environment should immediately updated to version 2.4.39, Naked Security said.
Jim O’Gorman, chief strategy officer at Offensive Security, pointed out how difficult it is to suss out vulnerabilities such as Carpe Diem, particularly when at first glance the issue might seem minor and require a complex exploitation chain. But if exploited the results are devastating.
“Thinking through the ways that attackers will actually exploit bugs to penetrate systems requires a creative, persistent, and adversarial mindset, and is not something that we can teach a security product to do,” he said.
In addition to patching CVE-2019-0211, the update also handled CVE-2019-0217, CVE-2019-0215, CVE-2019-0197, CVE-2019-0196, and CVE-2019-0220.