Apache Bug Lets Normal Users Gain Root Access Via Scripts (Apr 2, 2019)
Mark J. Cox, a founding member of the Apache Software Foundation and the OpenSSL project, posted on Twitter the details of a vulnerability, registered as “CVE-2019-0211,” that affects Apache HTTP Server versions 2.4.17 to 2.4.38. The vulnerability could allow a user with read and write access to gain root privileges on Unix systems and to execute arbitrary code via scoreboard manipulation. This vulnerability and two others, registered as “CVE-2019-0217” and “CVE-2019-0215,” were patched in Apache HTTP Server version 2.4.39. CVE-2019-0217 affects versions 2.4.0 through 2.4.38 and could allow a user “with valid credentials to authenticate using another username, bypassing configured access control restrictions.” CVE-2019-0215 affects Apache 2.4.37 and 2.4.38 installations and allows a “client supporting Post-Handshake Authentication to bypass configured access control restrictions.” Apache version 2.4.39 also addressed three less-severe vulnerabilities that could be exploited to cause crashes, a read-after-free, and normalization inconsistency.
Recommendation: Your company should have policies in place for maintaining server software so that new security updates are applied as soon as possible. Threat actors will often use vulnerabilities that have already been patched because information about an exploit, and proof-of-concept code for it, sometimes becomes available in public sources once a patch has been issued. Actors of all levels of sophistication are known to exploit such vulnerabilities because, as this story shows, many users and administrators do not apply security updates.
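As a way to act on this recommendation, the following added example (not part of the original brief or any Apache tooling) maps a version banner, such as the output of `httpd -v` or a `Server` header, to the three CVE ranges stated above. The function names and the sample banners are assumptions constructed for illustration.

```python
import re

# Affected upstream ranges exactly as stated in the brief (inclusive bounds).
AFFECTED = {
    "CVE-2019-0211": ((2, 4, 17), (2, 4, 38)),
    "CVE-2019-0217": ((2, 4, 0), (2, 4, 38)),
    "CVE-2019-0215": ((2, 4, 37), (2, 4, 38)),
}
FIXED_IN = (2, 4, 39)  # release the brief names as carrying the patches

_BANNER = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")


def parse_version(banner):
    """Extract (major, minor, patch) from an `httpd -v` line or Server header."""
    match = _BANNER.search(banner)
    return tuple(int(part) for part in match.groups()) if match else None


def affected_cves(banner):
    """Return the sorted CVE ids whose range contains the banner's version.

    Returns None when no version can be parsed (for example when the server
    hides it), so callers can tell "unknown" apart from "not affected".
    """
    version = parse_version(banner)
    if version is None:
        return None
    return sorted(cve for cve, (low, high) in AFFECTED.items()
                  if low <= version <= high)


# Constructed sample banners, as an inventory scan might collect them.
SAMPLES = [
    "Server version: Apache/2.4.29 (Ubuntu)",
    "Server: Apache/2.4.38 (Unix) OpenSSL/1.1.1",
    "Server: Apache/2.4.39 (Unix)",
    "Server: Apache",
]

if __name__ == "__main__":
    for banner in SAMPLES:
        result = affected_cves(banner)
        status = "version unknown, check manually" if result is None else (
            ", ".join(result) or "not in an affected range")
        print(f"{banner!r}: {status}")
```

Distribution packages often backport security fixes without changing the upstream version number, so treat a match as a prompt to check the package changelog rather than as proof of exposure.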