CVE-2019-0211 : Publication de la démonstration de faisabilité pour la vulnérabilité d'élévation de privilège root sur Apache
Researcher publishes proof of concept (PoC) for local root privilege escalation bug patched by Apache last week.
Contexte
Last week, Apache published a security update to address six vulnerabilities in HTTP Server versions 2.4.17 to 2.4.38. This release includes a fix for CVE-2019-0211, a local root privilege escalation vulnerability that could lead to arbitrary code execution.
Analyse
The vulnerability, dubbed CARPE (DIEM), exists in Apache Multi-Processing Modules (MPMs) such as mod_prefork, mod_worker and mod_event. Charles Fol, the researcher who discovered and named the vulnerability, targeted mod_prefork for his breakdown and subsequent PoC.
According to Fol, Apache uses a shared-memory area known as scoreboard to keep tabs on worker processes (lower privileges) managed by mod_prefork (root privileges). Exploitation of this vulnerability requires an attacker to gain read/write access to a worker process (through a separate exploit) in order to manipulate the scoreboard to point to a rogue worker before an Apache graceful restart is initiated by logrotate.
In their advisory, Apache noted that non-Unix systems are unaffected by CVE-2019-0211. This is likely due to the fact that the vulnerability is triggered by an Apache graceful restart (apache2ctl graceful), which is normally executed by logrotate every morning on *Nix systems.
Proof of Concept
Fol published his PoC to Github on April 8. In his blog, he notes this exploit is “between a POC and a proper exploit.” The expectation is now that the PoC is publicly available, it will most likely be refined further and ultimately leveraged by attackers in the wild. This is of great concern on shared hosting environments, where a malicious user could leverage this exploit to gain root access on the host and access files shared by other users on the host environment.
Solution
CVE-2019-0211 is patched in Apache HTTP Server version 2.4.39. *Nix distributions including Ubuntu, Debian, and SuSE have package updates available for install. FreeBSD posted an advisory, but there is no security update available for it yet. Users are encouraged to install these updates as soon as possible.
Additionally, cPanel released a security update for EasyApache 4 that addresses this vulnerability.
Identification des systèmes affectés
A list of Nessus plugins to identify these vulnerabilities will appear here as they’re released.
Nessus users scanning for vulnerable versions of Apache HTTP Server will see the following scan output.
Continuous monitoring via Nessus Network Monitor will result in the following output:
Où trouver plus d'informations
- Apache Security Advisory
- Charles Fol's description of CARPE (DIEM)
- Ubuntu Security Advisory
- Debian Security Tracker for CVE-2019-0211
- SuSE: CVE-2019-0211
- FreeBSD: Apache -- Multiple vulnerabilities
- EasyApache 4 Apr 3 Release
Rejoignez l'équipe SRT de Tenable sur Tenable Community.
Apprenez-en plus sur Tenable, la première plateforme de Cyber Exposure qui vous permet de gérer votre surface d'attaque moderne de manière globale.
Get a free 60-day trial of Tenable.io Vulnerability Management.
Articles connexes
Operational Technology in the DoD: Ensuring a Secure and Efficient Power Grid
April 19, 2024In an evolving threat landscape, the DoD must make sure that its mission-critical operations don’t experience power outages.
Strengthening the Nessus Software Supply Chain with SLSA
April 16, 2024You know Tenable as a cybersecurity industry leader whose world-class exposure management products are trusted by our approximately 43,000 customers, including about 60% of the Fortune 500. But sometimes we like to give you a peek behind the curtain to share how we protect our own house against cyberattacks – and that’s what this blog is about. Today we’re sharing our experience adopting the supply-chain security framework SLSA, with the hopes that the lessons we learned will be helpful to you.
Cybersecurity Snapshot: CISA Says Midnight Blizzard Swiped U.S. Gov’t Emails During Microsoft Hack, Tells Fed Agencies To Take Immediate Action
April 12, 2024Check out CISA’s urgent call for federal agencies to protect themselves from Midnight Blizzard’s breach of Microsoft corporate emails. Plus, a new survey shows cybersecurity pros are guardedly optimistic about AI. Meanwhile, SANS pinpoints the four trends CISOs absolutely must focus on this year. And the NSA is sharing best practices for data security. And much more!
Operational Technology in the DoD: Ensuring a Secure and Efficient Power Grid
April 19, 2024In an evolving threat landscape, the DoD must make sure that its mission-critical operations don’t experience power outages.
Cybersecurity Snapshot: Cyber Agencies Offer Secure AI Tips, while Stanford Issues In-Depth AI Trends Analysis, Including of AI Security
April 19, 2024Check out recommendations for securing AI systems from the Five Eyes cybersecurity agencies. Plus, Stanford University offers a comprehensive review of AI trends. Meanwhile, a new open-source tool aims to simplify SBOM usage. And don’t miss the latest CIS Benchmarks updates. And much more!
Tenable and Thales Collaborate to Provide Cyber Defense Simulations to Better Secure Operational Technology Environments
April 18, 2024The heart of the Welsh Valleys is home to the Thales Ebbw Vale campus, a world-class facility jointly funded by the Welsh government as part of its regeneration program for the region. At the core of the facility is the Cyber Range, a simulation and virtualization platform for training, testing, exercising and R&D. Tenable has joined the lineup of solutions used to run real world simulations in this controlled environment.
- Vulnerability Management