Bug in Apache server gives attackers root access in shared host environments

The Apache HTTP Server – the most widely used Web server on the Internet – has closed a serious vulnerability that has allowed unfamiliar users or software to gain unlimited control over the machine on which the software runs.

The vulnerability, called CVE-2019-0211, is a local privilege escalation, which means that it allows a person or software that already has limited access to the Web server to extend that access to root access, writes Ars Technica. From there, an attacker can do almost anything.

The vulnerability makes it possible to overwrite script without privileges to sensitive parts of the server’s memory. A rogue script could exploit the vulnerability to get root access.

Shared instances

The greatest risk of vulnerability lies in Web-hosting facilities that offer shared instances. In addition, a single physical machine contains content for more than one website. Such servers normally prevent an administrator of one site from having access to the other sites or from having access to the sensitive settings of the machine itself.

But if one of the users successfully exploits the vulnerability, he or she gets full access to the server. This means that they have the possibility to view, write and delete every file and every database of other clients.

Another likely abuse scenario is when a cybercriminal uses another attack, which only gives limited privileges on a server running Apache. If that server is vulnerable to CVE-2019-0211, then the attacker can exploit the error to extend those limited privileges to root privileges.

Vulnerable systems

The vulnerability only affects Apache versions between 2.4.17 and 2.4.38 when running UNIX-like systems. Security company Rapid7 estimates that 2 million systems are vulnerable to CVE-2019-0211, although most have already performed an update.

People using Apache – especially customers of hosts offering shared instances – are advised to check that they are running version 2.4.39.