zeroSteiner's assessment of CVE-2019-0211 | AttackerKB

Description

In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard. Non-Unix systems are not affected.

Add Assessment

2

zeroSteiner (346)

April 17, 2020 10:28pm UTC (4 years ago)•

Ratings

Attacker Value

Medium

Exploitability

Medium

Common in enterprise Gives privileged access Unauthenticated Vulnerable in default configuration

Technical Analysis

A vulnerability in Apache server versions 2.4.17–2.4.38 caused by an out-of-bounds array access can lead to an arbitrary function call. An attacker can trigger this to execute code in the context of the parent Apache process which often runs as root. In order for the exploit to trigger however, the Apache process must gracefully restart. This can be done on demand using apache2ctl graceful, but is also done automatically once at day by the logrotate utility (according to the original disclosure).

This exploit is a Local Privilege Escalation (LPE) vulnerability, so an attacker would already need to have some control on the system. This likely could be achieved through some kind of application vulnerability depending on what the Apache server is running.

Log in to Add Reply

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

7.8 High

Impact Score:

5.9

Exploitability Score:

1.8

Vector:

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV):

Local

Attack Complexity (AC):

Low

Privileges Required (PR):

Low

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

Vendors

Products

Exploited in the Wild

Reported by:

gwillcox-r7 indicated sources as

Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
Other: Ransomware Report 2023 (https://cybersecurityworks.com/howdymanage/uploads/file/Ransomware%20Report%202023_compressed.pdf)

Reported: February 21, 2023 6:59pm UTC (2 years ago)

References

Canonical

CVE-2019-0211 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0211)

BID-107666 (http://www.securityfocus.com/bid/107666)

Advisory

EXPLOIT-DB-46676 (https://www.exploit-db.com/exploits/46676)

USN-3937-1 (https://usn.ubuntu.com/3937-1)

20190407 [slackware-security] httpd (SSA:2019-096-01) (https://seclists.org/bugtraq/2019/Apr/16)

https://access.redhat.com/errata/RHSA-2019:0980

GLSA-201904-20 (https://security.gentoo.org/glsa/201904-20)

FEDORA-2019-cf7695b470 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WETXNQWNQLWHV6XNW6YTO5UGDTIWAQGT)

[httpd-users] 20190406 [users@httpd] CVE-2019-0211/0215/0217 (https://lists.apache.org/thread.html/b1613d44ec364c87bb7ee8c5939949f9b061c05c06e0e90098ebf7aa@%3Cusers.httpd.apache.org%3E)

https://httpd.apache.org/security/vulnerabilities_24.html

[httpd-cvs] 20190611 svn commit: r1861068 - /httpd/site/trunk/content/security/vulnerabilities-httpd.xml (https://lists.apache.org/thread.html/fd110f4ace2d8364c7d9190e1993cde92f79e4eb85576ed9285686ac@%3Ccvs.httpd.apache.org%3E)

https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03950en_us

[announce] 20200131 Apache Software Foundation Security Report: 2019 (https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c@%3Cannounce.apache.org%3E)

FEDORA-2019-a4ed7400f4 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ALIR5S3O7NRHEGFMIDMUSYQIZOE4TJJN)

FEDORA-2019-119b14075a (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EZRMTEIGZKYFNGIDOTXN3GNEJTLVCYU7)

20190403 [SECURITY] [DSA 4422-1] apache2 security update (https://seclists.org/bugtraq/2019/Apr/5)

[community-dev] 20190411 RE: CVE-2019-0211 applicable to versions 2.2.x? (https://lists.apache.org/thread.html/de881a130bc9cb2f3a9ff220784520556884fb8ea80e69400a45509e@%3Cdev.community.apache.org%3E)

https://access.redhat.com/errata/RHSA-2019:1296

https://www.synology.com/security/advisory/Synology_SA_19_14

[oss-security] 20190401 CVE-2019-0211: Apache HTTP Server privilege escalation from modules' scripts (http://www.openwall.com/lists/oss-security/2019/04/02/3)

https://support.f5.com/csp/article/K32957101

https://access.redhat.com/errata/RHBA-2019:0959

http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00061.html

https://access.redhat.com/errata/RHSA-2019:1543

https://security.netapp.com/advisory/ntap-20190423-0001

DSA-4422 (https://www.debian.org/security/2019/dsa-4422)

[httpd-cvs] 20190815 svn commit: r1048742 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html (https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830@%3Ccvs.httpd.apache.org%3E)

[community-dev] 20190411 CVE-2019-0211 applicable to versions 2.2.x? (https://lists.apache.org/thread.html/890507b85c30adf133216b299cc35cd8cd0346a885acfc671c04694e@%3Cdev.community.apache.org%3E)

[httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html (https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba@%3Ccvs.httpd.apache.org%3E)

http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00051.html

http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00084.html

https://access.redhat.com/errata/RHSA-2019:0746

[oss-security] 20190726 Re: Statistics for distros lists updated for 2019Q2 (http://www.openwall.com/lists/oss-security/2019/07/26/7)

https://access.redhat.com/errata/RHSA-2019:1297

[community-dev] 20190411 Re: CVE-2019-0211 applicable to versions 2.2.x? (https://lists.apache.org/thread.html/b2bdb308dc015e771ba79c0586b2de6fb50caa98b109833f5d4daf28@%3Cdev.community.apache.org%3E)

Miscellaneous

http://packetstormsecurity.com/files/152441/CARPE-DIEM-Apache-2.4.x-Local-Privilege-Escalation.html

http://packetstormsecurity.com/files/152415/Slackware-Security-Advisory-httpd-Updates.html

http://www.apache.org/dist/httpd/CHANGES_2.4.39

https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

http://packetstormsecurity.com/files/152386/Apache-2.4.38-Root-Privilege-Escalation.html

Rapid7

Technical Analysis