The Apache Software Foundation has patched a severe vulnerability in the Apache (httpd) web server project that might permit a rogue server script to execute code with root access and gain control of the underlying server.
The vulnerability, tracked as CVE-2019-0211, affects only the Apache web server for Unix systems, from version 2.4.17 to 2.4.38. It was fixed in version 2.4.39, which was released this week.
The Apache team says that less-privileged Apache child processes (such as CGI scripts) can execute malicious code with the privileges of the parent process.
On most Unix systems Apache httpd runs under the root user, so an attacker who has inserted a malicious CGI script on an Apache server can use CVE-2019-0211 to take over the underlying system running the Apache httpd process and, by extension, control the entire machine.
Big issue for shared-hosting firms
The vulnerability might not be an immediate and noticeable threat to developers and companies that have their own server infrastructure. But in the case of a shared web hosting environment, this becomes a critical vulnerability.
The vulnerability was discovered by security researcher Charles Fol, who said that it is a local vulnerability, meaning that an attacker needs some kind of access to the server. To get that access, an attacker has to either register an account with a shared hosting provider or compromise an existing account.
Once this is done, the attacker only has to upload a malicious CGI script through the control panel of the rented or compromised account, after which they can take control of the hosting provider's server to plant malware or steal data. The web hoster has complete access to the server through the 'root' account, and with that level of access it is possible to read, write or delete any file or database belonging to the other clients.
According to Fol, the vulnerability can automatically augment any other server security issue, even for Apache web servers that are not part of shared-hosting environments.
So it is necessary to patch this flaw, both for shared hosting providers and for companies running Apache on private, non-shared servers.
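To decide which servers need the update, the version range given above (2.4.17 to 2.4.38 affected, 2.4.39 fixed) can be checked against the banner that `httpd -v` prints. The script below is an added example, not code from the Apache project or the researcher; the function names, host names and inventory lines are constructed for illustration.

```shell
#!/bin/sh
# Triage Apache httpd banners against the CVE-2019-0211 range from the article:
# affected 2.4.17 through 2.4.38, fixed in 2.4.39.
# Caveat: distributions often backport fixes without changing the upstream
# version number, so "affected" means "verify the package changelog".

# Pull "major.minor.patch" out of a banner such as
# "Server version: Apache/2.4.29 (Ubuntu)". Prints nothing if none is found.
extract_version() {
    printf '%s\n' "$1" |
        sed -n 's|.*Apache/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*|\1|p' |
        head -n 1
}

# Print one of: affected, not-affected, unknown.
classify_banner() {
    ver=$(extract_version "$1")
    [ -n "$ver" ] || { echo unknown; return 0; }
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    if [ "$major" -eq 2 ] && [ "$minor" -eq 4 ] &&
       [ "$patch" -ge 17 ] && [ "$patch" -le 38 ]; then
        echo affected
    else
        echo not-affected
    fi
}

# Read "host banner..." lines on stdin, print a status per host and a total.
triage_inventory() {
    affected=0
    while read -r host banner; do
        [ -n "$host" ] || continue
        status=$(classify_banner "$banner")
        printf '%s\t%s\n' "$host" "$status"
        if [ "$status" = affected ]; then affected=$((affected + 1)); fi
    done
    echo "affected-total $affected"
}

# Constructed sample inventory (hypothetical hosts, not real data).
sample_inventory() {
    cat <<'EOF'
web01.example Server version: Apache/2.4.29 (Ubuntu)
web02.example Server version: Apache/2.4.39 (Unix)
web03.example Server version: Apache/2.4.16 (Unix)
web04.example Server version: Apache/2.4.38 (Debian)
web05.example Server: nginx
EOF
}

sample_inventory | triage_inventory
```

Hosts reported as unknown expose no parsable Apache version and need a manual check.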