Bug 1694980 (CVE-2019-0211)

Summary: CVE-2019-0211 httpd: privilege escalation from modules scripts
Product: [Other] Security Response
Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: ajoseph, alexaleon92, anon.amish, bmcclain, bnater, chazlett, cmattern, cmmiller, csutherl, dblechte, dfediuck, eedri, gandavar, gzaronik, hhorak, jclere, jdoyle, jkaluza, jorton, ktbzimm, lgao, luhliari, mbabacek, mgoldboi, michal.skrivanek, mturk, myarboro, pahan, pslavice, richard.sipinski, rsvoboda, sbonazzo, seferovic, sherold, twalsh, unixi, weli, whaidinger, yozone, yturgema
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=important,public=20190401,reported=20190402,source=internet,cvss3=8.8/CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H,cwe=CWE-250,fedora-all/httpd=affected,jbcs-1/httpd=affected,openshift-online-3/httpd=notaffected,rhev-m-4/rhvm-appliance=notaffected,rhscl-3/httpd24-httpd=affected,rhel-5/httpd=notaffected,rhel-6/httpd=notaffected,rhel-7/httpd=notaffected,rhel-8/httpd:2.4/httpd=affected,jbews-2/httpd=new,jws-3/httpd=notaffected
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Apache where code executing in a less-privileged child process or thread could execute arbitrary code with the privileges of the parent process (usually root). An attacker with access to run arbitrary scripts on the web server (PHP, CGI, etc.) could use this flaw to run code on the web server with root privileges.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-10 10:52:50 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1695432, 1694986, 1695428, 1695429, 1695431
Bug Blocks: 1694984

Description Dhananjay Arunesh 2019-04-02 08:33:28 UTC
In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard. Non-Unix systems are not affected.

Comment 2 Dhananjay Arunesh 2019-04-02 08:39:22 UTC
Created httpd tracking bugs for this issue:

Affects: fedora-all [bug 1694986]

Comment 3 Huzaifa S. Sidhpurwala 2019-04-03 05:09:58 UTC
Details about possible exploitation scenario:

When you have an environment in which untrusted script authors are allowed to upload arbitrary scripts (like PHP, CGI, etc.), these scripts normally run with restricted (non-root) privileges, but this flaw could allow the attacker to raise privilege to root and be able to run arbitrary code on the web server as root. Such a setup is common, for example, in the case of shared hosting.

https://twitter.com/iamamoose/status/1112966189276389376

Comment 7 Joe Orton 2019-04-03 09:34:01 UTC
Upstream 2.4.x fix is:

http://svn.apache.org/viewvc?view=revision&revision=1855378

Comment 8 Tomas Hoger 2019-04-04 10:54:15 UTC
This issue got named CARPE (DIEM).  More info in the reporter's write-up:

https://cfreal.github.io/carpe-diem-cve-2019-0211-apache-local-root.html

Comment 10 Alejandro 2019-04-04 16:57:54 UTC
Is it exploitable only if CGI is enabled? Which other languages could be affected? PHP, CGI, any more?

Thanks :)

Comment 11 Alejandro 2019-04-04 16:59:28 UTC
Is it exploitable only if CGI is enabled? Which other language could be affected? CGI, PHP, any more?

Thanks.

Comment 12 Scott Dowdle 2019-04-05 00:53:00 UTC
Are updates to the SCL packages planned?

Comment 14 Scott Dowdle 2019-04-05 05:11:08 UTC
"It affects the version of httpd package shipped with Red Hat Software Collections."

...AND that is going to get updated RSN, right?

Comment 15 Huzaifa S. Sidhpurwala 2019-04-08 04:28:59 UTC
In reply to comment #14:
> "It affects the version of httpd package shipped with Red Hat Software
> Collections."
> 
> ...AND that is going to get updated RSN, right?

Please contact Red Hat support, if you have any questions.
Thank you!

Comment 16 James Boyle 2019-04-08 14:56:31 UTC
I would also like to know if, or when, Red Hat plans to issue a fix.  I have opened a case with Red Hat support.  If I receive an answer, will I be allowed to share that information here?

Comment 21 Huzaifa S. Sidhpurwala 2019-04-11 04:30:00 UTC
Note on CVSS3 rating of this flaw:
=================================
The attack is basically carried out by uploading a script on a vulnerable web server which is configured to allow upload and execution of such vulnerable scripts. Due to this flaw, instead of the script running under a restricted privilege user, it can run as root and therefore allow privilege escalation on the web server. This can allow the attacker to run code as root on the web server and, depending on other configurations, could effectively allow the attacker to take control of it.

Therefore:
Attack Vector: Local (Attack is carried out through a local app vuln.)
Attack Complexity: Low (Vuln can be exploited at any time, as long as the vuln application exists)
Privileges Required: Low (Common for shared hosting configurations)
User Interaction: None (exploit can run without any other user doing an action on the script, again common in shared hosting conf, where this vuln would manifest itself)
Scope: Changed (This impacts the OS, beyond the exploitable web server)
CIA:H (This is due to privilege escalation)

Comment 23 errata-xmlrpc 2019-04-11 11:57:42 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2019:0746 https://access.redhat.com/errata/RHSA-2019:0746

Comment 24 James Boyle 2019-04-11 18:16:37 UTC
Thank you!

Comment 25 Huzaifa S. Sidhpurwala 2019-04-12 04:27:07 UTC
Statement:

This flaw is exploitable in httpd if it is configured to allow an untrusted user to upload and execute arbitrary scripts.  Due to the nature of the flaw, the uploaded script would not run as a restricted privileged user, but rather it runs as root allowing for privilege escalation from the restricted user to root on the web server.  

Depending on the configuration of the server, you would need local (AV:L) privileges to place the script, or network (AV:N) privileges if the server ran an application that permitted uploading scripts directly. The latter scenario is not common for unauthenticated users. Once the attacker can place the script somewhere in the web root, it can be easily exploited (AC:L). This type of setup is more common in shared hosting environments (PR:L) and would allow an attacker with access to a site on the shared host to impact the confidentiality, integrity, and availability (CIA:H) with no interaction (UI:N). Due to the elevated privileges obtained, there is an impact to the system beyond the web server itself (S:C).

Comment 27 errata-xmlrpc 2019-05-07 04:19:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:0980 https://access.redhat.com/errata/RHSA-2019:0980

Comment 28 errata-xmlrpc 2019-05-30 14:48:30 UTC
This issue has been addressed in the following products:

  JBoss Core Services Apache HTTP Server 2.4.29 SP2

Via RHSA-2019:1296 https://access.redhat.com/errata/RHSA-2019:1296

Comment 29 errata-xmlrpc 2019-05-30 14:57:17 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7
  JBoss Core Services on RHEL 6

Via RHSA-2019:1297 https://access.redhat.com/errata/RHSA-2019:1297

Comment 30 errata-xmlrpc 2019-06-18 19:08:57 UTC
This issue has been addressed in the following products:

  JBoss Core Services Apache HTTP Server 2.4.29 SP2

Via RHSA-2019:1543 https://access.redhat.com/errata/RHSA-2019:1543