In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard. Non-Unix systems are not affected.
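The affected range above (2.4.17 through 2.4.38, Unix only, event/worker/prefork MPM) is easy to get wrong by eye, so here is a small triage helper that reads the output of `httpd -v` and `httpd -V` and classifies a build. This is an added example, not code from the bug report, from Apache or from Red Hat; it assumes the standard `Server version: Apache/x.y.z (Platform)` and `Server MPM: name` lines that those commands print, and the sample strings in `main()` are constructed. One caveat for practitioners: vendor builds often backport the fix without bumping the upstream version string, so a version that falls in the range is a reason to check the vendor erratum, not proof that the host is unpatched.

```python
import re
from typing import Optional, Tuple

# Affected range taken from the advisory text: 2.4.17 <= version <= 2.4.38 on Unix,
# with the event, worker or prefork MPM. Non-Unix builds are not affected.
AFFECTED_MIN = (2, 4, 17)
AFFECTED_MAX = (2, 4, 38)
AFFECTED_MPMS = {"event", "worker", "prefork"}

# Shape of the first line of `httpd -v`, e.g. "Server version: Apache/2.4.38 (Unix)"
VERSION_RE = re.compile(r"Server version:\s*Apache/(\d+)\.(\d+)\.(\d+)\s*\(([^)]*)\)")
# Shape of the MPM line in `httpd -V`, e.g. "Server MPM:     event"
MPM_RE = re.compile(r"Server MPM:\s*(\w+)", re.IGNORECASE)


def parse_version(httpd_v: str) -> Optional[Tuple[Tuple[int, int, int], str]]:
    """Return ((major, minor, patch), platform) from `httpd -v` output, or None."""
    m = VERSION_RE.search(httpd_v)
    if not m:
        return None
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return version, m.group(4)


def parse_mpm(httpd_V: str) -> Optional[str]:
    """Return the lower-cased MPM name from `httpd -V` output, or None."""
    m = MPM_RE.search(httpd_V)
    return m.group(1).lower() if m else None


def assess(httpd_v: str, httpd_V: str = "") -> str:
    """Classify a build as affected / not affected / unknown, with the reason."""
    parsed = parse_version(httpd_v)
    if parsed is None:
        return "unknown: could not parse version string"
    version, platform = parsed
    pretty = ".".join(map(str, version))
    if platform.lower() != "unix":
        return f"not affected: non-Unix build ({platform})"
    if not (AFFECTED_MIN <= version <= AFFECTED_MAX):
        return f"not affected: version {pretty} outside 2.4.17-2.4.38"
    mpm = parse_mpm(httpd_V)
    if mpm is None:
        return f"affected (MPM unknown): version {pretty} in range; confirm MPM with 'httpd -V'"
    if mpm in AFFECTED_MPMS:
        return f"affected: version {pretty} in range, MPM {mpm}"
    return f"likely not affected: MPM {mpm} is not event/worker/prefork"


def main() -> None:
    # Constructed sample outputs in the format printed by `httpd -v` / `httpd -V`.
    samples = [
        ("Server version: Apache/2.4.38 (Unix)\nServer built:   Apr  1 2019", "Server MPM:     event"),
        ("Server version: Apache/2.4.39 (Unix)", "Server MPM:     prefork"),
        ("Server version: Apache/2.4.38 (Win64)", "Server MPM:     WinNT"),
        ("Server version: Apache/2.4.25 (Unix)", ""),
    ]
    for v_out, V_out in samples:
        print(f"{v_out.splitlines()[0]:45} -> {assess(v_out, V_out)}")


if __name__ == "__main__":
    main()
```

Run it against the real output of `httpd -v` and `httpd -V` on the host being checked; a distribution-patched package in the "affected" bucket should then be cross-checked against the vendor's erratum before being treated as vulnerable.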
External References: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2019-0211 http://www.apache.org/dist/httpd/CHANGES_2.4
Created httpd tracking bugs for this issue: Affects: fedora-all [bug 1694986]
Details about possible exploitation scenario: When you have an environment in which untrusted script authors are allowed to upload arbitrary scripts (like PHP, CGI etc.), these scripts normally run with restricted (non-root) privileges, but this flaw could allow the attacker to raise privilege to root and be able to run arbitrary code on the web server as root. Such a setup is common, for example, in the case of shared hosting etc. https://twitter.com/iamamoose/status/1112966189276389376
Upstream 2.4.x fix is: http://svn.apache.org/viewvc?view=revision&revision=1855378
This issue got named CARPE (DIEM). More info in the reporter's write-up: https://cfreal.github.io/carpe-diem-cve-2019-0211-apache-local-root.html
Is it exploitable only if CGI is enabled? Which other languages could be affected? PHP, CGI, any more? Thanks :)
Is it exploitable only if CGI is enabled? Which other languages could be affected? CGI, PHP, any more? Thanks.
Are updates to the SCL packages planned?
"It affects the version of httpd package shipped with Red Hat Software Collections." ...AND that is going to get updated RSN, right?
In reply to comment #14:
> "It affects the version of httpd package shipped with Red Hat Software Collections."
>
> ...AND that is going to get updated RSN, right?

Please contact Red Hat support, if you have any questions. Thank you!
I would also like to know if, or when, Red Hat plans to issue a fix. I have opened a case with Red Hat support. If I receive an answer, will I be allowed to share that information here?
Note on CVSS3 rating of this flaw:
=================================
The attack is basically carried out by uploading a script on a vulnerable web server which is configured to allow upload and execution of such vulnerable scripts. Due to this flaw, instead of the script running under a restricted privilege user, it can run as root and therefore allow privilege escalation on the web server. This can allow the attacker to run code as root on the web server and, depending on other configurations, could effectively allow the attacker to take control of it. Therefore:

Attack Vector: Local (attack is carried out through a local app vuln.)
Attack Complexity: Low (vuln can be exploited at any time, as long as the vuln application exists)
Privileges Required: Low (common for shared hosting configurations)
User Interaction: None (exploit can run without any other user doing an action on the script; again common in shared hosting conf, where this vuln would manifest itself)
Scope: Changed (this impacts the OS, beyond the exploitable web server)
CIA: H (this is due to privilege escalation)
This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 6
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
Via RHSA-2019:0746 https://access.redhat.com/errata/RHSA-2019:0746
Thank you!
Statement: This flaw is exploitable in httpd if it is configured to allow an untrusted user to upload and execute arbitrary scripts. Due to the nature of the flaw, the uploaded script would not run as a restricted privileged user, but rather it runs as root, allowing for privilege escalation from the restricted user to root on the web server. Depending on the configuration of the server, you would need local (AV:L) privileges to place the script, or network (AV:N) privileges if the server ran an application that permitted uploading scripts directly. The latter scenario is not common for unauthenticated users. Once the attacker can place the script somewhere in the web root, it can be easily exploited (AC:L). This type of setup is more common in shared hosting environments (PR:L) and would allow an attacker with access to a site on the shared host to impact the confidentiality, integrity, and availability (CIA:H) with no interaction (UI:N). Due to the elevated privileges obtained, there is an impact to the system beyond the web server itself (S:C).
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2019:0980 https://access.redhat.com/errata/RHSA-2019:0980
This issue has been addressed in the following products:
JBoss Core Services Apache HTTP Server 2.4.29 SP2
Via RHSA-2019:1296 https://access.redhat.com/errata/RHSA-2019:1296
This issue has been addressed in the following products:
JBoss Core Services on RHEL 7
JBoss Core Services on RHEL 6
Via RHSA-2019:1297 https://access.redhat.com/errata/RHSA-2019:1297
This issue has been addressed in the following products:
JBoss Core Services Apache HTTP Server 2.4.29 SP2
Via RHSA-2019:1543 https://access.redhat.com/errata/RHSA-2019:1543