CARPE (DIEM): CVE-2019-0211 Apache Local Privilege Escalation

Originally published at: https://cloudsek.com/threatintelligence/carpe-diem-cve-2019-0211-apache-local-privilege-escalation/

Category: Vulnerability Intelligence CVSS: 7.8 TLP: GREEN 
\

Executive Summary

  • CloudSEK’s flagship digital risk monitoring platform XVigil discovered a post on a cybercrime forum, mentioning a vulnerability in the Apache HTTP server 2.4.17 to 2.4.38, known as CVE-2019-0211.
  • CVE-2019-0211 is a local privilege escalation bug, hence to exploit the attacker must have initial access to the server.  
  • Threat actors can exploit this vulnerability to conduct various attacks, including, but not limited to, privilege escalation, lateral movement, and more.
![](upload://rHRDBGZaeKAtgcbE3lGoTt6kCRA.png)

Technical summary

CloudSEK’s XVigil runs routine application misconfiguration scans as a part of infrastructure monitoring. During such scans, we found that there are multiple assets that are still vulnerable to an older vulnerability given the name CARPE (DIEM): CVE-2019-0211.

This vulnerability was a critical vulnerability that came out in 2019 and lets an attacker execute unprivileged scripts, usually run by Apache with lowered privileges to take over the main Apache process. This can also lead to an attacker gaining root access to the server by simply running a script. 

CVE-2019-0211 poses a threat to web hosting services using the vulnerable versions in shared environments where root privilege can allow attackers to access files shared by other users on the host environment. Even if a vulnerable Apache server is not running in a shared environment, this vulnerability can be chained with other attack methods to execute code at a higher privilege level.

This vulnerability only impacts the Apache HTTP servers running on Unix operating systems. 

CVE-2019-0211 sustains in Apache Multi-Processing Modules (MPMs) such as mod_prefork, mod_worker and mod_event.

According to the PoC published by the researcher who discovered this vulnerability, Apache uses a shared-memory area to keep tabs on worker processes managed by mod_prefork. To exploit the vulnerability, the attacker is required to gain read/write access to a worker process to in turn manipulate the shared-memory area to point to a rogue worker before an Apache graceful restart (apache2ctl graceful) is initiated by logrotate.

![](upload://AoPZhwvLAYmvQaSYGaJrMbCDIe6.png)

OSINT Information

Apache is the most popular web server and hence powers more than 40% of the Internet.    ![|468x256](upload://DJbq4inCZqnkNJ8VnaNHBOb5gR.png)

This chart shows that more than 1.6 million servers are still running vulnerable versions of Apache.

![](upload://eG45aEeR9lp9elN4yMBBnenGjI8.png)

The security engineer who discovered the Carpe Diem Apache HTTP Server bug has released an exploit for it. The vulnerability has been deemed critical and lets the attackers perform actions most hosting providers have worked to avoid.

Impact & Mitigation

Impact Mitigation
The ease of exploitation is very low whereas the impact is high. The threat actor can gain root privilege to the server. It is a threat to shared hosting providers that run multiple websites under the sale Apache process. It can result in your brand image being impacted negatively. It can result in a loss of trust by stakeholders. Update to Apache 2.4.39 or newer versions.

References

Apache HTTP Server 2.4 vulnerabilities

CARPE (DIEM): CVE-2019-0211 Apache Root Privilege Escalation

PoC exploit for Carpe Diem Apache bug released – Help Net Security

Apache HTTP Server Privilege Escalation (CVE-2019-0211) Explained | Rapid7 Blog

Apache 2.4.17 < 2.4.38 – ‘apache2ctl graceful’ ‘logrotate’ Local Privilege Escalation – Linux local Exploit