April 5, 2019

What Is Apache HTTPd Server CVE-2019-0211?


The widely used Apache HTTPd server released version 2.4.39 on April 1st, 2020 because of CVE-2019-0211. In this blog, we look at how CVE-2019-0211 works, who it affects, and how to stay safe against future vulnerabilities.

What Is CVE-2019-0211?

CVE-2019-0211 is a root privilege escalation vulnerability found in all prior versions of HTTPd. It causes out-of-bounds array access which leads to the ability to make an arbitrary function call.

Triggered by a graceful restart, the logrotate utility can trigger this vulnerability once a day by default configuration settings. The modules specifically affected include mod_prefork, mod_worker, and mod_event.

How Does CVE-2019-0211 Work?

MPM prefork running as root manages single-threaded, low privilege worker processes that are all pooled together. Using a shared-memory area scoreboard MPM prefork can monitor worker PID’s, last request handled, and other information. Each PID has a process_score tied to the shared-memory area scoreboard. During the graceful restart, the main process is killed, and new workers replace old workers as well as old bucket values. Because no bound checks happen during this time, a rogue worker can change its own bucket index value and make it use the values found in shared memory instead. This allows control of the prefork_child_bucket structure which causes a call to mutex->meth->child_init(), which is an arbitrary function called as the root user.

There are 4 main steps to this exploit:

1. Obtaining read/write access of a worker process

2. Write a fake prefork_child_bucket structure in the shared memory area

3. Make all_buckets[bucket] point to the structure in step 2

4. A wait for the scheduled daily graceful restart to occur in a 24-hour cycle

Because this attack is based around the number of workers an Apache instance is using, the success rates of this attack can vary. Researcher Charles Fol at Ambionics found that with 4 workers (the default amount apache uses) he had an 80% success rate but by increasing it from more than 4, the success rate jumped to 100%. Charles says, “Different Apache servers have different number of workers. Having more workers mean we can spray the address of our mutex over less memory, but it also means we can specify more index for all_buckets. This means that having more workers improves our success rate.”

Final Thoughts

As always, I end this blog sounding like a broken record, reminding you all to upgrade your Apache servers when a new version comes out.

Ever since the 2.2 branch was retired, Apache has put all their time and effort into their 2.4 development so you can be assured that when you do an upgrade, you’re deploying top tier code into your environment, keeping your org and customers secure, and providing any users the best experience.

Amazon AWS has about 20% of its own servers affected while Digital Ocean and OVH are at 8.6 and 5.9% themselves. Vulnerabilities that spread this wide and far are not typical but when they do occur, it’s always a good time to do some spring cleaning and update more than just Apache, though Apache is a good place to start.

Get Guidance On Your Next Update

OpenLogic open source architects are available to assist you with this and other popular open source solutions. Talk to an expert and start planning for your next update, today!