~ Verification of the reproducibility of a privilege escalation vulnerability in Apache HTTP Server ~
SoftBank Technology Corp.
SoftBank Technology Corp. (Headquarters: Shinjuku-ku, Tokyo, President & CEO: Shinichi Ata) hereby announces that it has verified the reproducibility of attacks using the vulnerability CVE-2019-0211 and published a research report.
At the time of writing this report (April 25, 2019), the Apache Software Foundation has released a version in which the vulnerability has been fixed (as of April 1, 2019). However, the attack is easy, the attack code has been made public, the impact on the system is large when attacked, and the target is Apache HTTP Server, which has a large market share as an HTTP server. Because this makes it a critical vulnerability, our security research group verified its reproducibility.
[Overview]
A vulnerability (CVE-2019-0211) that allows local privilege escalation in Apache HTTP Server and attack code that exploits the vulnerability have been discovered. This vulnerability occurs because Apache HTTP Server does not perform bounds checks on child processes when it restarts. This allows privilege escalation on the system.
To exploit this vulnerability, an attacker needs valid logon information for the system.
In a system where the Apache HTTP Server parent process is running with root privileges, if an attacker somehow gains access as a general user on the system, there is a possibility that he or she can exploit this vulnerability to gain administrator privileges. As a result, there is a risk that the system may be operated with administrator privileges and important information may be altered or stolen.
In addition, in shared hosting services that use a version of Apache HTTP Server affected by the vulnerability, if a hosting user exploits this vulnerability, other users of the hosting service may also be compromised.
[Systems that may be affected]
・Apache HTTP Server versions from 2.4.17 to 2.4.38
[Countermeasures]
At the time of writing this report (April 25, 2019), the Apache Software Foundation has released a version that fixes this vulnerability. We recommend that you upgrade to a version that fixes the vulnerability.
▼Click here for details.
https://www.softbanktech.co.jp/special/cve/2019/0001/
Contact information for inquiries from media regarding this matter
○ SoftBank Technology Corp. Corporate Planning Department Corporate Communication Group
Email: sbt-pr@tech.softbank.co.jp