Apache Web Server “Carpe Diem” vulnerability update

The Apache Foundation has patched a high severity privilege escalation vulnerability in Apache HTTP Server 2.4 (releases 2.4.17 to 2.4.38). Web servers should be patched as soon as possible since the bug could allow attackers a way to gain “root” or full admin access to the server.

The Apache vulnerability (CVE-2019-0211) dubbed “Carpe Diem” was reported to Apache on February 21 by a security researcher. A patch was made available on April 1st.

Apache summarized the vulnerability in recent security advisory:

“With MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard. Non-Unix systems are not affected.”

Security researcher Charles Fol described in a blog post on Wednesday details on the privilege escalation vulnerability he named CARPE (DIEM) (“Carpe Diem” is a latin phrase for “seize the day”).

Fol said the bug is triggered when Apache issues a “graceful restart” after the logrotate utility runs its restart command daily (6:25 AM to be exact), which is used to reset log file handles. Hence, the latin word “diem” (or day) was included in the name.

The vulnerability affects Multi-Processing Modules (MPMs) mod_prefork, mod_worker and mod_event. Fol provided a detailed walk through and exploit target on mod_prefork.

Windows systems are not affected, but a large number of Linux distributions were impacted.

Red Hat also released a statement as part of Bugzilla advisory (1694980):

“This flaw can only be exploited if users have access to upload and run untrusted scripts (PHP, CGI etc) on the web server. This kind of setup is very common in shared hosting environments etc.”

More updates will be shared after further analysis of the vulnerability and threat is made by vendors.