CVE-2020-13938 Overview
CVE-2020-13938 is a Missing Authorization vulnerability (CWE-862) affecting Apache HTTP Server versions 2.4.0 through 2.4.46 running on Microsoft Windows. This flaw allows unprivileged local users to stop the httpd service, resulting in a denial of service condition. The vulnerability stems from insufficient access control checks on service management operations, enabling any local user—regardless of privilege level—to terminate the web server process.
Critical Impact
Unprivileged local users can cause a denial of service by stopping the Apache HTTP Server on Windows systems, potentially disrupting web services and dependent applications.
Affected Products
- Apache HTTP Server versions 2.4.0 to 2.4.46 (on Windows)
- McAfee ePolicy Orchestrator (multiple versions including 5.10.0 and updates 1-12)
- NetApp Cloud Backup
- Microsoft Windows (as the affected operating system platform)
Discovery Timeline
- 2021-06-10 - CVE-2020-13938 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-13938
Vulnerability Analysis
This vulnerability represents a Missing Authorization flaw in Apache HTTP Server's Windows service management functionality. The root cause lies in the insufficient privilege validation when processing service control requests on Windows platforms. When Apache httpd is installed as a Windows service, the service control mechanisms fail to properly verify that the requesting user has appropriate administrative privileges before allowing service stop operations.
The attack requires local access to the affected Windows system, meaning an attacker must have the ability to execute commands on the target machine. However, no elevated privileges are required—any standard user account can exploit this vulnerability. The impact is limited to availability, as the vulnerability does not enable unauthorized data access or system modification beyond service disruption.
Root Cause
The vulnerability exists due to improper access control implementation in the Apache HTTP Server's Windows service handling code. The service management interface does not adequately enforce authorization checks, allowing users without administrative privileges to issue stop commands to the httpd service. This represents a violation of the principle of least privilege, where service control operations should be restricted to administrators or specifically authorized accounts.
Attack Vector
The attack vector is local, requiring the attacker to have authenticated access to the target Windows system. An unprivileged local user can exploit this vulnerability by issuing service control commands to stop the Apache HTTP Server. This could be accomplished through standard Windows service management interfaces or command-line utilities.
The attack does not require user interaction and has low complexity, making it trivial to execute once local access is obtained. While the vulnerability does not allow code execution or privilege escalation, the ability to disrupt web services can have significant operational impact, particularly in environments where Apache httpd serves critical applications or acts as a reverse proxy for backend services.
Detection Methods for CVE-2020-13938
Indicators of Compromise
- Unexpected Apache HTTP Server service stops on Windows systems, particularly when no maintenance is scheduled
- Service control events in Windows Event Log initiated by non-administrative user accounts
- Multiple service stop/start cycles indicating potential abuse or testing of the vulnerability
- User accounts with no legitimate reason accessing service control functions for Apache
Detection Strategies
- Monitor Windows Event Log for Service Control Manager events (Event ID 7036) related to Apache HTTP Server
- Implement alerts for service stops initiated by non-administrative user accounts using Windows Security Auditing
- Deploy endpoint detection solutions that monitor for unauthorized service management activities
- Correlate service disruption events with user login sessions to identify suspicious patterns
Monitoring Recommendations
- Enable Windows Security Auditing for service control events and forward logs to a centralized SIEM
- Configure alerts for Apache httpd service state changes outside of scheduled maintenance windows
- Monitor for repeated service stop attempts that could indicate exploitation or reconnaissance
- Track service availability metrics to quickly identify denial of service conditions
How to Mitigate CVE-2020-13938
Immediate Actions Required
- Upgrade Apache HTTP Server to version 2.4.47 or later, which contains the fix for this vulnerability
- Review and restrict local user access on systems running Apache HTTP Server on Windows
- Implement service control restrictions using Windows Group Policy to limit who can manage the Apache service
- Audit all user accounts with local access to affected systems and remove unnecessary accounts
Patch Information
Apache has released security patches addressing this vulnerability in Apache HTTP Server version 2.4.47 and later. Administrators should consult the Apache HTTP Server Security Vulnerabilities page for detailed patch information and upgrade instructions. Organizations using McAfee ePolicy Orchestrator should review the McAfee Security Bulletin SB10379 for specific guidance. NetApp customers should refer to the NetApp Advisory NTAP-20210702-0001 for affected product versions and remediation steps.
Workarounds
- Restrict local access to Windows servers running Apache HTTP Server to only essential administrative personnel
- Use Windows Local Security Policy or Group Policy to restrict service control permissions for the Apache service
- Implement application-level monitoring to automatically restart the Apache service if unexpectedly stopped
- Consider running Apache httpd under a dedicated service account with restricted permissions
# Windows command to restrict service permissions (run as Administrator)
# This restricts the Apache service control to Administrators only
sc sdset Apache2.4 "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
