SB2018072403 - Gentoo update for Passenger




Published: July 24, 2018

Security Bulletin ID: SB2018072403
Severity: Low
Patch available: YES
Number of vulnerabilities: 4
Exploitation vector: Local access
Highest impact: Code execution

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 4 security vulnerabilities.


1) Privilege escalation (CVE-ID: CVE-2018-12026)

The vulnerability allows a local attacker to gain elevated privileges.

The vulnerability exists because the SpawningKit subsystem of the affected software allows applications to replace key files or directories in the spawning communication directory with symbolic links. A local attacker can create a symbolic link designed to submit malicious input to a targeted system, execute read and write operations on arbitrary file paths on the system, and use this to gain elevated privileges or access sensitive information.


2) Information disclosure (CVE-ID: CVE-2018-12027)

The vulnerability allows a local attacker to obtain potentially sensitive information.

The vulnerability exists due to insufficient security restrictions imposed on the SpawningKit subsystem. When an application process that is managed by the affected software reports that it is listening on a certain UNIX domain socket, and the parent directories of the application socket are writable by users other than the user of the application, a local attacker can swap a directory with attacker-controlled contents, redirect traffic to an attacker-controlled process via an alternative, attacker-controlled UNIX domain socket and use it to access sensitive information. 
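The condition described above is a path-permission problem: every directory between a trusted root and the application's socket must be unmodifiable by anyone but the application user (or root), or a third party can swap one of those directories and redirect connections. The check below is an added example written for this bulletin, not code from Passenger or Gentoo; it walks the parent chain of a socket path, reports any directory that is a symlink or that users other than the application user could write to, and treats a sticky-bit directory (like /tmp) as acceptable, which is a simplification assumed here. The `demo()` layout, the `trusted_root` parameter and the file names are constructed for the example.

```python
import os
import stat
import tempfile


def writable_by_others(st: os.stat_result, app_uid: int) -> bool:
    """True if a user other than app_uid (or root) could rename or replace
    entries in this directory.

    Simplification assumed for this example: a sticky-bit directory (mode
    1777, like /tmp) is treated as safe, because only an entry's owner may
    rename or unlink it there.
    """
    mode = st.st_mode
    if st.st_uid not in (app_uid, 0):
        return True                       # owned by a third party: they control it
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        return not (mode & stat.S_ISVTX)  # group/world writable and not sticky
    return False


def unsafe_parents(socket_path: str, app_uid: int, trusted_root: str) -> list:
    """Return the parent directories of socket_path, below trusted_root, that a
    user other than app_uid (or root) could modify.  Any symlink in the chain
    is reported too, since its owner can repoint it."""
    d = os.path.dirname(os.path.abspath(socket_path))
    trusted_root = os.path.abspath(trusted_root)
    offending = []
    while d != trusted_root and d.startswith(trusted_root + os.sep):
        st = os.lstat(d)
        if stat.S_ISLNK(st.st_mode) or writable_by_others(st, app_uid):
            offending.append(d)
        d = os.path.dirname(d)
    return offending


def demo() -> tuple:
    """Constructed layout: <root>/shared (world-writable) / app (0700) / passenger.sock.
    Returns the offending directories before and after tightening 'shared'."""
    root = tempfile.mkdtemp()
    shared = os.path.join(root, "shared")
    os.mkdir(shared)
    os.chmod(shared, 0o777)               # the weak setting: anyone can rename 'app' away
    app = os.path.join(shared, "app")
    os.mkdir(app)
    os.chmod(app, 0o700)
    sock = os.path.join(app, "passenger.sock")

    before = unsafe_parents(sock, os.getuid(), root)
    os.chmod(shared, 0o755)               # the corrected setting
    after = unsafe_parents(sock, os.getuid(), root)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("offending before fix:", before)
    print("offending after fix:", after)
```

The check is run once per reported socket path; a non-empty result means the socket should be refused rather than connected to, since any of the listed directories could be exchanged underneath it.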


3) Improper access control (CVE-ID: CVE-2018-12028)

The vulnerability allows a local attacker to bypass security restrictions.

The vulnerability exists due to improper access control in the SpawningKit subsystem of the affected software. A local attacker can use a Passenger-managed malicious application which, upon spawning a child process, reports an arbitrary different PID back to Passenger's process manager. If the malicious application then generates an error, Passenger's process manager kills the reported arbitrary PID.


4) Race condition (CVE-ID: CVE-2018-12029)

The vulnerability allows a local attacker to gain elevated privileges.

The vulnerability exists due to a race condition that can occur when a non-standard passenger_instance_registry_dir setting in the Nginx module is configured with insufficient permissions. A local attacker can replace a file with a symbolic link after the file has been created but before its ownership has been changed, and gain elevated privileges on the system if the target of the symbolic link is a file that is executed as root, such as the crontab file.
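The race above comes from operating on a path twice: create the file by name, then chown/chmod it by name, with a window in between where the name can be repointed. The example below is added for this bulletin and is not Passenger's own code. It shows the racy pattern beside a hardened one that creates the file with `O_CREAT|O_EXCL|O_NOFOLLOW` and then applies permissions and ownership to the open descriptor with `fchmod`/`fchown`, so a planted link is refused instead of followed. The `demo()` function constructs a stand-in "victim" file and a planted link in a temporary directory; the file names, the `create_owned_file` name and the optional `uid`/`gid` parameters are assumptions of the example.

```python
import os
import stat
import tempfile


def racy_create(path: str, mode: int) -> None:
    """The pattern the bulletin describes: create by path, then fix permissions
    by path.  Both steps follow symlinks, so a link planted at `path` between
    (or before) them redirects the write and the chmod to its target."""
    with open(path, "w") as f:
        f.write("lock\n")
    os.chmod(path, mode)


def create_owned_file(path: str, mode: int, uid=None, gid=None) -> bool:
    """Hardened form: create atomically, refuse to follow a link, and apply
    permissions/ownership to the descriptor rather than the path.  Returns
    False if something already occupies `path` (a file or a symlink)."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    try:
        fd = os.open(path, flags, 0o600)
    except OSError:
        return False                      # EEXIST/ELOOP: refuse rather than follow
    try:
        os.fchmod(fd, mode)               # acts on the inode we just created
        if uid is not None:               # only meaningful when running as root
            os.fchown(fd, uid, -1 if gid is None else gid)
        os.write(fd, b"lock\n")
    finally:
        os.close(fd)
    return True


def demo() -> dict:
    """Constructed scenario: a link at the registry file name pointing at a
    stand-in for a root-only file.  Returns what each variant did to it."""
    root = tempfile.mkdtemp()
    victim = os.path.join(root, "victim")   # stands in for a file such as a crontab
    with open(victim, "w") as f:
        f.write("original\n")
    os.chmod(victim, 0o600)
    target = os.path.join(root, "instance.lock")
    os.symlink(victim, target)              # constructed: the planted link

    safe_ok = create_owned_file(target, 0o644)
    with open(victim) as f:
        after_safe = f.read()               # untouched: the link was refused

    racy_create(target, 0o644)
    with open(victim) as f:
        after_racy = f.read()               # overwritten and re-moded through the link

    return {
        "safe_created": safe_ok,
        "victim_after_safe": after_safe,
        "victim_after_racy": after_racy,
        "victim_mode_after_racy": stat.S_IMODE(os.stat(victim).st_mode),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Two points carry the mitigation: `O_EXCL` makes creation fail if any entry, link included, already has the name, and every later step uses the descriptor, so nothing between creation and ownership change can be redirected by renaming the path. Keeping the registry directory itself non-writable by other users removes the attacker's ability to plant the link in the first place.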


Remediation

Install the update from the vendor's website.