Bug 1097655 - (CVE-2018-12026) VUL-0: CVE-2018-12026 CVE-2018-12027 CVE-2018-12028: rubygem-passenger: SpawningKit exploits
VUL-0: CVE-2018-12026 CVE-2018-12027 CVE-2018-12028: rubygem-passenger: Spawn...
: 1097664 (view as bug list)
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Manuel Schnitzer
Security Team bot
Depends on:
  Show dependency treegraph
Reported: 2018-06-14 12:21 UTC by Marcus Meissner
Modified: 2018-06-19 04:42 UTC (History)
3 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2018-06-14 12:21:25 UTC


Version 5.3.2 of the Passenger application server for Ruby, Node.js, Meteor and Python has been released. This release contains fixes for 4 CVEs and we urge you to upgrade.
[CVE-2018-12029] CHMOD race vulnerability

The Pulse Security team discovered a vulnerability in Passenger.

The file system access race condition allows for local privilege escalation and affects the Nginx module for Passenger versions 5.3.1, all the way back to 3.0.0 (the chown command entered the code in 2010).

The vulnerability was exploitable only when running a non-standard
passenger_instance_registry_dir, via a race condition where after a file was created, there was a window in which it could be replaced with a symlink before it was chowned via the path and not the file descriptor.

If the symlink target was to a file which would be executed by root such as root's crontab file, then privilege escalation was possible.

This is now mitigated by using fchmod().
Improved security warnings for various directories

We recognized that CVE-2018-12029 could be an indication of a larger class of similar vulnerabilities, so we immediately started investigating our codebase for other vulnerabilities. We found that a lot of security properties depend on the security of various directories that the user configured Passenger to use. Therefore, we've introduced more security checks into Passenger.

We now check the permissions on the instance registry directory in the same way we already check the Passenger root directory. If the instance registry directory is not secure, that can result in arbitrary file overwrites so it's good practice to fix these warnings if you see them.
[CVE-2018-12026 - CVE-2018-12027 - CVE-2018-12028] SpawningKit exploits

Continuing our security investigation, we found a few vulnerabilities in SpawningKit, affecting Passenger versions 5.3.0 - 5.3.1. SpawningKit is subsystem in Passenger responsible for spawning application processes, and it has gotten a major overhaul in version 5.3.0. However this overhaul introduced new vulnerabilities, which allow a malicious app to cause:

    a local DoS on the system, or
    a local privilege escalation, or
    a local information disclosure

Malicious users on the same system, other than the app's user, could use race conditions to make Passenger connect to (and forward traffic to) arbitrary sockets.

In the first case a malicious app could report its PID incorrectly, then fail to start at which point Passenger would kill the PID regardless of who owned it.

In the second and third case, reads and writes to arbitrary file paths could be induced by replacing specific path elements with symlinks.

In the last case if any of the parent directories of the app socket dir is writable by another user (Joe) that is not the app's user (Jane), then Joe can swap that directory with contents he controls. That way, Joe can cause Passenger to connect to (and forward Jane's traffic to) a process that does not actually belong to Jane.

We mitigate these issues with extra permission checks, by using symlink-resistant I/O operations, and by insisting that any sockets must be created inside the instance directory's app's subdirectory. As well as by not killing the PID returned by the preloader unless we have verified that it is indeed genuine (owned by the app user).
Comment 1 Alexander Bergmann 2018-06-14 12:46:15 UTC
CVE-2018-12029 has its own bug report as it affects different code and versions.

See bsc#1097663.
Comment 2 Alexander Bergmann 2018-06-14 12:47:01 UTC
*** Bug 1097664 has been marked as a duplicate of this bug. ***
Comment 3 Manuel Schnitzer 2018-06-15 05:38:47 UTC
The following CVE's don't affect us:


Shall we close this bug as CVE-2018-12029 has its own bug?
Comment 4 Marcus Meissner 2018-06-15 05:54:14 UTC