Bug 1097664 - VUL-0: CVE-2018-12026, CVE-2018-12027, CVE-2018-12028: rubygem-passenger: SpawningKit exploits
Status: RESOLVED DUPLICATE of bug 1097655
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Hardware: Other
OS: Other
Priority: P5 - None
Severity: Normal
Target Milestone: ---
Assigned To: Jordi Massaguer
QA Contact: Security Team bot
Depends on:
Reported: 2018-06-14 12:44 UTC by Alexander Bergmann
Modified: 2018-06-14 12:47 UTC (History)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Alexander Bergmann 2018-06-14 12:44:23 UTC

[CVE-2018-12026 - CVE-2018-12027 - CVE-2018-12028] SpawningKit exploits

Continuing our security investigation, we found a few vulnerabilities in SpawningKit, affecting Passenger versions 5.3.0 - 5.3.1. SpawningKit is a subsystem in Passenger responsible for spawning application processes, and it has gotten a major overhaul in version 5.3.0. However, this overhaul introduced new vulnerabilities, which allow a malicious app to cause:

    a local DoS on the system, or
    a local privilege escalation, or
    a local information disclosure

Malicious users on the same system, other than the app's user, could use race conditions to make Passenger connect to (and forward traffic to) arbitrary sockets.

In the first case, a malicious app could report its PID incorrectly, then fail to start, at which point Passenger would kill the PID regardless of who owned it.

In the second and third cases, reads and writes to arbitrary file paths could be induced by replacing specific path elements with symlinks.

In the last case, if any of the parent directories of the app socket dir is writable by another user (Joe) that is not the app's user (Jane), then Joe can swap that directory with contents he controls. That way, Joe can cause Passenger to connect to (and forward Jane's traffic to) a process that does not actually belong to Jane.

We mitigate these issues with extra permission checks, by using symlink-resistant I/O operations, by insisting that any sockets must be created inside the instance directory's app's subdirectory, and by not killing the PID returned by the preloader unless we have verified that it is indeed genuine (owned by the app user).
Spawning Error Reporting

During the Handshake step of spawning an app, we ensure that more kinds of spawning exceptions contain environment variable information. This will help us detect bugs or security attacks in the future.
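The two mitigations the description names (permission checks on every parent of the socket directory, and verifying a reported PID's owner before it is killed) as an added illustration in Python; this is not Passenger's own code. It walks each path component with lstat so symlinks are seen rather than followed, rejects components owned by anyone other than root or the app user or writable by other users without the sticky bit, and confirms a PID's owner through /proc. The trusted_prefix argument and the temp-dir layout in demo() are constructed for this example.

```python
import os
import stat
import tempfile


def socket_dir_problems(socket_dir, app_uid, trusted_prefix=os.sep):
    """(path, reason) per unsafe component; parts at/above trusted_prefix are assumed vetted."""
    problems = []
    current = os.sep
    for part in os.path.abspath(socket_dir).split(os.sep)[1:]:
        current = os.path.join(current, part)
        if current == trusted_prefix or trusted_prefix.startswith(current + os.sep):
            continue
        st = os.lstat(current)                 # lstat: never follow symlinks
        if stat.S_ISLNK(st.st_mode):
            problems.append((current, "symlink"))
            break                              # nothing below it can be trusted
        if st.st_uid not in (0, app_uid):
            problems.append((current, "owned by uid %d" % st.st_uid))
        # writable by others without the sticky bit: another user can rename it away
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH) and not st.st_mode & stat.S_ISVTX:
            problems.append((current, "writable by other users"))
    return problems


def pid_owned_by(pid, uid):
    """True only when /proc confirms the owner; an unverifiable PID must never be killed."""
    try:
        return os.stat("/proc/%d" % pid).st_uid == uid
    except OSError:
        return False


def demo():
    """Constructed layout under a temp dir (not a real Passenger instance)."""
    root, me = tempfile.mkdtemp(), os.getuid()
    good, loose = os.path.join(root, "jane"), os.path.join(root, "loose")
    os.mkdir(good, 0o700)
    os.mkdir(loose, 0o700)
    os.chmod(loose, 0o777)                     # anybody may rename entries in here
    os.mkdir(os.path.join(loose, "jane"), 0o700)
    os.symlink(good, os.path.join(root, "link"))
    return {
        "good": socket_dir_problems(good, me, root),
        "loose": [why for _, why in socket_dir_problems(os.path.join(loose, "jane"), me, root)],
        "link": [why for _, why in socket_dir_problems(os.path.join(root, "link"), me, root)],
        "own_pid": pid_owned_by(os.getpid(), me) if os.path.isdir("/proc") else None,
        "foreign_uid": pid_owned_by(os.getpid(), me + 1),
    }
```

A pre-check like this only narrows the race window; the socket open and connect themselves must still use symlink-resistant operations (O_NOFOLLOW, openat) as the description says.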
Comment 1 Alexander Bergmann 2018-06-14 12:47:01 UTC
bug 1097655 was opened already

*** This bug has been marked as a duplicate of bug 1097655 ***