Bugzilla – Bug 1097664
VUL-0: CVE-2018-12026, CVE-2018-12027, CVE-2018-12028: rubygem-passenger: SpawningKit exploits
Last modified: 2018-06-14 12:47:01 UTC
[CVE-2018-12026 - CVE-2018-12027 - CVE-2018-12028] SpawningKit exploits
Continuing our security investigation, we found a few vulnerabilities in SpawningKit, affecting Passenger versions 5.3.0 - 5.3.1. SpawningKit is a subsystem in Passenger responsible for spawning application processes, and it has gotten a major overhaul in version 5.3.0. However, this overhaul introduced new vulnerabilities, which allow a malicious app to cause:
a local DoS on the system, or
a local privilege escalation, or
a local information disclosure
Malicious users on the same system, other than the app's user, could use race conditions to make Passenger connect to (and forward traffic to) arbitrary sockets.
In the first case, a malicious app could report its PID incorrectly, then fail to start, at which point Passenger would kill the PID regardless of who owned it.
In the second and third cases, reads and writes to arbitrary file paths could be induced by replacing specific path elements with symlinks.
In the last case, if any of the parent directories of the app socket dir is writable by another user (Joe) that is not the app's user (Jane), then Joe can swap that directory with contents he controls. That way, Joe can cause Passenger to connect to (and forward Jane's traffic to) a process that does not actually belong to Jane.
We mitigate these issues with extra permission checks, by using symlink-resistant I/O operations, by insisting that any sockets must be created inside the app's subdirectory of the instance directory, and by not killing the PID returned by the preloader unless we have verified that it is indeed genuine (owned by the app user).
Spawning Error Reporting
During the Handshake step of spawning an app, we ensure that more kinds of spawning exceptions contain environment variable information. This will help us detect bugs or security attacks in the future.
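The two defensive checks the advisory describes, as an added Linux/C example that is not Passenger's own code: verifying that a child-reported PID really belongs to the app user before signalling it, and walking a socket-directory path component by component with O_NOFOLLOW so a symlink or a foreign-owned, writable parent directory is refused. The function names, the "owned by the app user and not group/other-writable" directory policy, and the use of /proc/<pid> ownership are this example's assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if the process with this PID is owned by expected_uid, else 0 (also when it
 * does not exist). Linux: /proc/<pid> is owned by the process's uid. */
int pid_owned_by(pid_t pid, uid_t expected_uid) {
    char path[64];
    struct stat st;
    if (pid <= 0) return 0;
    snprintf(path, sizeof path, "/proc/%ld", (long)pid);
    return stat(path, &st) == 0 && st.st_uid == expected_uid;
}

/* Signal a PID reported by a child only after verifying its owner; -1/EPERM if
 * refused. PID reuse between the check and the kill remains a narrow race. */
int kill_if_owned(pid_t pid, uid_t expected_uid, int sig) {
    if (!pid_owned_by(pid, expected_uid)) { errno = EPERM; return -1; }
    return kill(pid, sig);
}

/* Walk relpath below directory fd root one component at a time with O_NOFOLLOW
 * (a symlink swapped into any component fails with ELOOP). Constructed policy:
 * every directory must be owned by `owner` and not be group/other-writable.
 * Returns an fd for the final directory, or -1 with errno set. */
int open_trusted_dir(int root, const char *relpath, uid_t owner) {
    char buf[PATH_MAX], *save = NULL;
    struct stat st;
    if (strlen(relpath) >= sizeof buf) { errno = ENAMETOOLONG; return -1; }
    strcpy(buf, relpath);
    int cur = dup(root);
    if (cur < 0) return -1;
    for (char *c = strtok_r(buf, "/", &save); c; c = strtok_r(NULL, "/", &save)) {
        if (strcmp(c, "..") == 0) { close(cur); errno = EACCES; return -1; }
        int next = openat(cur, c, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
        close(cur);
        if (next < 0) return -1;
        if (fstat(next, &st) != 0 || st.st_uid != owner ||
            (st.st_mode & (S_IWGRP | S_IWOTH))) {
            close(next); errno = EACCES; return -1;
        }
        cur = next;
    }
    return cur;
}
```

Connecting to or creating the socket relative to the returned directory fd (connect/bind on a path resolved via that fd) keeps the verified path and the socket operation tied together, which is what closes the swap window the advisory describes.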
bug 1097655 was opened already
*** This bug has been marked as a duplicate of bug 1097655 ***