Bugzilla – Bug 875826
VUL-1: CVE-2014-0185: php53: php-fpm: privilege escalation due to insecure default config
Last modified: 2019-06-17 22:47:26 UTC
-------- Original message --------
Subject: [vs] php-fpm: privilege escalation due to insecure default config
Date: Tue, 15 Apr 2014 21:49:57 +0200
From: Christian Hoffmann <mail@...fmann-christian.info>
To: distros@...openwall.org

Hi,

PHP FPM is the FastCGI Process Manager for PHP which can manage several pools of PHP FastCGI processors, often running with different user permissions for privilege separation. Web servers connect to these pools through one socket per configured process pool.

When using UNIX sockets, the socket's permissions default to 0666 if not overridden explicitly ("listen.mode"). This is true even if the owner of the socket is changed explicitly ("listen.user", "listen.group").

Depending on the concrete scenario, this may result in privilege escalation. Any local user with the ability to connect to UNIX sockets can run arbitrary (PHP) code with the target process pool's permissions [1].

Ubuntu 14.04 Beta's default config seems to be vulnerable, any local user can run code as the 'www-data' user [2]. Other versions or distributions have not been tested, but may well be vulnerable, too.

This issue is both about the example config [3] and the actual code [4].

No CVE has been requested by me or the PHP team (AFAIK) so far.

Stanislav Malyshev from the PHP team has prepared a patch [5], which will be part of php-5.4.28.

This issue is not public yet. Suggested embargo date: 2014-04-29

References (some still marked private at the time of writing):
[1] https://bugs.php.net/bug.php?id=67060
[2] https://bugs.launchpad.net/ubuntu/+source/php5/+bug/1307027
[3] https://github.com/php/php-src/blob/php-5.5.11/sapi/fpm/php-fpm.conf.in#L172
[4] https://github.com/php/php-src/blob/php-5.5.11/sapi/fpm/fpm/fpm_unix.c#L31
[5] https://hoffmann-christian.info/files/php-fpm/0001-Fix-bug-67060-use-default-mode-of-660.patch

Kind regards,
Christian Hoffmann
--------

CVE-2014-0185 was assigned to this issue.
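A defender-side check for the condition the report describes: given a pool configuration, work out the mode the socket will be created with and whether the others-write bit (which on Linux is what lets a process connect to a UNIX socket) is set. This is an added example, not code from the report, from SUSE or from the PHP project; the two pool files are constructed here, the defaults (0666 unset before the fix for bug 67060, 0660 from php-5.4.28 on) are taken from the report, and the directive spelled `listen.user` in the report is written with php-fpm's actual name `listen.owner`.

```shell
#!/bin/sh
# Added example (not part of the bug report or of php-fpm): audit a php-fpm
# pool's UNIX socket exposure. Per the report, with listen.mode unset the
# socket is created 0666 before the fix for bug 67060 and 0660 from
# php-5.4.28 on. On Linux, connecting to a UNIX socket needs write permission
# on it, so an others-write bit means every local user can submit FastCGI
# requests (and so run PHP) as the pool's user.

# Write two constructed sample pool files into directory $1:
# weak.conf     - owner set but listen.mode left at the default, the scenario
#                 from the report; the commented line mirrors shipped examples
# hardened.conf - explicit 0660, so only the owner/group (the web server) connects
write_sample_pools() {
    cat > "$1/weak.conf" <<'EOF'
[www]
user = www-data
group = www-data
listen = /var/run/php5-fpm.sock
listen.owner = www-data
listen.group = www-data
;listen.mode = 0660
EOF
    cat > "$1/hardened.conf" <<'EOF'
[www]
user = www-data
group = www-data
listen = /var/run/php5-fpm.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
EOF
}

# Effective socket mode for pool file $1: the last uncommented listen.mode,
# else the default for $2 = "pre" (0666) or "post" (0660, patched builds).
# Always printed as four octal digits.
fpm_effective_mode() {
    mode=$(sed -n 's/^[[:space:]]*listen\.mode[[:space:]]*=[[:space:]]*\([0-7]\{3,4\}\).*/\1/p' "$1" | tail -n 1)
    if [ -z "$mode" ]; then
        if [ "$2" = "post" ]; then mode=0660; else mode=0666; fi
    fi
    mode=${mode#0}          # "0660" -> "660"; "660" stays "660"
    printf '0%s\n' "$mode"  # -> "0660"
}

# "exposed" if the others-write bit of the effective mode is set, else "restricted".
fpm_socket_exposure() {
    m=$(fpm_effective_mode "$1" "$2")
    case "${m#???}" in
        2|3|6|7) echo exposed ;;
        *)       echo restricted ;;
    esac
}

# Same verdict for a path already on disk (a live socket, or any file):
# column 9 of `ls -l` is the others-write flag on GNU and BSD ls alike.
path_exposure() {
    case "$(ls -ld "$1" | cut -c9)" in
        w) echo exposed ;;
        *) echo restricted ;;
    esac
}

# Stand-alone run: report both samples under both defaults.
tmp=$(mktemp -d)
write_sample_pools "$tmp"
for pool in weak hardened; do
    for build in pre post; do
        printf '%-9s %-4s mode %s -> %s\n' "$pool" "$build" \
            "$(fpm_effective_mode "$tmp/$pool.conf" "$build")" \
            "$(fpm_socket_exposure "$tmp/$pool.conf" "$build")"
    done
done
rm -rf "$tmp"
```

The weak pool is reported as exposed only under the pre-fix default, which is the point of the patch: the fix changes what an unset `listen.mode` means, while an explicit `listen.mode = 0660` is safe on either build, and an explicit 0666 remains a deliberate choice, as Stas Malyshev notes below. `path_exposure` can be pointed at the running socket path from `listen` to confirm the deployed state rather than the configured one.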
The SWAMPID for this issue is 57163. This issue was rated as moderate. Please submit fixed packages until 2014-05-14. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
Affected packages: SLE-11-SP3: php53
This also affects openSUSE:12.3 and openSUSE:13.1.
bugbot adjusting priority
Small warning from php-security:
---------------
On 15/04/2014 20:21, Stas Malyshev wrote:
> Hi!
>
> Attached is a patch for FPM that changes the mode for FPM to 660.

I think this patch is going to break a lot of running configuration where people run a frontend (apache, nginx, ...) to connect to one or various fpm backend, running on different accounts and rely on default perm.

This vulnerability requires a local account, and shared hosting couldn't be really secured...

Having to run 1 frontend for each backend kills all the benefits of fpm (multi-pool, start in demand, ...)

Remi.
------------------------

And follow up:
---------------------
Hi!

> I think this patch is going to break a lot of running configuration
> where people run a frontend (apache, nginx, ...) to connect to one or
> various fpm backend, running on different accounts and rely on default perm.

You are right, but this should be trivially fixable, and in any case, separating accounts which have access to the socket from those who do not may be a good idea. Of course, it does not provide airtight security, but it does make default config more robust. I.e. right now if somebody runs FPM with default setting, any user on that machine has access to any users running under FPM, even though people may not realize that. I think such thing should be made as explicit decision, not by default. If you want to run setup with 666, you can, but you have to tell that explici

> Having to run 1 frontend for each backend kills all the benefits of fpm
> (multi-pool, start in demand, ...)

But this patch does not prevent you from putting mode 666 there, it just changes the default. If you know what you're doing you still can. But I think there is place for the argument that default should be more secure setting, not less secure.
----------------
Submitted into factory and sle12.
Packages have been submitted.
FWIW, we currently do not ship php53-fpm on SLES 11 SP3 ...
$ is_maintained php53-fpm
<empty>
$
Thanks, I'll remove these fixes from there then. Reassigning back to me so I don't forget.
We do not ship FPM yet, and it is fixed in Factory and SLE 12.
Submitted to 12.3 and 13.1 again.
openSUSE-SU-2014:0784-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 868624,875826,880904,880905
CVE References: CVE-2014-0185,CVE-2014-0237,CVE-2014-0238,CVE-2014-2497
Sources used:
openSUSE 13.1 (src): php5-5.4.20-8.2
openSUSE 12.3 (src): php5-5.3.17-3.12.2
openSUSE 12.2 (src): php5-5.3.15-1.25.1
openSUSE-SU-2014:0786-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 868624,875826,880904,880905
CVE References: CVE-2014-0185,CVE-2014-0237,CVE-2014-0238,CVE-2014-2497
Sources used:
openSUSE 11.4 (src): php5-5.3.5-363.2