Bug 875826 - (CVE-2014-0185) VUL-1: CVE-2014-0185: php53: php-fpm: privilege escalation due to insecure default config
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: openSUSE 13.2
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Petr Gajdos
QA Contact: Security Team bot
Reported: 2014-04-30 11:54 UTC by Alexander Bergmann
Modified: 2019-06-17 22:47 UTC
Description Alexander Bergmann 2014-04-30 11:54:10 UTC
-------- Original message --------
Subject: [vs] php-fpm: privilege escalation due to insecure default config
Date: Tue, 15 Apr 2014 21:49:57 +0200
From: Christian Hoffmann <mail@...fmann-christian.info>
To: distros@...openwall.org

Hi,

PHP FPM is the FastCGI Process Manager for PHP which can manage several
pools of PHP FastCGI processors, often running with different user
permissions for privilege separation. Web servers connect to these pools
through one socket per configured process pool.

When using UNIX sockets, the socket's permissions default to 0666 if not
overridden explicitly ("listen.mode"). This is true even if the owner of
the socket is changed explicitly ("listen.user", "listen.group").

Depending on the concrete scenario, this may result in privilege escalation.
Any local user with the ability to connect to UNIX sockets can run
arbitrary (PHP) code with the target process pool's permissions [1].

Ubuntu 14.04 Beta's default config seems to be vulnerable; any local
user can run code as the 'www-data' user [2]. Other versions or
distributions have not been tested, but may well be vulnerable, too.

This issue is both about the example config [3] and the actual code [4].

No CVE has been requested by me or the PHP team (AFAIK) so far.

Stanislav Malyshev from the PHP team has prepared a patch [5], which
will be part of php-5.4.28.

This issue is not public yet. Suggested embargo date: 2014-04-29

References (some still marked private at the time of writing):

[1] https://bugs.php.net/bug.php?id=67060
[2] https://bugs.launchpad.net/ubuntu/+source/php5/+bug/1307027
[3] https://github.com/php/php-src/blob/php-5.5.11/sapi/fpm/php-fpm.conf.in#L172
[4] https://github.com/php/php-src/blob/php-5.5.11/sapi/fpm/fpm/fpm_unix.c#L31
[5] https://hoffmann-christian.info/files/php-fpm/0001-Fix-bug-67060-use-default-mode-of-660.patch

Kind regards,

Christian Hoffmann
--------

CVE-2014-0185 was assigned to this issue.
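The weak default described in the report, as an added audit example that is not part of this bug, the PHP project or any distribution's tooling: it parses a constructed php-fpm pool configuration, applies the pre-fix rule stated above (no `listen.mode` means 0666, regardless of `listen.owner`/`listen.group`), flags every pool whose UNIX socket would be reachable by any local user, and then shows the same check on a throwaway socket in a temporary directory with the old 0666 default beside the 0660 default from the php-5.4.28 patch. The pool names, paths and function names are this example's own assumptions, as is the heuristic that a `listen` value starting with `/` is a UNIX socket path.

```python
import configparser
import os
import socket
import stat
import tempfile

# Constructed sample pool configuration (not from any real distribution).
# "www" relies on the implicit default, "tcp" is out of scope, and
# "hardened" sets the mode the upstream patch made the new default.
SAMPLE_POOL_CONF = """
[www]
user = www-data
group = www-data
listen = /run/php5-fpm.sock
listen.owner = www-data
listen.group = www-data

[tcp]
user = nobody
listen = 127.0.0.1:9000

[hardened]
user = www-data
group = www-data
listen = /run/php5-fpm-hardened.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
"""

# Mode php-fpm applied before the fix when listen.mode was absent.
INSECURE_DEFAULT_MODE = 0o666
# Connecting to a UNIX socket needs write permission on its inode, so the
# bits granted to "other" decide whether every local user can reach the pool.
WORLD_RW = stat.S_IROTH | stat.S_IWOTH


def effective_socket_mode(pool):
    """Return the mode php-fpm would apply to the pool's UNIX socket."""
    raw = pool.get("listen.mode")
    if raw is None:
        return INSECURE_DEFAULT_MODE
    return int(raw, 8)  # php-fpm reads the value as octal, e.g. 0660


def audit_pool_config(text):
    """Parse php-fpm pool config text; return {pool name: finding}.

    Assumption: a 'listen' value beginning with '/' is a filesystem path
    (UNIX socket); anything else is treated as a TCP listener.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)  # ';' comments are handled by configparser
    findings = {}
    for name in parser.sections():
        pool = parser[name]
        listen = pool.get("listen", "")
        if not listen.startswith("/"):
            findings[name] = "tcp listener, not affected"
            continue
        mode = effective_socket_mode(pool)
        if mode & WORLD_RW:
            source = "explicit" if "listen.mode" in pool else "implicit default"
            findings[name] = "world-accessible socket (%s mode %04o)" % (source, mode)
        else:
            findings[name] = "ok (mode %04o)" % mode
    return findings


def socket_world_writable(path):
    """True if the file at path is a UNIX socket other users can connect to."""
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError("%s is not a socket" % path)
    return bool(st.st_mode & stat.S_IWOTH)


def demo_live_socket():
    """Bind a throwaway socket and compare the old and the fixed default mode."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "demo.sock")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        srv.bind(path)
        os.chmod(path, INSECURE_DEFAULT_MODE)  # pre-fix behaviour
        before = socket_world_writable(path)
        os.chmod(path, 0o660)  # default introduced by the php-5.4.28 patch
        after = socket_world_writable(path)
    finally:
        srv.close()
        os.unlink(path)
        os.rmdir(tmpdir)
    return before, after


if __name__ == "__main__":
    for pool, finding in audit_pool_config(SAMPLE_POOL_CONF).items():
        print("%-10s %s" % (pool, finding))
    print("world-writable with 0666 / with 0660:", demo_live_socket())
```

On a real host the same two checks apply to the pool files under the php-fpm include directory and to the socket paths they name; a pool that sets `listen.owner` and `listen.group` but no `listen.mode` is exactly the case the report calls out, because the ownership change does nothing to the "other" bits.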
Comment 1 Swamp Workflow Management 2014-04-30 12:04:43 UTC
The SWAMPID for this issue is 57163.
This issue was rated as moderate.
Please submit fixed packages until 2014-05-14.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 2 SMASH SMASH 2014-04-30 12:05:13 UTC
Affected packages:

SLE-11-SP3: php53
Comment 3 Alexander Bergmann 2014-04-30 12:13:42 UTC
This also affects openSUSE:12.3 and openSUSE:13.1.
Comment 4 Swamp Workflow Management 2014-04-30 22:00:20 UTC
bugbot adjusting priority
Comment 5 Petr Gajdos 2014-05-06 08:53:02 UTC
Small warning from php-security:

---------------
On 15/04/2014 20:21, Stas Malyshev wrote:
> Hi!
> 
> Attached is a patch for FPM that changes the mode for FPM to 660.

I think this patch is going to break a lot of running configurations
where people run a frontend (apache, nginx, ...) to connect to one or
several fpm backends, running on different accounts and relying on the default perms.

This vulnerability requires a local account, and shared hosting can't
really be secured...

Having to run 1 frontend for each backend kills all the benefits of fpm
(multi-pool, start on demand, ...)


Remi.
------------------------

And follow up:

---------------------
Hi!

> I think this patch is going to break a lot of running configurations
> where people run a frontend (apache, nginx, ...) to connect to one or
> several fpm backends, running on different accounts and relying on the default perms.

You are right, but this should be trivially fixable, and in any case,
separating accounts which have access to the socket from those which do
not may be a good idea. Of course, it does not provide airtight
security, but it does make the default config more robust. I.e. right now if
somebody runs FPM with the default settings, any user on that machine has
access to any user running under FPM, even though people may not
realize that. I think such a thing should be made an explicit decision,
not the default.
If you want to run a setup with 666, you can, but you have to state that
explici

> Having to run 1 frontend for each backend kills all the benefits of fpm
> (multi-pool, start on demand, ...)

But this patch does not prevent you from putting mode 666 there, it just
changes the default. If you know what you're doing you still can. But I
think there is place for the argument that default should be more secure
setting, not less secure.
----------------
Comment 7 Petr Gajdos 2014-05-07 12:12:48 UTC
Submitted into factory and sle12.
Comment 9 Petr Gajdos 2014-05-09 09:26:57 UTC
Packages have been submitted.
Comment 11 Marcus Meissner 2014-05-09 15:06:06 UTC
FWIW, we currently do not ship php53-fpm on SLES 11 SP3 ...
Comment 12 Marcus Meissner 2014-05-09 15:08:25 UTC
$ is_maintained php53-fpm 
<empty>
$
Comment 13 Petr Gajdos 2014-05-12 08:11:39 UTC
Thanks, I'll remove these fixes from there then.
Reassigning back to me so I don't forget.
Comment 14 Johannes Segitz 2014-05-23 10:53:40 UTC
We do not ship FPM yet, and it is fixed in Factory and SLE 12.
Comment 15 Petr Gajdos 2014-05-23 13:18:07 UTC
Submitted to 12.3 and 13.1 again.
Comment 16 Swamp Workflow Management 2014-06-12 15:05:37 UTC
openSUSE-SU-2014:0784-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 868624,875826,880904,880905
CVE References: CVE-2014-0185,CVE-2014-0237,CVE-2014-0238,CVE-2014-2497
Sources used:
openSUSE 13.1 (src):    php5-5.4.20-8.2
openSUSE 12.3 (src):    php5-5.3.17-3.12.2
openSUSE 12.2 (src):    php5-5.3.15-1.25.1
Comment 17 Swamp Workflow Management 2014-06-12 19:04:33 UTC
openSUSE-SU-2014:0786-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 868624,875826,880904,880905
CVE References: CVE-2014-0185,CVE-2014-0237,CVE-2014-0238,CVE-2014-2497
Sources used:
openSUSE 11.4 (src):    php5-5.3.5-363.2