Vulnerability CVE-2018-12029

Vulnerability Name:

CVE-2018-12029 (CCN-144985)

Assigned:

2018-06-13

Published:

2018-06-13

Updated:

2019-03-08

Summary:

A race condition in the nginx module in Phusion Passenger 3.x through 5.x before 5.3.2 allows local escalation of privileges when a non-standard passenger_instance_registry_dir with insufficiently strict permissions is configured. Replacing a file with a symlink after the file was created, but before it was chowned, leads to the target of the link being chowned via the path. Targeting sensitive files such as root's crontab file allows privilege escalation.

CVSS v3 Severity:

7.0 High (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
6.1 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): High Privileges Required (PR): Low User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

8.4 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
7.3 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

CVSS v2 Severity:

4.4 Medium (CVSS v2 Vector: AV:L/AC:M/Au:N/C:P/I:P/A:P)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

7.2 High (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

Vulnerability Type:

CWE-362

Vulnerability Consequences:

Gain Privileges

References:

Source: MITRE
Type: CNA
CVE-2018-12029

Source: CCN
Type: Phusion Blog, June 12th, 2018
Passenger 5.3.2: various security fixes

Source: MISC
Type: Mitigation, Vendor Advisory
https://blog.phusion.nl/passenger-5-3-2

Source: XF
Type: UNKNOWN
phusion-cve201812029-priv-esc(144985)

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20180627 [SECURITY] [DLA 1399-1] ruby-passenger security update

Source: MISC
Type: Third Party Advisory
https://pulsesecurity.co.nz/advisories/phusion-passenger-priv-esc

Source: GENTOO
Type: Third Party Advisory
GLSA-201807-02

Source: CCN
Type: Phusion Web site
Passenger - Enterprise grade web app server for Ruby, Node.js, Python

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2018-12029

Vulnerable Configuration:

Configuration 1:

cpe:/a:phusion:passenger:*:*:*:*:*:*:*:* (Version >= 3.0.0 and < 5.3.2)

Configuration 2:

cpe:/o:debian:debian_linux:8.0:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:phusion:passenger:5.3.1:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:201812029	V	CVE-2018-12029	2022-06-30
oval:org.opensuse.security:def:113396	P	ruby2.7-rubygem-passenger-6.0.8-3.2 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:106801	P	Security update for libsndfile (Important)	2022-01-11
oval:org.opensuse.security:def:38065	P	Security update for OpenEXR (Moderate)	2021-12-01
oval:org.opensuse.security:def:39271	P	Security update for opensc (Important)	2021-10-29
oval:org.opensuse.security:def:13886	P	libapr-util1-1.5.3-1.46 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:14078	P	alsa-1.0.27.2-15.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:13998	P	pam_krb5-2.4.4-4.4 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:14729	P	perl-Config-IniFiles-2.82-3.12 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:13869	P	libXRes1-1.0.7-3.53 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:14067	P	xorg-x11-libs-7.6-45.14 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:13905	P	libgssglue1-0.4-3.76 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:14091	P	autofs-5.0.9-27.2 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:14023	P	radvd-1.9.7-2.12 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:14751	P	python3-3.4.6-25.16.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:13822	P	ft2demos-2.6.3-7.8.3 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:13754	P	xlockmore-5.43-5.33 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:13732	P	syslog-service-2.0-778.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:13724	P	socat-1.7.2.4-1.2 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:38122	P	Security update for djvulibre (Important)	2021-05-19
oval:org.opensuse.security:def:37743	P	binutils on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:37964	P	libsqlite3-0 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:37731	P	apache2-mod_jk on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:38480	P	screen on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:38547	P	apache2-mod_perl on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:38372	P	libspice-client-glib-2_0-8 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:37732	P	apache2-mod_nss on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:39229	P	raptor on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:37827	P	java-1_7_1-ibm on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:38519	P	xf86-video-intel on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:38212	P	guestfs-data on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:38591	P	fetchmail on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:38431	P	pam-modules on GA media (Moderate)	2020-12-01
oval:com.ubuntu.bionic:def:2018120290000000	V	CVE-2018-12029 on Ubuntu 18.04 LTS (bionic) - medium.	2018-06-17
oval:com.ubuntu.artful:def:201812029000	V	CVE-2018-12029 on Ubuntu 17.10 (artful) - medium.	2018-06-17
oval:com.ubuntu.xenial:def:201812029000	V	CVE-2018-12029 on Ubuntu 16.04 LTS (xenial) - medium.	2018-06-17
oval:com.ubuntu.xenial:def:2018120290000000	V	CVE-2018-12029 on Ubuntu 16.04 LTS (xenial) - medium.	2018-06-17
oval:com.ubuntu.bionic:def:201812029000	V	CVE-2018-12029 on Ubuntu 18.04 LTS (bionic) - medium.	2018-06-17
oval:com.ubuntu.disco:def:2018120290000000	V	CVE-2018-12029 on Ubuntu 19.04 (disco) - medium.	2018-06-17
oval:com.ubuntu.cosmic:def:201812029000	V	CVE-2018-12029 on Ubuntu 18.10 (cosmic) - medium.	2018-06-17
oval:com.ubuntu.cosmic:def:2018120290000000	V	CVE-2018-12029 on Ubuntu 18.10 (cosmic) - medium.	2018-06-17
oval:com.ubuntu.trusty:def:201812029000	V	CVE-2018-12029 on Ubuntu 14.04 LTS (trusty) - medium.	2018-06-17

BACK