#VU13988 Information disclosure in Phusion Passenger - CVE-2018-12027


Updated: 2018-07-24

Vulnerability identifier: #VU13988

Vulnerability risk: Low

CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-12027

CWE-ID: CWE-200

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Phusion Passenger
Server applications / Application servers

Vendor: Phusion B.V.

Description

The vulnerability allows a local attacker to obtain potentially sensitive information.

The vulnerability exists due to insufficient security restrictions imposed on the SpawningKit subsystem. The issue arises when an application process managed by the affected software reports that it is listening on a certain UNIX domain socket, and the parent directories of that socket are writable by users other than the user of the application. In that case a local attacker can swap a directory with attacker-controlled contents, redirect traffic to an attacker-controlled process via an alternative, attacker-controlled UNIX domain socket, and use it to access sensitive information.
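
A defensive audit for the condition described above, as an added example that is not part of the advisory or of Passenger's own code: it walks every parent directory of a socket path and reports those that a user other than the application user or root could modify. The function names, the sticky-bit heuristic and the constructed directory tree are assumptions made for this illustration.

```python
import os
import stat
import tempfile


def unsafe_socket_parents(socket_path, app_uid):
    """Return (directory, reason) pairs for every ancestor directory of
    socket_path that a user other than app_uid or root could modify.
    Assumption: only classic mode bits are inspected, not POSIX ACLs."""
    findings = []
    directory = os.path.realpath(os.path.dirname(socket_path))
    while True:
        st = os.stat(directory)
        # In a sticky directory (e.g. /tmp) only an entry's owner, the
        # directory's owner or root may rename or delete that entry.
        sticky = bool(st.st_mode & stat.S_ISVTX)
        if st.st_uid not in (0, app_uid):
            findings.append((directory, "owned by uid %d" % st.st_uid))
        if st.st_mode & stat.S_IWOTH and not sticky:
            findings.append((directory, "world-writable, no sticky bit"))
        if st.st_mode & stat.S_IWGRP and not sticky:
            findings.append((directory, "writable by gid %d" % st.st_gid))
        parent = os.path.dirname(directory)
        if parent == directory:  # reached the filesystem root
            return findings
        directory = parent


def demo():
    """Build a constructed directory tree and return the findings inside it."""
    base = os.path.realpath(tempfile.mkdtemp())
    uid = os.geteuid()
    results = {}
    for name, mode in (("shared", 0o777), ("private", 0o755)):
        app_dir = os.path.join(base, name, "app")
        os.makedirs(app_dir)
        os.chmod(app_dir, 0o700)
        os.chmod(os.path.join(base, name), mode)  # chmod so umask is ignored
        found = unsafe_socket_parents(os.path.join(app_dir, "app.sock"), uid)
        # Keep only findings inside the constructed tree.
        results[name] = [f for f in found if f[0].startswith(base + os.sep)]
    return base, results


if __name__ == "__main__":
    base, results = demo()
    for name, found in results.items():
        print(name, found or "no unsafe parent directories")
```

Any directory it reports is one where the socket path could be replaced by another local user, so the socket should be moved under a path owned exclusively by the application user or root.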

Mitigation
Update to version 5.3.2.

Vulnerable software versions

Phusion Passenger: 5.3.0 - 5.3.1


External links
https://blog.phusion.nl/2018/06/12/passenger-5-3-2-various-security-fixes/


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

