#VU13991 Improper access control in Phusion Passenger - CVE-2018-12028

Cybersecurity Help s.r.o.

Published: 2018-07-24

Vulnerability identifier: #VU13991

Vulnerability risk: Low

CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-12028

CWE-ID: CWE-284

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Phusion Passenger
Server applications / Application servers

Vendor: Phusion B.V.

Description

The vulnerability allows a local attacker to bypass security restrictions.

The vulnerability exists due to improper access control in the SpawningKit subsystem of the affected software. A local attacker can use Passenger-managed malicious application, upon spawning a child process, to report an arbitrary different PID back to Passenger's process manager. If the malicious application then generates an error, it would cause Passenger's process manager to kill said reported arbitrary PID.

Mitigation
Update to version 5.3.2.

Vulnerable software versions

Phusion Passenger: 5.3.0 - 5.3.1

External links
https://blog.phusion.nl/2018/06/12/passenger-5-3-2-various-security-fixes/

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Gentoo update for Passenger

Multiple vulnerabilities in Phusion Passenger