Bug 1563858 (CVE-2018-10545) - CVE-2018-10545 php: Dumpable FPM child processes allow bypassing opcache access controls
Summary: CVE-2018-10545 php: Dumpable FPM child processes allow bypassing opcache acce...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-10545
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1563859 1563860 1598571 1598572 1598573
Blocks: 1563865
TreeView+ depends on / blocked
 
Reported: 2018-04-04 23:09 UTC by Laura Pardo
Modified: 2019-09-29 14:35 UTC (History)
6 users (show)

Fixed In Version: php 5.6.35, php 7.0.29, php 7.1.16, php 7.2.4
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-19 08:47:08 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:2519 None None None 2019-08-19 08:42:26 UTC

Description Laura Pardo 2018-04-04 23:09:18 UTC
A flaw was found in PHP versions 5.6 and 7.x. After changing UID and GID, PHP-FPM sets pool worker processes to be dumpable. This allows a local user with the same UID and GID to attach to the PHP-FPM workers and gain access to any restricted resources that are not supposed to be allowed. As a result sensitive configuration data for other accounts can be accessed directly in the PHP worker process's memory.


References:
https://bugs.php.net/bug.php?id=75605

Patch:
https://bugs.php.net/patch-display.php?bug_id=75605&patch=bug75605-patch-for-5-6&revision=latest
https://bugs.php.net/patch-display.php?bug_id=75605&patch=bug75605-patch-for-7-0&revision=latest

Comment 1 Laura Pardo 2018-04-04 23:10:13 UTC
Created php tracking bugs for this issue:

Affects: fedora-all [bug 1563860]

Comment 9 Scott Gayou 2018-07-05 20:25:53 UTC
Statement:

Red Hat Product Security has rated this issue as having a security impact of Low, and a future update may address this flaw.

Comment 10 Scott Gayou 2018-07-06 16:26:34 UTC
PHP's opcache contains sensitive shared memory used to cache php bytecode. This memory pool is shared by children of the php-fpm process (workers) who are spawned by root then change uid/guid to another user. When this happens, the dumpable process flag gets set back to /proc/sys/fs/suid_dumpable (0).

php-fpm needs to be able to ptrace these processes for functionality related reasons. However, as php-fpm already runs as root, setting this flag is redundant and has the side-effect of allowing lower privileged users to dump the worker processes which can contain sensitive memory.

For example, if a php-fpm worker spawned as apache:apache, the apache user could then ptrace the process and get access to other workers memory via the opcache. Exploiting this would require already being on the system -- shared hosting seems like the most obvious case.

Here's a vulnerable php-fpm with a worker running as apache:

bash-4.2$ whoami
apache
bash-4.2$ ps
  PID TTY          TIME CMD
27985 pts/0    00:00:00 php-fpm
27986 pts/0    00:00:00 php-fpm
27987 pts/0    00:00:00 php-fpm
27988 pts/0    00:00:00 php-fpm
27989 pts/0    00:00:00 php-fpm
27993 pts/0    00:00:00 bash
27995 pts/0    00:00:00 ps
bash-4.2$ gcore 27989
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
0x00007f3b0ecdcb40 in __accept_nocancel () from /lib64/libc.so.6
Saved corefile core.27989

Here's a run after I patched it as user nobody:

bash-4.2$ whoami
nobody
bash-4.2$ ps
  PID TTY          TIME CMD
27821 pts/1    00:00:00 php-fpm
27822 pts/1    00:00:00 php-fpm
27831 pts/1    00:00:00 bash
27842 pts/1    00:00:00 ps
bash-4.2$ gcore 27822
ptrace: Operation not permitted.
You can't do that without a process to debug.
The program is not being run.
gcore: failed to create core.27822

So before we can dump as the user, after we cannot.

Comment 11 errata-xmlrpc 2019-08-19 08:41:04 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2019:2519 https://access.redhat.com/errata/RHSA-2019:2519

Comment 12 Product Security DevOps Team 2019-08-19 08:47:08 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-10545


Note You need to log in before you can comment on or make changes to this bug.