Nginx Privilege Escalation Vulnerability

Summary

    On November 15th, 2016, Dawid Golunski discovered a privilege escalation vulnerability (CVE-2016-1247) in Nginx. When Nginx creates log directories with insecure permissions, malicious local attackers may exploit the vulnerability to escalate their privileges from the Nginx/web user (www-data) to root. The Nginx web server package on Debian-based distributions such as Debian and Ubuntu is affected.

    First, attackers must gain access to the www-data account and then use scripts to replace the log files with malicious files. When the Nginx daemon re-opens the log files, the attackers can escalate privileges to root.

    The following information is displayed if the vulnerability is successfully exploited:

    [Image: blob.png]

    IMPACTS

    After attacking a web application hosted on an Nginx server, attackers can use this vulnerability to escalate from the default privilege (www-data) to root and so take full control of the system.

    SYSTEMS AFFECTED

    All versions are affected except the following versions and later versions:

    Debian: Fixed in Nginx 1.6.2-5+deb8u3

    Ubuntu: Fixed in the following Nginx versions: 

        Ubuntu 16.04 LTS: 1.10.0-0ubuntu0.16.04.3

        Ubuntu 14.04 LTS: 1.4.6-1ubuntu3.6

        Ubuntu 16.10: 1.10.1-0ubuntu1.1

Solution

    This vulnerability has been published in the official security announcements of Debian and Ubuntu. You can therefore run a system update to upgrade Nginx to the latest version:

    https://www.debian.org/security/2016/dsa-3701 

    https://www.ubuntu.com/usn/usn-3114-1/
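
    A local check for the condition described in the summary, as an added example that is not part of the original advisory: it flags a log directory that the web user owns or that is world-writable, and lists entries that are not regular files. The function names and the /var/log/nginx path in the usage comment are assumptions (the Debian/Ubuntu package default), and the script relies on GNU stat.

```shell
#!/bin/sh
# Added example, not from the advisory. Audits an nginx log directory for the
# condition behind CVE-2016-1247: a directory the web user can control.
WEB_USER="${WEB_USER:-www-data}"   # account named in the advisory

# Pure check on an owner name and an octal mode string (e.g. 755 or 1777).
# Risky when the web user owns the directory or "other" has the write bit.
dir_is_risky() {
    [ "$1" = "$WEB_USER" ] && return 0
    other=${2#"${2%?}"}            # last octal digit = permissions for "other"
    [ $(( other & 2 )) -ne 0 ]
}

# A log directory should hold only regular files; print anything else
# (symlinks, FIFOs, sockets, directories) for manual review.
list_nonregular_logs() {
    for entry in "$1"/*; do
        if [ -L "$entry" ] || { [ -e "$entry" ] && [ ! -f "$entry" ]; }; then
            printf '%s\n' "$entry"
        fi
    done
}

# Returns 0 when nothing is flagged, 1 on a finding, 2 if stat fails.
audit_log_dir() {
    dir=$1
    info=$(stat -c '%U %a' "$dir") || return 2   # GNU stat (Debian/Ubuntu)
    dir_owner=${info% *}
    dir_mode=${info#* }
    status=0
    if dir_is_risky "$dir_owner" "$dir_mode"; then
        echo "RISK: $dir is owned by $dir_owner with mode $dir_mode"
        status=1
    fi
    odd=$(list_nonregular_logs "$dir")
    if [ -n "$odd" ]; then
        echo "CHECK: non-regular entries in $dir:"
        echo "$odd"
        status=1
    fi
    return "$status"
}

# Usage: sh audit.sh /var/log/nginx   (assumed Debian/Ubuntu default path)
if [ "$#" -gt 0 ]; then
    audit_log_dir "$1"
fi
```

    A non-zero exit status means the directory needs review; group write access is not evaluated and should be checked against the web user's group membership separately.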