Nginx Privilege Escalation Vulnerability
- Date Published: 2016-11-22
- Last Updated: 2016-11-22
- Version Affected: Nginx
- CVE: CVE-2016-1247
On November 15th, 2016, Dawid Golunski discovered a privilege escalation vulnerability (CVE-2016-1247) in Nginx. When Nginx creates log directories with insecure permissions, malicious local attackers may exploit the vulnerability to escalate their privileges from the Nginx/web user (www-data) to root. The Nginx web server package on Debian-based distributions such as Debian or Ubuntu is affected.
First, attackers must gain access to the www-data account and then use scripts to replace the log files with malicious files. When the Nginx daemon re-opens the log files, attackers can escalate privileges to root.
The following information will display if the vulnerability is successfully exploited:
After attacking a web application hosted on an Nginx server, attackers can take advantage of this vulnerability to escalate the default privilege (www-data) to root and so fully control the system.
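A defender-side check for the condition described above, as an added example that is not part of the original advisory: it flags a log directory that is not owned by a trusted account, is group- or world-writable, or contains log files that have been replaced by symlinks. The function names and the `/var/log/nginx` path are assumptions, and the sample tree is constructed.

```python
import os
import stat
import sys
import tempfile


def audit_log_dir(log_dir, trusted_uid=0):
    """Return (finding, path) tuples for conditions that let a non-root
    account swap log files before a root-owned daemon re-opens them."""
    findings = []
    st = os.lstat(log_dir)
    if stat.S_ISLNK(st.st_mode):
        return [("dir-is-symlink", log_dir)]
    # The directory owner can delete and recreate any entry inside it.
    if st.st_uid != trusted_uid:
        findings.append(("dir-owner-not-trusted", log_dir))
    # Group/other write permission grants the same ability more widely.
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(("dir-group-or-world-writable", log_dir))
    for name in sorted(os.listdir(log_dir)):
        path = os.path.join(log_dir, name)
        # lstat does not follow links, so a replaced log shows up as a symlink.
        if stat.S_ISLNK(os.lstat(path).st_mode):
            findings.append(("log-is-symlink", path))
    return findings


def demo():
    """Audit a constructed tree: one regular log and one symlinked log."""
    root = tempfile.mkdtemp()
    logs = os.path.join(root, "nginx")
    os.mkdir(logs)
    os.chmod(logs, 0o755)
    open(os.path.join(logs, "access.log"), "w").close()
    os.symlink(os.path.join(root, "elsewhere"), os.path.join(logs, "error.log"))
    # The temp tree belongs to the current user, so trust that uid here;
    # on a real host keep the default of 0 (root).
    return logs, audit_log_dir(logs, trusted_uid=os.getuid())


if __name__ == "__main__":
    # Assumed path for the packaged log directory: /var/log/nginx
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = audit_log_dir(target) if target else demo()[1]
    for finding, path in results:
        print(f"{finding}: {path}")
    sys.exit(1 if results else 0)
```

Run with the log directory as the only argument; a non-zero exit status means at least one finding was reported.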
All versions are affected except the following versions and later:
- Debian: Fixed in Nginx 1.6.2-5+deb8u3
- Ubuntu: Fixed in the following Nginx versions:
  - Ubuntu 16.04 LTS: 1.10.0-0ubuntu0.16.04.3
  - Ubuntu 14.04 LTS: 1.4.6-1ubuntu3.6
  - Ubuntu 16.10: 1.10.1-0ubuntu1.1
This vulnerability has been publicized in official security announcements of Debian and Ubuntu. Therefore, you can perform system updates to update Nginx to the latest version: