CVE-2018-12028 : Security Advisory and Response

Discover the impact of CVE-2018-12028, an Incorrect Access Control vulnerability in Phusion Passenger 5.3.x versions before 5.3.2, allowing malicious applications to manipulate processes and potentially cause unintended terminations.

A vulnerability was discovered in SpawningKit in Phusion Passenger 5.3.x versions earlier than 5.3.2, allowing a malicious application to manipulate child processes and falsely report PIDs to Passenger's process manager, potentially leading to unintended terminations.

Understanding CVE-2018-12028

What is CVE-2018-12028?

This CVE refers to an Incorrect Access Control vulnerability in SpawningKit in Phusion Passenger 5.3.x versions before 5.3.2, enabling a malicious application to deceive Passenger's process manager about the PID of a child process.

The Impact of CVE-2018-12028

The vulnerability could result in the unintended termination of processes by Passenger's process manager if triggered by a malicious application.

Technical Details of CVE-2018-12028

Vulnerability Description

The vulnerability allows a malicious application managed by Passenger to report an arbitrary PID to Passenger's process manager, which may then terminate the process with that PID when an error occurs.

Affected Systems and Versions

        Product: n/a
        Vendor: n/a
        Versions affected: Phusion Passenger 5.3.x versions earlier than 5.3.2

Exploitation Mechanism

The vulnerability enables a malicious application under Passenger's control to manipulate child processes and falsely report PIDs to the process manager.

Mitigation and Prevention

Immediate Steps to Take

        Upgrade to Phusion Passenger version 5.3.2 or later to mitigate the vulnerability.
        Monitor system logs for any unusual process terminations.
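
The affected-version check behind the upgrade step above, as an added shell example that is not part of the original advisory or of Phusion's tooling. The function name and the sample strings are constructed for illustration, and the check goes slightly beyond the text by reporting `unknown` when no version can be parsed.

```shell
#!/bin/sh
# Added example: triage a Passenger version string against CVE-2018-12028.
# Affected range per the advisory: 5.3.x versions earlier than 5.3.2.

# passenger_cve_2018_12028_status VERSION_TEXT  (hypothetical helper name)
# Prints one of: affected | not-affected | unknown
passenger_cve_2018_12028_status() {
    # Take the first MAJOR.MINOR.PATCH triple found in the free-form text.
    ver=$(printf '%s\n' "$1" \
        | sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' \
        | head -n 1)
    if [ -z "$ver" ]; then
        # Nothing parsable: do not guess, flag for manual review.
        echo unknown
        return 0
    fi
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    # Only 5.3.0 and 5.3.1 fall inside the range the advisory lists.
    if [ "$major" -eq 5 ] && [ "$minor" -eq 3 ] && [ "$patch" -lt 2 ]; then
        echo affected
    else
        echo not-affected
    fi
    return 0
}

# Constructed sample inputs (not captured from a real host).
for sample in \
    "Phusion Passenger 5.3.1" \
    "Phusion Passenger 5.3.2" \
    "Phusion Passenger 5.2.3" \
    "no version here"
do
    printf '%-26s %s\n' "$sample" "$(passenger_cve_2018_12028_status "$sample")"
done

# On a host with Passenger installed:
#   passenger_cve_2018_12028_status "$(passenger --version)"
```

Treat `unknown` as a prompt for manual inspection rather than as a clean result, and note that `not-affected` here means only "outside the range this advisory lists".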

Long-Term Security Practices

        Regularly update software and apply security patches promptly.
        Implement access controls and monitoring mechanisms to detect unauthorized process manipulations.

Patching and Updates

Ensure timely installation of security updates and patches provided by Phusion to address the vulnerability.
