CVE-2016-1247
Description
The nginx package before 1.6.2-5+deb8u3 on Debian jessie, the nginx packages before 1.4.6-1ubuntu3.6 on Ubuntu 14.04 LTS, before 1.10.0-0ubuntu0.16.04.3 on Ubuntu 16.04 LTS, and before 1.10.1-0ubuntu1.1 on Ubuntu 16.10, and the nginx ebuild before 1.10.2-r3 on Gentoo allow local users with access to the web server user account to gain root privileges via a symlink attack on the error log.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
Nginx (Debian Based Distros + Gentoo) - 'logrotate' Local Privilege Escalation
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| sles | affected | | |
| arch | fixed | 1.11.8-2 | |
| debian | bookworm | fixed | 1.10.2-1 |
| debian | bullseye | fixed | 1.10.2-1 |
| debian | forky | fixed | 1.10.2-1 |
| debian | sid | fixed | 1.10.2-1 |
| debian | trixie | fixed | 1.10.2-1 |
| debian | 8.0 | not-affected | |
| ubuntu | 16.10 | not-affected | |
| ubuntu | 16.04 | not-affected | |
| ubuntu | 14.04 | not-affected | |
| fedora | 33 | affected | |
| fedora | 34 | affected | |
| fedora | 35 | affected | |
References
- https://www.suse.com/security/cve/CVE-2016-1247.html
- https://security.archlinux.org/ASA-201701-24
- https://security.archlinux.org/ASA-201701-23
- http://packetstormsecurity.com/files/139750/Nginx-Debian-Based-Distros-Root-Privilege-Escalation.html
- http://seclists.org/fulldisclosure/2016/Nov/78
- http://seclists.org/fulldisclosure/2017/Jan/33
- http://www.debian.org/security/2016/dsa-3701
- http://www.securityfocus.com/archive/1/539796/100/0/threaded
- http://www.securityfocus.com/bid/93903
- http://www.securitytracker.com/id/1037104
- http://www.ubuntu.com/usn/USN-3114-1
- https://legalhackers.com/advisories/Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CBIZEKHBOCKO7FUMCO4X53ENMWU5OYFX/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ESTIADC7BDB6VTH4JAP6C6OCW2CQ4NHP/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P3WOO7E5R2HT5XVOIOFPEFALILVOWZUF/
- https://security.gentoo.org/glsa/201701-22
- https://www.exploit-db.com/exploits/40768/
- https://www.youtube.com/watch?v=aTswN1k1fQs
- https://security-tracker.debian.org/tracker/CVE-2016-1247
CWEs
CWE-59
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.