couchdb-dev mailing list archives

From Robert Samuel Newson <rnew...@apache.org>
Subject CVE-2016-8742 Apache CouchDB local privilege escalation on Windows
Date Thu, 08 Dec 2016 10:52:39 GMT
Severity: High

Vendor:
The Apache Software Foundation

Versions Affected:
CouchDB 2.0.0 (Windows platform only)

Description:

The Windows installer that the Apache CouchDB team provides is vulnerable to local privilege
escalation. All files in the install inherit the file permissions of the parent directory
and therefore a non-privileged user can substitute any executable for the nssm.exe service
launcher, or CouchDB batch or binary files. A subsequent service or server restart will then
run that binary with administrator privilege.

We have replaced the 2.0.0 .msi file on our website with a fixed version and deleted the vulnerable
one.

The new installer can be downloaded at https://dl.bintray.com/apache/couchdb/win/2.0.0.1/apache-couchdb-2.0.0.1.msi

Mitigation:

The recommended remediation is to uninstall CouchDB 2.0.0 and install CouchDB 2.0.0.1. This
will set the permissions correctly on the target directory, preventing replacement of binaries
by unauthorized users.

If an upgrade cannot be performed, the following steps will secure an existing CouchDB 2.0.0
installation:

1. In Windows Explorer, navigate to the CouchDB installation folder. Right click on the folder
and select Properties.
2. In the Properties window, select the Security tab, and click on the Advanced button.
3. In the Advanced Security Settings window, click the Change Permissions... button.
4. Ensure only the following settings are listed, removing any other entries:
   Allow - Users - Read & Execute
   Allow - SYSTEM - Full control
   Allow - Administrators - Full control
5. Check the "Replace all child object permissions with inheritable permissions from this
object" box.
6. Click OK three times to close all dialog boxes.
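
The script below is an added example, not part of the advisory or of CouchDB: it lists every ACE under the install folder that grants write-type access to anyone other than SYSTEM and Administrators, and with -Fix it applies steps 4 and 5 above. The -InstallDir and -Fix parameters and the Get-WritableAce function are names made up for this example; pass your actual install path and run it from an elevated prompt.

```powershell
# Added example, not from the advisory. -InstallDir is an assumption: pass the real
# CouchDB folder. -Fix applies steps 4 and 5 of the manual procedure.
param(
    [Parameter(Mandatory)][string]$InstallDir,
    [switch]$Fix
)
$ErrorActionPreference = 'Stop'
$sidType = [System.Security.Principal.SecurityIdentifier]
# Well-known SIDs, so the script does not depend on localized account names.
$system = 'S-1-5-18'; $admins = 'S-1-5-32-544'; $users = 'S-1-5-32-545'

# Bits that allow planting or replacing a file; Read & Execute shares none of them.
# 0x50000000 adds GENERIC_WRITE and GENERIC_ALL, which inherit-only ACEs can carry.
$mask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor 0x50000000

function Get-WritableAce([string]$Root) {
    $items = @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Recurse -Force)
    foreach ($item in $items) {
        # Ask for SIDs directly so unresolvable account names cannot break the check.
        $rules = (Get-Acl -LiteralPath $item.FullName).GetAccessRules($true, $true, $sidType)
        foreach ($ace in $rules) {
            $sid = $ace.IdentityReference.Value
            if ($ace.AccessControlType -eq 'Allow' -and $sid -notin @($system, $admins) -and
                ([int]$ace.FileSystemRights -band $mask)) {
                [pscustomobject]@{ Path = $item.FullName; Sid = $sid
                                   Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
            }
        }
    }
}

if ($Fix) {
    # Step 4: a fresh DACL holding only the three entries from the advisory.
    $acl = New-Object System.Security.AccessControl.DirectorySecurity
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting from the parent directory
    foreach ($entry in @(@($users, 'ReadAndExecute'), @($system, 'FullControl'), @($admins, 'FullControl'))) {
        $id = New-Object System.Security.Principal.SecurityIdentifier($entry[0])
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, $entry[1], 'ContainerInherit, ObjectInherit', 'None', 'Allow')))
    }
    Set-Acl -LiteralPath $InstallDir -AclObject $acl
    # Step 5: make every child inherit only from the install folder.
    icacls (Join-Path $InstallDir '*') /reset /T /C /Q | Out-Null
}

$findings = @(Get-WritableAce $InstallDir)
$findings | Format-Table -AutoSize
if ($findings.Count) { Write-Warning "$($findings.Count) write-capable ACE(s) found."; exit 1 }
Write-Output 'No write-capable ACEs outside SYSTEM and Administrators.'
```

A non-zero exit code means at least one file or folder is still replaceable by a non-administrative principal; rerun without -Fix after remediation to confirm the result.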

Credit:

This issue was reported by John Page aka hyp3rlinx.