Urgent security issue in NGINX/php-fpm - CVE-2019-11043

Any word on updates / recommended steps we need to take regarding Mail-in-a-Box / NextCloud?


Waiting for Ubuntu to update php7.2-fpm in 18.04. The nginx patch might help in the short term.

Reading through the PoC exploit [1], and maybe we're safe for now. Not sure the nginx on MIAB is running the right config.

[1] https://github.com/neex/phuip-fpizdam

Hi all. I will look into this today.

For now, the safest route is to block all web access to your boxes. The easiest way is to use the firewall to block all web accesses by logging in with SSH (same as usual for maintenance) and running:

sudo ufw insert 1 deny 443

This will block access to webmail, Exchange/ActiveSync, contacts and calendar (via the web and syncing), and the control panel.

To undo the block (e.g. after we issue a patch or decide the vulnerability does not affect Mail-in-a-Box), you can run:

sudo ufw delete deny 443

(Port 443 is https. There is no need to block port 80 (http) because we only serve redirects on that port.)

We’ll use this thread to discuss what Mail-in-a-Box users should do. A parallel discussion is happening on GitHub at https://github.com/mail-in-a-box/mailinabox/issues/1663 about whether we need to make changes to Mail-in-a-Box and post an updated version.


@JoshData When I run your firewall command I get this error:

root@box:~# sudo ufw insert 0 deny 443
ERROR: Cannot insert rule at position '0'

It should be 1, not 0 (works on mine, placing it at the top of the list):

sudo ufw insert 1 deny 443

Thanks, sorry, I copy-pasted my incorrect attempt from my terminal instead of the correct one. I will update the post.

Glad I said something. I almost assumed someone was probably already looking into it.

BTW, is the Mail-in-a-Box update server down now while you investigate this? It seems to have stopped responding around the time you initially responded to this, @JoshData. I was about to update to 0.43.

Thanks for the awesome effort

Yes.


After some research and discussion on the GitHub issue linked above, several of us believe that Mail-in-a-Box is not likely impacted by the vulnerability: We haven’t been able to replicate the vulnerability on Mail-in-a-Box boxes, but at the same time we’re simply not sure.

The best fix is a patch from the maintainers of the buggy software (PHP, via Ubuntu), and so I think we will wait a few days for that, rather than trying to fix something ourselves that we’re not even sure applies to us. Information on an Ubuntu patch is forthcoming at https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11043.html in the php7.2 section.

In the meanwhile, you’ll all have to make a determination for yourselves if you want to keep your box safe by blocking port 443 or not.

I’ll post again once Ubuntu has published the patch, or before if there’s more information. It’s likely Mail-in-a-Box boxes will pick up the patch automatically since we install security updates automatically, once it’s published.


Hi all. Ubuntu has now posted an updated package that fixes the vulnerability. (As I mentioned above, no one that’s looked closely thinks Mail-in-a-Box was affected, but it was difficult to know for sure.)

I believe the updated package will get installed automatically tonight, since Mail-in-a-Box turns on automatic security updates. So if you haven’t taken any action yet, your best bet is probably to keep doing nothing, but tomorrow check that the package actually updated (see below).

To install the updated package now, log in to your box with SSH and run:

sudo apt update && sudo apt install php7.2-fpm

After installing, or if you think it’s been installed automatically, check that you have the fixed version by running:

sudo apt list php7.2-fpm

The first line of the output should be exactly:

php7.2-fpm/bionic-updates,bionic-security,now 7.2.24-0ubuntu0.18.04.1 amd64 [installed]

The important part is the version number which should be exactly 7.2.24-0ubuntu0.18.04.1.

If you used the firewall to block web access, you should turn that off now (using the instructions in an earlier post).

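As an added example (not code from the thread or from the Mail-in-a-Box project), the version check described in the post above can be turned into a small POSIX shell script: it parses the line printed by apt list php7.2-fpm, confirms the package is actually installed, and compares the version against the fixed 7.2.24-0ubuntu0.18.04.1 using dpkg's Debian version ordering when dpkg is available (an exact string match otherwise, which is what the post asks for). The sample lines are constructed from the output quoted in the thread; the function names, the --live flag and the script file name are my own assumptions.

```shell
#!/bin/sh
# Added example, not part of the thread: check whether the php7.2-fpm line
# printed by "apt list php7.2-fpm" carries the fixed version. The fixed
# version is the one named in the thread for CVE-2019-11043 on Ubuntu 18.04.
FIXED_VERSION="7.2.24-0ubuntu0.18.04.1"

# Extract the version field from an "apt list" line such as
#   php7.2-fpm/bionic-updates,bionic-security,now 7.2.24-0ubuntu0.18.04.1 amd64 [installed]
# Prints the version, or nothing if the line is not a php7.2-fpm package line
# (the "Listing... Done" header, for instance).
apt_list_version() {
    printf '%s\n' "$1" | awk '$1 ~ /^php7\.2-fpm\// { print $2 }'
}

# Return 0 (true) when the line reports an *installed* package at or above
# the fixed version, 1 otherwise. A candidate version that is merely
# available in the archive (no "[installed...]" tag) does not count.
php_fpm_is_patched() {
    line="$1"
    case "$line" in
        *"[installed"*) ;;          # installed (possibly "installed,automatic")
        *) return 1 ;;
    esac
    ver=$(apt_list_version "$line")
    [ -n "$ver" ] || return 1
    if command -v dpkg >/dev/null 2>&1; then
        # Proper Debian version comparison: later security rebuilds also pass.
        dpkg --compare-versions "$ver" ge "$FIXED_VERSION"
    else
        # Fallback off a Debian/Ubuntu system: exact match, as the post states.
        [ "$ver" = "$FIXED_VERSION" ]
    fi
}

# Constructed sample lines modelled on the output quoted in the thread.
SAMPLE_PATCHED='php7.2-fpm/bionic-updates,bionic-security,now 7.2.24-0ubuntu0.18.04.1 amd64 [installed,automatic]'
SAMPLE_OLD='php7.2-fpm/bionic 7.2.3-1ubuntu1 amd64 [installed]'
SAMPLE_NOT_INSTALLED='php7.2-fpm/bionic 7.2.3-1ubuntu1 amd64'

# Live mode (assumed flag): run the real "apt list" on the box and report.
check_live() {
    line=$(apt list php7.2-fpm 2>/dev/null | grep '^php7\.2-fpm/' | head -1)
    if php_fpm_is_patched "$line"; then
        echo "OK: php7.2-fpm $(apt_list_version "$line") is at or above $FIXED_VERSION"
        return 0
    fi
    echo "NOT PATCHED: got '${line:-no php7.2-fpm line}', want >= $FIXED_VERSION"
    return 1
}

if [ "${1:-}" = "--live" ]; then
    check_live
fi
```

On a box, run it as sh check-php-fpm.sh --live (file name assumed); without the flag the script only defines the functions and sample lines, so it can be sourced and reused. The installed-tag check matters because apt list -a, as shown later in the thread, also prints the older archive version that is not installed.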

Thank you very much for your timeliness of staying on top of this.


Here is the changelog from the updated package.

nic@box:~$ zcat /usr/share/doc/php7.2-fpm/changelog.Debian.gz | head -20
php7.2 (7.2.24-0ubuntu0.18.04.1) bionic-security; urgency=medium

  * SECURITY UPDATE: updated to 7.2.24 to fix security issue
    - CVE-2019-11043
  * Rebased patches:
    - debian/patches/0022-lp564920-fix-big-files.patch
  * Removed patches no longer required:
    - debian/patches/CVE-2019-11041.patch
    - debian/patches/CVE-2019-11042.patch

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 28 Oct 2019 08:07:07 -0400

https://mailinabox.email is back up.

Alright, just completed:
apt-get update && apt-get upgrade

and:
sudo apt list -a php7.2-fpm

shows:

Listing... Done
php7.2-fpm/bionic-updates,bionic-security,now 7.2.24-0ubuntu0.18.04.1 amd64 [installed,automatic]
php7.2-fpm/bionic 7.2.3-1ubuntu1 amd64

Again, many thanks to everyone!!!

I can confirm that the packages will be auto upgraded without issues:

Unattended upgrade returned: True

Packages that were upgraded:
php7.2 php7.2-cli php7.2-common php7.2-curl php7.2-dev php7.2-fpm
php7.2-gd php7.2-imap php7.2-intl php7.2-json php7.2-mbstring
php7.2-opcache php7.2-pspell php7.2-readline php7.2-soap
php7.2-sqlite3 php7.2-xml php7.2-zip

Any tips for us still on 14.04 Box?
Thanks!

Yeah, migrate to 18.04. Those still on 14.04 won't get any security patches or software fixes, so your installs will be vulnerable, if this vulnerability affects 14.04.
