Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1wNzQ0LTRxNnAtaHZjMs4AAzSb
Wings vulnerable to escape to host from installation container
Impact
This vulnerability impacts anyone running the affected versions of Wings. This vulnerability can be used to gain access to the host system running Wings if a user is able to modify an server's install script or the install script executes code supplied by the user (either through environment variables, or commands that execute commands based off of user data).
Patches
This vulnerability has been resolved in version v1.11.6 of Wings, and has been back-ported to the 1.7 release series in v1.7.5.
Anyone running v1.11.x should upgrade to v1.11.6 and anyone running v1.7.x should upgrade to v1.7.5.
Workarounds
Running Wings with a rootless container runtime may mitigate the severity of any attacks, however the majority of users are using container runtimes that run as root as per our documentation.
SELinux may prevent attackers from performing certain operations against the host system, however privileged containers have a lot of freedom even on systems with SELinux enabled.
TL;DR: None at this time.
Extra details
It should be noted that this was a known attack vector, for attackers to easily exploit this attack it would require compromising an administrator account on a Panel. However, certain eggs (the data structure that holds the install scripts that get passed to Wings) have an issue where they are unknowingly executing shell commands with escalated privileges provided by untrusted user data.
Permalink: https://github.com/advisories/GHSA-p744-4q6p-hvc2JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wNzQ0LTRxNnAtaHZjMs4AAzSb
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 12 months ago
Updated: 6 months ago
CVSS Score: 9.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Identifiers: GHSA-p744-4q6p-hvc2, CVE-2023-32080
References:
- https://github.com/pterodactyl/wings/security/advisories/GHSA-p744-4q6p-hvc2
- https://nvd.nist.gov/vuln/detail/CVE-2023-32080
- https://github.com/pterodactyl/wings/releases/tag/v1.11.6
- https://github.com/pterodactyl/wings/releases/tag/v1.7.5
- https://github.com/pterodactyl/wings/releases/tag/v1.17.5
- https://github.com/advisories/GHSA-p744-4q6p-hvc2
Blast Radius: 2.7
Affected Packages
go:github.com/pterodactyl/wings
Dependent packages: 0Dependent repositories: 2
Downloads:
Affected Version Ranges: >= 1.11.0, < 1.11.6, < 1.7.5
Fixed in: 1.11.6, 1.7.5
All affected versions: 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.3.0, 1.3.1, 1.3.2, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.4.7, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.11.0, 1.11.1, 1.11.2, 1.11.3, 1.11.4, 1.11.5
All unaffected versions: 1.7.5, 1.11.6, 1.11.7, 1.11.8, 1.11.9, 1.11.10, 1.11.11, 1.11.12