Severity: High

Vendor: The Apache Software Foundation

Versions Affected: CouchDB 2.0.0 (Windows platform only)

Description:

The Windows installer that the Apache CouchDB team provides is vulnerable to local privilege escalation. All files in the install inherit the file permissions of the parent directory, and therefore a non-privileged user can substitute any executable for the nssm.exe service launcher, or for the CouchDB batch or binary files. A subsequent service or server restart will then run that binary with administrator privilege.

We have replaced the 2.0.0 .msi file on our website with a fixed version and deleted the vulnerable one. The new installer can be downloaded at https://dl.bintray.com/apache/couchdb/win/2.0.0.1/apache-couchdb-2.0.0.1.msi

Mitigation:

The recommended remediation is to uninstall CouchDB 2.0.0 and install CouchDB 2.0.0.1. This will set the permissions correctly on the target directory, preventing replacement of binaries by unauthorized users.

If an upgrade cannot be performed, the following steps will secure an existing CouchDB 2.0.0 installation:

1. In Windows Explorer, navigate to the CouchDB installation folder. Right-click on the folder and select Properties.
2. In the Properties window, select the Security tab, and click on the Advanced button.
3. In the Advanced Security Settings window, click the Change Permissions... button.
4. Ensure only the following settings are listed, removing any other entries:
   Allow - Users - Read & Execute
   Allow - SYSTEM - Full control
   Allow - Administrators - Full control
5. Check the "Replace all child object permissions with inheritable permissions from this object." checkbox.
6. Click OK three times to close all dialog boxes.

Credit:

This issue was reported by John Page aka hyp3rlinx.
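The manual steps above are a GUI procedure. The following PowerShell script is an added example, not part of the Apache CouchDB advisory or the project's installer: it first audits the installation folder for any Allow entry that grants write-class rights (create, write, delete, change permissions, take ownership) to a principal other than SYSTEM or Administrators, which is exactly what lets a standard user swap out nssm.exe or the CouchDB binaries; with -Fix it then replaces the DACL with the three entries listed in step 4, breaks inheritance from the parent, and pushes the new entries down to every child object, matching steps 4 and 5. The installation path is an assumption (there is no fixed default in the advisory), so pass the real folder; the script must be run from an elevated prompt.

```powershell
# Added example (not from the Apache CouchDB advisory): audit and optionally
# repair the ACL on a CouchDB 2.0.0 install directory so it matches the
# permissions in the advisory's manual mitigation. $InstallDir is an assumed
# placeholder; pass the real installation folder. Run elevated.
param(
    [string]$InstallDir = 'C:\CouchDB',   # ASSUMPTION: replace with the actual install path
    [switch]$Fix                          # without -Fix the script only reports
)

$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $InstallDir -PathType Container)) {
    throw "Install directory not found: $InstallDir"
}

# Well-known SIDs so the check does not depend on localized group names.
$usersSid  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'  # BUILTIN\Users
$adminsSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'  # BUILTIN\Administrators
$systemSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18'      # NT AUTHORITY\SYSTEM

# Rights that would let a principal replace or remove files under the install folder.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Test-WeakAce {
    # True when an Allow ACE grants write-class rights to anyone other than
    # SYSTEM or Administrators (the only principals that should hold them).
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    if ($Ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { return $false }
    $sid = $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
    if ($sid -eq $adminsSid -or $sid -eq $systemSid) { return $false }
    return (([int]$Ace.FileSystemRights -band [int]$writeMask) -ne 0)
}

# --- Audit: report every weak entry on the folder itself (inherited or explicit).
$acl  = Get-Acl -LiteralPath $InstallDir
$weak = @($acl.Access | Where-Object { Test-WeakAce $_ })
foreach ($ace in $weak) {
    Write-Warning ("Weak ACE on {0}: {1} -> {2} (inherited: {3})" -f
        $InstallDir, $ace.IdentityReference, $ace.FileSystemRights, $ace.IsInherited)
}
if ($weak.Count -eq 0) {
    Write-Host "No write-class access for non-admin principals on $InstallDir"
}

if (-not $Fix) { return }

# --- Remediate: exactly the three entries from step 4, inheritable by all children.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

$rules = @(
    New-Object System.Security.AccessControl.FileSystemAccessRule($usersSid,  'ReadAndExecute', $inherit, $prop, $allow),
    New-Object System.Security.AccessControl.FileSystemAccessRule($systemSid, 'FullControl',    $inherit, $prop, $allow),
    New-Object System.Security.AccessControl.FileSystemAccessRule($adminsSid, 'FullControl',    $inherit, $prop, $allow)
)

$newAcl = Get-Acl -LiteralPath $InstallDir
# Stop inheriting from the parent and discard the inherited entries that caused the issue.
$newAcl.SetAccessRuleProtection($true, $false)
# Drop any explicit entries so only the three advisory entries remain.
foreach ($existing in @($newAcl.Access | Where-Object { -not $_.IsInherited })) {
    $null = $newAcl.RemoveAccessRule($existing)
}
foreach ($r in $rules) { $newAcl.AddAccessRule($r) }
Set-Acl -LiteralPath $InstallDir -AclObject $newAcl

# Step 5 equivalent: make every child inherit from the folder and strip explicit
# child entries, so a previously planted file cannot keep looser rights of its own.
Get-ChildItem -LiteralPath $InstallDir -Recurse -Force | ForEach-Object {
    $childAcl = Get-Acl -LiteralPath $_.FullName
    $childAcl.SetAccessRuleProtection($false, $false)
    foreach ($existing in @($childAcl.Access | Where-Object { -not $_.IsInherited })) {
        $null = $childAcl.RemoveAccessRule($existing)
    }
    Set-Acl -LiteralPath $_.FullName -AclObject $childAcl
}
Write-Host "DACL on $InstallDir reset to Users:ReadAndExecute, SYSTEM:FullControl, Administrators:FullControl"
```

Run it once without -Fix to see which inherited entries are the problem (on an affected install you would typically see an Allow entry for Users or Authenticated Users carrying Modify or Write rights inherited from the parent volume), then again with -Fix. Re-running the audit afterwards should report no weak entries, and a service restart will then only launch binaries that an administrator could have placed.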
