| 1 |
Hi, |
| 2 |
|
| 3 |
I don't have any objections regarding the change of the default tmpfiles |
| 4 |
provider but I would like to classify the vulnerability: |
| 5 |
|
| 6 |
On 2020-11-25 22:57, Georgy Yakovlev wrote: |
| 7 |
> In case you don't know, opentmpfiles has an open CVE CVE-2017-18925: |
| 8 |
> root privilege escalation by symlink attack |
| 9 |
> https://github.com/OpenRC/opentmpfiles/issues/4 It has been an issue |
| 10 |
> for quite a while, reported 3 years ago, and not much changed since. |
| 11 |
|
| 12 |
Don't get scared by 'root privilege escalation': *Any* problem in *any* |
| 13 |
tmpfiles provider will *always* allow for root privilege escalation |
| 14 |
because this service is run by root early at boot. |
| 15 |
|
| 16 |
In theory you could create a user for this service but you would need |
| 17 |
CAP_DAC_OVERRIDE privileges which would again allow for root privilege |
| 18 |
escalation. |
| 19 |
|
| 20 |
Regarding CVE-2017-18925 itself: First you have to understand that |
| 21 |
anyone can request a CVE and that it isn't CNA's job to verify your |
| 22 |
report. That's it, having a CVE doesn't mean that a problem was |
| 23 |
confirmed. A CVE is just an identifier which should allow anyone who |
| 24 |
want to talk about the same problem to do that. For example when we file |
| 25 |
bug 123 in bugs.gentoo.org and Fedora would have the same package and |
| 26 |
experience the same issue they would file bug 456 in their bug tracker |
| 27 |
-- the goal of a CVE is just to connect information regarding the same |
| 28 |
issue -- in this example, the CVE would get references to Gentoo's bug |
| 29 |
123 and Fedora's bug 456. |
| 30 |
|
| 31 |
The bug itself is about a race condition. This race condition is real. |
| 32 |
|
| 33 |
However, the impact is questionable: tmpfiles service will only process |
| 34 |
files from |
| 35 |
|
| 36 |
/etc/tmpfiles.d/*.conf |
| 37 |
/run/tmpfiles.d/*.conf |
| 38 |
/usr/lib/tmpfiles.d/*.conf |
| 39 |
|
| 40 |
Only root is allowed to write to these directories. In other words: To |
| 41 |
exploit this, a malicious local user (or a remote attacker who already |
| 42 |
gained user access) would have to trick root into creating specially |
| 43 |
crafted tmpfiles config allowing for race conditions first (according to |
| 44 |
the 10 immutable laws of security, if this is already possible, you are |
| 45 |
already lost). |
| 46 |
|
| 47 |
If root doesn't install any tmpfiles config which will create such a |
| 48 |
race condition and if package maintainer will take care that their |
| 49 |
packages won't do the same, you are fine. |
| 50 |
|
| 51 |
Rule of thumb: Just make sure that you only create top level |
| 52 |
directories. If something already exists, error out. Because whenever |
| 53 |
you try to work in a directory where any other user is able to write to |
| 54 |
at the same time, you are always vulnerable to such a race condition |
| 55 |
(that's why you should have a second level for actual user data and keep |
| 56 |
first level for ACL handling -- the service user must only be allowed to |
| 57 |
pass through this directory). |
| 58 |
|
| 59 |
|
| 60 |
PS: Just to avoid any misunderstandings: OpenTmpfiles should of course |
| 61 |
try to fix/avoid this problem if possible. Security is a layered process |
| 62 |
(like an onion) and having multiple safe-guards is always a good thing. |
| 63 |
|
| 64 |
|
| 65 |
-- |
| 66 |
Regards, |
| 67 |
Thomas Deutschmann / Gentoo Security Team |
| 68 |
fpr: C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5 |
Archives