Bug 1148788 (CVE-2019-3687)

Summary: VUL-0: CVE-2019-3687: permissions: easy profile allows everyone execute dumpcap and read all network traffic
Product: [Novell Products] SUSE Security Incidents
Reporter: Malte Kraus <malte.kraus>
Component: Audits
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: fcrozat, fvogt, meissner, sbrabec, wolfgang.frisch
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/241427
Whiteboard: CVSSv2:NVD:CVE-2019-3687:1.9:(AV:L/AC:M/Au:N/C:P/I:N/A:N) CVSSv3.1:NVD:CVE-2019-3687:3.3:(AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) CVSSv3.1:SUSE:CVE-2019-3687:5.5:(AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Malte Kraus 2019-08-29 12:26:23 UTC
The 'easy' profile specifies some file capabilities for /usr/bin/dumpcap and a 0755 mode, allowing any user on a system with wireshark installed to read all network traffic. (The 'secure' profile correctly has 0750 mode to limit execution to members of the 'wireshark' group, and the 'paranoid' profile doesn't specify any capabilities for the file.)

(While the permissions package also has the same definitions in Leap/SLE, this only affects Tumbleweed since the wireshark package in those codestreams doesn't create the 'wireshark' group or call chkstat on the dumpcap binary.)
Comment 2 Swamp Workflow Management 2019-08-30 15:10:06 UTC
This is an autogenerated message for OBS integration:
This bug (1148788) was mentioned in
https://build.opensuse.org/request/show/727267 Factory / permissions
Comment 3 Fabian Vogt 2019-09-18 11:52:56 UTC
I noticed this a while ago and assumed it was a feature...
Comment 9 Swamp Workflow Management 2020-02-28 20:16:33 UTC
SUSE-SU-2020:0547-1: An update that solves two vulnerabilities and has three fixes is now available.

Category: security (moderate)
Bug References: 1148788,1160594,1160764,1161779,1163922
CVE References: CVE-2019-3687,CVE-2020-8013
Sources used:
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    permissions-20181116-9.23.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Swamp Workflow Management 2020-03-04 23:12:53 UTC
openSUSE-SU-2020:0302-1: An update that solves two vulnerabilities and has three fixes is now available.

Category: security (moderate)
Bug References: 1148788,1160594,1160764,1161779,1163922
CVE References: CVE-2019-3687,CVE-2020-8013
Sources used:
openSUSE Leap 15.1 (src):    permissions-20181116-lp151.4.12.1
Comment 11 Stanislav Brabec 2020-04-13 04:07:58 UTC
What is the security improvement of the update?

The binary had no SUID bit. It had 755, now it has 750.

Any user with an executable mount of /home, /var/tmp or /tmp (the default installation) can easily work around this change by:

cp -a /usr/bin/wireshark .
extract dumpcap from rpm
PATH=.:$PATH wireshark -k -i -

Actually, the update causes new troubles. I need to watch packets on my router. In the past, it was possible to dump remote traffic without local root or wireshark group permission via:

ssh root@openwrt.lan "tcpdump -i br-lan -U -s0 -w - port not 22" |
  wireshark -k -i -

Now it is not possible.
Comment 12 Malte Kraus 2020-04-14 09:52:51 UTC
Hi Stanislav,

in your example command you run wireshark, but this change was only about 'dumpcap' - a tool very similar to tcpdump in that example. So I am wondering if it wasn't a different change breaking your workflow.

Now to your question:

The dumpcap binary is installed with the cap_net_raw and cap_net_admin capabilities - executing it allows reading all network traffic on the system. In a world where everything used only properly encrypted and authenticated protocols, this may be fine (well there'd still be metadata leaks), but unfortunately we live in a world where plenty of software relies on "trusted" networks.

Your copy instructions don't include setting file capabilities, so they don't recreate the insecure state - and setting file capabilities would require root privileges.
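Added example for this thread (not code from the permissions package or from anyone in the bug): a small POSIX sh checker for the condition described above, a binary that carries file capabilities and is executable by everyone. It assumes profile entries in the style of SUSE's /etc/permissions.* files (a "path owner:group mode" line optionally followed by a " +capabilities ..." continuation line); the profile fragment inside the script is constructed for the example, not copied from a shipped profile. The ping entry is included on purpose: the scanner flags every world-executable capability, and whether that is a problem is a per-binary decision (cap_net_raw on dumpcap means reading all traffic; on ping it is the intended design). check_installed applies the same test to a real binary via stat(1) and getcap(8).

```shell
#!/bin/sh
# Added example for bug 1148788; not from the permissions package.
# Flags profile entries that combine file capabilities with a
# world-executable mode, which is what the 'easy' profile did for
# /usr/bin/dumpcap.
#
# Assumed entry format (modeled on /etc/permissions.*):
#   <path> <owner>:<group> <octal mode>
#    +capabilities <cap list>      (optional continuation line)
# The fragment below is constructed for this example.
SAMPLE_PROFILE='
# dumpcap as in the easy profile: caps plus 0755, any user can sniff
/usr/bin/dumpcap root:wireshark 0755
 +capabilities cap_net_raw,cap_net_admin=ep
# ping: cap_net_raw for everyone is the intended design
/usr/bin/ping root:root 0755
 +capabilities cap_net_raw=ep
# a binary without capabilities is not interesting here
/usr/bin/foo root:root 0755
'

# world_exec MODE: succeeds when the "other" execute bit is set in an
# octal mode such as 0755 or 755 (odd last digit means o+x).
world_exec() {
  last=${1#"${1%?}"}
  [ $(( last & 1 )) -eq 1 ]
}

# scan_profile: reads profile text on stdin and prints
# "<path> <mode> <caps>" for every entry that carries capabilities
# and is executable by everyone.
scan_profile() {
  path=""; mode=""
  while IFS= read -r line; do
    case "$line" in
      ''|'#'*) continue ;;
      *+capabilities*)
        caps=${line#*+capabilities }
        if [ -n "$path" ] && world_exec "$mode"; then
          printf '%s %s %s\n' "$path" "$mode" "$caps"
        fi
        ;;
      *)
        set -- $line
        path=$1; mode=$3
        ;;
    esac
  done
}

# check_installed PATH: same test against an installed binary using
# stat(1) and getcap(8). getcap prints either "path = caps" or
# "path caps" depending on the libcap version, so both prefixes are
# stripped. Returns 1 when caps and o+x coincide, 2 if not installed.
check_installed() {
  [ -e "$1" ] || { echo "$1: not installed"; return 2; }
  mode=$(stat -c %a "$1")
  caps=$(getcap "$1" 2>/dev/null | sed -e "s|^$1 *=* *||")
  if [ -n "$caps" ] && world_exec "$mode"; then
    echo "$1: mode $mode with caps $caps, executable by every user"
    return 1
  fi
  echo "$1: mode $mode, caps '${caps:-none}', ok"
}

# Demo on the constructed fragment; for a live system run e.g.
#   check_installed /usr/bin/dumpcap
printf '%s\n' "$SAMPLE_PROFILE" | scan_profile
```

Note that this is exactly why the copy-to-$HOME workaround does not recreate the problem: the dangerous state is the combination of the capability xattr and o+x, and an unprivileged user can reproduce the mode bits but not the capabilities.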
Comment 13 Frederic Crozat 2020-12-15 13:14:09 UTC
This change makes wireshark virtually unusable when running as a user (SLES15 SP2 + Workstation extension), unless the user is manually made part of the wireshark group, which is not discoverable if you check the specfile or rpm changelog :(

dumpcap doesn't have the needed permissions to run as root and there is no way for the end user to specify "I have the rights to do network capture" in the GUI (I remember the GTK version of wireshark could be started by a root wrapper, which isn't great either, since it means the full GUI was running as root).

Fedora works around the issue by adding a specific group and an error message for it ( https://src.fedoraproject.org/rpms/wireshark/blob/master/f/wireshark-0002-Customize-permission-denied-error.patch ). Maybe we should include this change.
Comment 14 Marcus Meissner 2020-12-15 14:43:42 UTC
back to proactive
Comment 15 Matthias Gerstner 2020-12-16 10:57:49 UTC
A sensible error message should be provided indeed. I created a separate bug
1180102 for our wireshark maintainer to take care of this.
Comment 16 Matthias Gerstner 2020-12-29 12:40:07 UTC
Removing AUDIT tag since this is not really an AUDIT and also the original
VUL-0 bug should not be reused for the usability issue. Please use bug 1180102
for this.
Comment 17 Wolfgang Frisch 2020-12-29 13:37:14 UTC
Comment 18 OBSbugzilla Bot 2021-11-17 15:40:30 UTC
This is an autogenerated message for OBS integration:
This bug (1148788) was mentioned in
https://build.opensuse.org/request/show/931965 15.3 / permissions
Comment 19 Swamp Workflow Management 2021-12-02 20:18:13 UTC
openSUSE-SU-2021:1520-1: An update that solves three vulnerabilities and has 27 fixes is now available.

Category: security (moderate)
Bug References: 1028975,1029961,1093414,1133678,1148788,1150345,1150366,1151190,1157498,1160285,1160764,1161335,1161779,1163588,1167163,1169614,1171164,1171173,1171569,1171580,1171686,1171879,1171882,1173221,1174504,1175720,1175867,1178475,1178476,1183669
CVE References: CVE-2019-3687,CVE-2019-3688,CVE-2020-8013
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    permissions-20200127-lp153.24.3.1