Bugzilla – Full Text Bug Listing
Summary: | VUL-0: CVE-2019-3687: permissions: easy profile allows everyone execute dumpcap and read all network traffic | ||
---|---|---|---|
Product: | [Novell Products] SUSE Security Incidents | Reporter: | Malte Kraus <malte.kraus> |
Component: | Audits | Assignee: | Security Team bot <security-team> |
Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
Severity: | Normal | ||
Priority: | P3 - Medium | CC: | fcrozat, fvogt, meissner, sbrabec, wolfgang.frisch |
Version: | unspecified | ||
Target Milestone: | --- | ||
Hardware: | Other | ||
OS: | Other | ||
URL: | https://smash.suse.de/issue/241427 | ||
Whiteboard: | CVSSv2:NVD:CVE-2019-3687:1.9:(AV:L/AC:M/Au:N/C:P/I:N/A:N) CVSSv3.1:NVD:CVE-2019-3687:3.3:(AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) CVSSv3.1:SUSE:CVE-2019-3687:5.5:(AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) | ||
Found By: | --- | Services Priority: | |
Business Priority: | Blocker: | --- | |
Marketing QA Status: | --- | IT Deployment: | --- |
Description
Malte Kraus
2019-08-29 12:26:23 UTC
This is an autogenerated message for OBS integration: This bug (1148788) was mentioned in https://build.opensuse.org/request/show/727267 Factory / permissions

I noticed this a while ago and assumed it was a feature...

SUSE-SU-2020:0547-1: An update that solves two vulnerabilities and has three fixes is now available.
Category: security (moderate)
Bug References: 1148788,1160594,1160764,1161779,1163922
CVE References: CVE-2019-3687,CVE-2020-8013
Sources used: SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): permissions-20181116-9.23.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

openSUSE-SU-2020:0302-1: An update that solves two vulnerabilities and has three fixes is now available.
Category: security (moderate)
Bug References: 1148788,1160594,1160764,1161779,1163922
CVE References: CVE-2019-3687,CVE-2020-8013
Sources used: openSUSE Leap 15.1 (src): permissions-20181116-lp151.4.12.1

What is the security improvement of the update? The binary had no SUID bit. It had 755, now it has 750. Any user with an executable mount of /home, /var/tmp or /tmp (the default installation) can easily work around this change by:

```
cp -a /usr/bin/wireshark .
extract dumpcap from rpm
PATH=.:$PATH wireshark -k -i -
```

Actually, the update causes new troubles. I need to watch packets on my router. In the past, it was possible to dump remote traffic without local root or wireshark group permission via:

```
ssh root@openwrt.lan "tcpdump -i br-lan -U -s0 -w - port not 22" | wireshark -k -i -
```

Now it is not possible.

Hi Stanislav, in your example command you run wireshark, but this change was only about 'dumpcap' - a tool very similar to tcpdump in that example. So I am wondering if it wasn't a different change breaking your workflow.

Now to your question: The dumpcap binary is installed with the cap_net_raw and cap_net_admin capabilities - executing it allows reading all network traffic on the system. In a world where everything used only properly encrypted and authenticated protocols, this may be fine (well, there'd still be metadata leaks), but unfortunately we live in a world where plenty of software relies on "trusted" networks. Your copy instructions don't include setting file capabilities, so they don't recreate the insecure state - and setting file capabilities would require root privileges.

This change makes wireshark virtually unusable when running as a user (SLES15 SP2 + Workstation extension), unless the user is manually part of the wireshark group, which is not discoverable if you check the specfile or rpm changelog :( dumpcap doesn't have the needed permissions to run as root and there is no way for the end-user to specify "I have the rights to do network capture" in the GUI (I remember the GTK version of wireshark could be started by a root wrapper, which isn't great either, since it means the full GUI was running as root). Fedora works around the issue by adding a specific group and an error message for it ( https://src.fedoraproject.org/rpms/wireshark/blob/master/f/wireshark-0002-Customize-permission-denied-error.patch ). Maybe we should include this change.

back to proactive

A sensible error message should be provided indeed. I created a separate bug 1180102 for our wireshark maintainer to take care of this. Removing AUDIT tag since this is not really an AUDIT and also the original VUL-0 bug should not be reused for the usability issue. Please use bug 1180102 for this.

Released.

This is an autogenerated message for OBS integration: This bug (1148788) was mentioned in https://build.opensuse.org/request/show/931965 15.3 / permissions

openSUSE-SU-2021:1520-1: An update that solves three vulnerabilities and has 27 fixes is now available.
Category: security (moderate)
Bug References: 1028975,1029961,1093414,1133678,1148788,1150345,1150366,1151190,1157498,1160285,1160764,1161335,1161779,1163588,1167163,1169614,1171164,1171173,1171569,1171580,1171686,1171879,1171882,1173221,1174504,1175720,1175867,1178475,1178476,1183669
CVE References: CVE-2019-3687,CVE-2019-3688,CVE-2020-8013
JIRA References:
Sources used: openSUSE Leap 15.3 (src): permissions-20200127-lp153.24.3.1
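Added example, not code from the permissions package or from any participant in this bug: a small Linux audit that checks the point made in the thread, namely that what makes dumpcap dangerous is the combination of its security.capability xattr (cap_net_raw, cap_net_admin) with a world-executable mode, and that a plain copy of the binary carries no capabilities. It decodes the raw vfs_cap_data xattr itself and classifies the file the way the "easy" versus fixed profile is described above; the function names and labels are this example's own.

```python
import errno
import os
import stat
import struct

# Capability bit numbers from linux/capability.h
CAP_NET_ADMIN = 12
CAP_NET_RAW = 13
CAPTURE_CAPS = (1 << CAP_NET_ADMIN) | (1 << CAP_NET_RAW)

VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001


def decode_vfs_caps(blob):
    """Decode a raw security.capability xattr into (permitted, inheritable, effective).

    Layout is struct vfs_cap_data: a little-endian magic word (revision plus the
    effective flag) followed by one (v1) or two (v2/v3) permitted/inheritable pairs.
    """
    (magic,) = struct.unpack_from("<I", blob, 0)
    revision = magic & VFS_CAP_REVISION_MASK
    if revision == 0x01000000:
        permitted, inheritable = struct.unpack_from("<II", blob, 4)
    elif revision in (0x02000000, 0x03000000):
        p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<IIII", blob, 4)
        permitted = p_lo | (p_hi << 32)
        inheritable = i_lo | (i_hi << 32)
    else:
        raise ValueError("unknown vfs_cap_data revision 0x%08x" % revision)
    return permitted, inheritable, bool(magic & VFS_CAP_FLAGS_EFFECTIVE)


def classify(mode, permitted):
    """Who can run this binary with capture capabilities? Labels are this example's own."""
    if not permitted & CAPTURE_CAPS:
        return "no-capture-caps"     # e.g. a cp'd copy: the xattr is not carried along
    if mode & stat.S_IXOTH:
        return "easy"                # 0755 plus caps: every local user can capture
    if mode & stat.S_IXGRP:
        return "group-restricted"    # 0750 root:wireshark, the state after the update
    return "owner-only"


def audit(path):
    """Classify a real file; ENODATA/ENOTSUP on the xattr simply means 'no caps'."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    try:
        permitted, _, _ = decode_vfs_caps(os.getxattr(path, "security.capability"))
    except OSError as e:
        if e.errno not in (errno.ENODATA, errno.ENOTSUP):
            raise
        permitted = 0
    return classify(mode, permitted)
```

Run `audit("/usr/bin/dumpcap")` on a host to see which profile it is in; on a copy made with `cp -a` into a home directory the result is "no-capture-caps", matching the reply above.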