Bug 1182777 (CVE-2021-25316)

Summary:	VUL-0: CVE-2021-25316: s390-tools: Local DoS of VM live migration due to use of static tmp files in detach_disks.sh
Product:	[Novell Products] SUSE Security Incidents	Reporter:	Wolfgang Frisch <wolfgang.frisch>
Component:	Incidents	Assignee:	Security Team bot <security-team>
Status:	RESOLVED FIXED	QA Contact:	Security Team bot <security-team>
Severity:	Normal
Priority:	P4 - Low	CC:	atoptsoglou, hannsj_uhl, ihno, jsegitz, meissner, wolfgang.frisch
Version:	unspecified
Target Milestone:	---
Hardware:	S/390-64
OS:	Other
URL:	https://smash.suse.de/issue/278588/
Whiteboard:	CVSSv3.1:SUSE:CVE-2021-25316:6.1:(AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H)
Found By:	---	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---
Bug Depends on:
Bug Blocks:	1180877

Description Wolfgang Frisch 2021-02-25 18:03:40 UTC

+++ This bug was initially created as a clone of Bug #1180877 +++

In openSUSE:Factory/s390-tools/detach_disks.sh, predictable /tmp files are used.

```
COOKIE=$(mcookie)
DASDFILE=/tmp/dasd.list.${COOKIE}
DETFILE=/tmp/detach.disks.${COOKIE}
KEEPFILE=/tmp/keep.disks.${COOKIE}
NICFILE=/tmp/nic.list.${COOKIE}
FAILFILE=/tmp/error.${COOKIE}
```

The cookie is an unpredictable 32 character hash. However, since the script does not create all temp files at once, we can watch /tmp with inotify, get the cookie from the first created file, and predict the remaining paths.

Example run of detach_disks.sh, logged with `inotifywait -m -e create /tmp/`:
```
/tmp/ CREATE dasd.list.ce4955d2133c9c6e425791e39af56340
/tmp/ CREATE detach.disks.ce4955d2133c9c6e425791e39af56340
/tmp/ CREATE keep.disks.ce4955d2133c9c6e425791e39af56340
/tmp/ CREATE nic.list.ce4955d2133c9c6e425791e39af56340
```

Steps to reproduce:
As root:
- configure ZVM_DISKS_TO_DETACH in /etc/sysconfig/virtsetup
  e.g. ZVM_DISKS_TO_DETACH="1"
- mkdir /test
- touch /test/shadow

As an unprivileged user:
- Run the attached `PoC-detach_disks.py`

As root:
- /usr/lib/systemd/scripts/detach_disks.sh

Consequences:
- If fs.protected_symlinks = 1 (default on SLE),
  the unprivileged user can deny the service of detach_disks.sh.
- If fs.protected_symlinks = 0,
  the unprivileged user can overwrite arbitrary files.

Comment 1 Wolfgang Frisch 2021-02-25 18:04:19 UTC

Created attachment 846546 [details]
PoC-detach_disks.py

Comment 2 Wolfgang Frisch 2021-02-25 18:10:59 UTC

One solution would be to confine all the temp files in a securely created temporary directory, e.g. with tmpdir=$(mktemp -d /tmp/detach_disks.XXXXXX).

Comment 4 Mark Post 2021-02-26 20:37:23 UTC

I am considering making the following change. It should eliminate any possibility of "guessing" the filenames that are being created. Let me know what you think.
--- detach_disks.sh.20160524	2016-05-24 15:14:19.000000000 -0400
+++ detach_disks.sh	2021-02-26 10:36:50.946676687 -0500
@@ -1,11 +1,10 @@
 #!/bin/sh
 
-COOKIE=$(mcookie)
-DASDFILE=/tmp/dasd.list.${COOKIE}
-DETFILE=/tmp/detach.disks.${COOKIE}
-KEEPFILE=/tmp/keep.disks.${COOKIE}
-NICFILE=/tmp/nic.list.${COOKIE}
-FAILFILE=/tmp/error.${COOKIE}
+DASDFILE=/tmp/dasd.list.${mcookie}
+DETFILE=/tmp/detach.disks.${mcookie}
+KEEPFILE=/tmp/keep.disks.${mcookie}
+NICFILE=/tmp/nic.list.${mcookie}
+FAILFILE=/tmp/error.${mcookie}
 
 function expand_RANGE(){
 local RANGE=${1}

Comment 6 Wolfgang Frisch 2021-02-28 21:32:30 UTC

(In reply to Mark Post from comment #4)
> I am considering making the following change. It should eliminate any
> possibility of "guessing" the filenames that are being created. Let me know
> what you think.
> --- detach_disks.sh.20160524	2016-05-24 15:14:19.000000000 -0400
> +++ detach_disks.sh	2021-02-26 10:36:50.946676687 -0500
> @@ -1,11 +1,10 @@
>  #!/bin/sh
>  
> -COOKIE=$(mcookie)
> -DASDFILE=/tmp/dasd.list.${COOKIE}
> -DETFILE=/tmp/detach.disks.${COOKIE}
> -KEEPFILE=/tmp/keep.disks.${COOKIE}
> -NICFILE=/tmp/nic.list.${COOKIE}
> -FAILFILE=/tmp/error.${COOKIE}
> +DASDFILE=/tmp/dasd.list.${mcookie}
> +DETFILE=/tmp/detach.disks.${mcookie}
> +KEEPFILE=/tmp/keep.disks.${mcookie}
> +NICFILE=/tmp/nic.list.${mcookie}
> +FAILFILE=/tmp/error.${mcookie}
>  
>  function expand_RANGE(){
>  local RANGE=${1}

Thanks for the quick reaction.

This is OK in principal but there's a typo in the suggested changes: It should be $(mcookie) instead of ${mcookie}, which refers to a non-existent variable.

The standard `mktemp` utility would be an acceptable alternative, e.g.:
DASDFILE=$(/tmp/dasd.list.XXXXXX)

Comment 7 Wolfgang Frisch 2021-02-28 21:33:13 UTC

DASDFILE=$(mktemp /tmp/dasd.list.XXXXXX)

Comment 8 Mark Post 2021-02-28 23:22:39 UTC

(In reply to Wolfgang Frisch from comment #6)
-snip-
> This is OK in principal but there's a typo in the suggested changes: It
> should be $(mcookie) instead of ${mcookie}, which refers to a non-existent
> variable.

Argh. You're right, of course.

Comment 9 OBSbugzilla Bot 2021-03-01 00:10:06 UTC

This is an autogenerated message for OBS integration:
This bug (1182777) was mentioned in
https://build.opensuse.org/request/show/875842 Factory / s390-tools

Comment 11 Johannes Segitz 2021-03-01 09:24:10 UTC

Please use CVE-2021-25316 for this

Comment 13 OBSbugzilla Bot 2021-03-01 16:50:07 UTC

This is an autogenerated message for OBS integration:
This bug (1182777) was mentioned in
https://build.opensuse.org/request/show/876032 Factory / s390-tools

Comment 16 OBSbugzilla Bot 2021-03-08 23:20:07 UTC

This is an autogenerated message for OBS integration:
This bug (1182777) was mentioned in
https://build.opensuse.org/request/show/877835 Factory / s390-tools

Comment 18 Mark Post 2021-03-09 21:19:32 UTC

Could you remove 1180877 from the "Depends on" for this bug? I can't mark it resolved with that there, and I can't remove it, either. Thanks.

Comment 19 Johannes Segitz 2021-03-10 06:53:09 UTC

Done. Leaving the needinfo for Wolfgang.

@Wolfgang: If you clone the bug bugzilla creates (for us) nonsensical relationships. You need to adjust it so that the new bug blocks the parent bug so that the closed bugs can be closed before we close the tracker bug

Comment 20 Mark Post 2021-03-10 17:16:30 UTC

Updated packages have been submitted to openSUSE:Factory, SLE-12-SP5, and SLE-15-SP2.

Comment 21 Mark Post 2021-03-10 17:19:08 UTC

Updated package has been submitted to SLE-15-SP3 as well.

Comment 22 Alexandros Toptsoglou 2021-03-11 10:07:45 UTC

(In reply to Mark Post from comment #21)
> Updated package has been submitted to SLE-15-SP3 as well.

Please do not resolve security bugs, instead assign back to security team when you are done for a final review.

Comment 23 Swamp Workflow Management 2021-03-12 20:17:31 UTC

SUSE-SU-2021:0776-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (important)
Bug References: 1182777,1182876,1183041
CVE References: CVE-2021-25316
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src):    s390-tools-2.1.0-18.29.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 24 Swamp Workflow Management 2021-03-12 20:25:18 UTC

SUSE-SU-2021:0777-1: An update that solves one vulnerability and has three fixes is now available.

Category: security (important)
Bug References: 1176574,1182777,1182876,1183040
CVE References: CVE-2021-25316
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    s390-tools-2.11.0-9.20.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 25 Wolfgang Frisch 2021-04-19 16:33:51 UTC

Released!