Bug 1015141 (CVE-2018-19044) - VUL-0: CVE-2018-19044,CVE-2018-19045,CVE-2018-19046, CVE-2018-19115: keepalived: dbus support in keepalived
Summary: VUL-0: CVE-2018-19044,CVE-2018-19045,CVE-2018-19046, CVE-2018-19115: keepaliv...
Status: RESOLVED FIXED
Alias: CVE-2018-19044
Product: SUSE Security Incidents
Classification: Novell Products
Component: Audits
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: CVSSv3:SUSE:CVE-2018-19044:7.8:(AV:L/...
Keywords:
Depends on:
Blocks:
 
Reported: 2016-12-12 14:19 UTC by Marcus Rückert
Modified: 2021-08-12 14:12 UTC (History)
CC List: 8 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
Crasher for issue 1 (583 bytes, application/x-ruby)
2017-03-30 14:35 UTC, Johannes Segitz

Description Marcus Rückert 2016-12-12 14:19:11 UTC
I would like to enable dbus support in keepalived, which atm is blocked by the rpmlintrc check.

Code:
https://github.com/acassen/keepalived/

Service file:
https://github.com/acassen/keepalived/blob/master/keepalived/dbus/org.keepalived.Vrrp1.conf

any objections?
Comment 2 Johannes Segitz 2017-03-30 14:34:37 UTC
Making the bug private to discuss the issues found.

1. Heap overflow when parsing HTTP responses

extract_status_code extracts the HTTP status codes from monitored servers. 
        /* Allocate the room */
        buf_code = (char *)MALLOC(10);

        /* Status-Code extraction */
        while (buffer < end && *buffer++ != ' ') ;
        begin = buffer;
        while (buffer < end && *buffer++ != ' ')
                inc++;
        strncat(buf_code, begin, inc);

So if the status code is longer than 9 bytes we run into a problem here.

*** Error in `/usr/sbin/keepalived': free(): invalid pointer: 0x00000000006a76c0 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x7277f)[0x7fe12994577f]
/lib64/libc.so.6(+0x78026)[0x7fe12994b026]
/usr/sbin/keepalived[0x41ee13]
/usr/sbin/keepalived[0x40726c]
/usr/sbin/keepalived[0x40735c]
/usr/sbin/keepalived[0x41dbbd]
/usr/sbin/keepalived[0x40781b]
/usr/sbin/keepalived[0x403fa1]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x7fe1298f4b25]
/usr/sbin/keepalived[0x40405a]
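A bounds-checked rewrite of the extraction quoted in comment 2, added here as an illustration (it is not keepalived's own code or the upstream fix); the function name and the 0/-1 return convention are assumptions of this example:

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Added example, not keepalived's code: a bounds-checked version of the
 * status-code extraction quoted in comment 2. The quoted loop counts the
 * token length into `inc` and then strncat()s it into a fixed 10-byte heap
 * buffer, so a status line whose second token is longer than nine bytes
 * writes past the allocation (the free(): invalid pointer abort above is
 * the corrupted heap being noticed later). The name and the 0/-1 return
 * convention are this example's assumptions. */

/* Copies the second space-delimited token of an HTTP status line into
 * `out` (size `outlen`). Returns 0 on success, -1 if the token is missing,
 * would not fit, or is not the 3DIGIT status code RFC 7230 requires. */
int extract_status_code_safe(const char *buffer, size_t len,
                             char *out, size_t outlen)
{
    const char *end = buffer + len;
    const char *begin;
    size_t inc = 0, i;

    /* Skip the HTTP-version token, exactly as the original does. */
    while (buffer < end && *buffer++ != ' ')
        ;
    begin = buffer;
    /* Count the status-code token, as the original does ... */
    while (buffer < end && *buffer++ != ' ')
        inc++;
    /* ... but refuse it before any copy unless it fits with its NUL. */
    if (inc == 0 || inc >= outlen)
        return -1;
    /* Stricter than the original: a status code is exactly three digits. */
    if (inc != 3)
        return -1;
    for (i = 0; i < inc; i++)
        if (!isdigit((unsigned char)begin[i]))
            return -1;
    memcpy(out, begin, inc);
    out[inc] = '\0';
    return 0;
}
```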
Comment 3 Johannes Segitz 2017-03-30 14:35:35 UTC
Created attachment 719340 [details]
Crasher for issue 1

run the ruby script and configure keepalived with:

virtual_server 127.0.0.1 8080 {
    delay_loop 6
    lb_algo rr
    lb_kind NAT
    persistence_timeout 50
    protocol TCP

    real_server 127.0.0.1 8080 {
        weight 1
        HTTP_GET {
            url {
              path /
              digest ff20ad2481f97b1754ef3e12ecd3a9cc
            }
            url {
              path /mrtg/
              digest 9b3a0c85a887a256d6939da88aabd8cd
            }
            connect_timeout 3
            nb_get_retry 3
            delay_before_retry 3
        }
    }
}
Comment 4 Matthias Gerstner 2018-03-14 12:53:43 UTC
The bug found in comment 2 is not very promising.

Has this been fixed upstream, or reported to upstream at all?

Johannes, could you take care of this? Would be a shame to keep your finding a
secret ;-)

Otherwise I think we can close the bug until we have a more robust version
available that can be re-audited.
Comment 5 Johannes Segitz 2018-10-19 07:28:34 UTC
(In reply to Matthias Gerstner from comment #4)
shame on me. I sent this to upstream but didn't get a reaction. I'll try again with github issues and then we can close this
Comment 6 Johannes Segitz 2018-10-24 14:07:01 UTC
(In reply to Johannes Segitz from comment #2)
The issue is fixed upstream in f28015671a4b04785859d1b4b1327b367b6a10e9
Comment 7 Johannes Segitz 2018-10-25 15:11:59 UTC
I found two other issues. One isn't exploitable since it's caught by dbus itself. The other is the ability to overwrite arbitrary files if 
PrintData or PrintStats is invoked and fs.protected_symlinks=0 (default 1 for our products)

Reproducer:

user:
johannes@linux-v0tl:~> ls -lah /passwd
-rw-r--r-- 1 root root 2.9K Oct 25 16:47 /passwd
johannes@linux-v0tl:~> head -n 1 /passwd
at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
johannes@linux-v0tl:~> ln -s /passwd /tmp/keepalived.data

root:
# fs.protected_symlinks=0
# busctl call org.keepalived.Vrrp1 /org/keepalived/Vrrp1/Vrrp org.keepalived.Vrrp1.Vrrp  PrintData
# head -n1 /passwd
------< Global definitions >------

/tmp/keepalived.data and /tmp/keepalived.stats are also created with mode 666, so information can leak/be modified to/by unprivileged users. I'll create an upstream issue.
Comment 8 Johannes Segitz 2018-10-25 15:17:16 UTC
Tracked in 
https://github.com/acassen/keepalived/issues/1048

I would like to invest a little bit more time here (is also a good learning opportunity for dbus for me)
Comment 9 Johannes Segitz 2018-10-26 08:23:57 UTC
overall I'm not sure we want to enable this. There's not much defense in depth in there. E.g. set_valid_path in keepalived/vrrp/vrrp_dbus.c will happily overflow while creating a valid_path because it only checks that the input string still has characters, not if there's still space in the output buffer. Can't be exploited directly since handle_method_call checks the size, but it would be nice to have the check in the function that creates the path, so it can't be forgotten if it's reused somewhere else. Let's see if I find more
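An illustration of the output-space check comment 9 asks for, added here and not keepalived's set_valid_path: D-Bus only allows [A-Za-z0-9_] in an object-path element, and this builder refuses to continue as soon as the output buffer would run out. The `_XX` escaping scheme, the function name and the return convention are this example's assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not keepalived's set_valid_path(): builds a D-Bus
 * object-path element from an arbitrary name (e.g. an interface name)
 * with the check comment 9 asks for. D-Bus allows only [A-Za-z0-9_] in a
 * path element; this version (the escaping scheme is this example's own
 * choice) replaces any other byte with "_XX" hex and returns -1 as soon as
 * the output would not fit, instead of relying on every caller to check. */

/* Writes the escaped form of `name` into `out` (size `outlen`).
 * Returns the length written, or -1 if `out` is too small. `out` is always
 * NUL-terminated on success and left empty on failure. */
int build_valid_path_element(const char *name, char *out, size_t outlen)
{
    size_t pos = 0;
    if (outlen == 0)
        return -1;
    for (; *name; name++) {
        unsigned char c = (unsigned char)*name;
        int plain = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                    (c >= '0' && c <= '9') || c == '_';
        size_t need = plain ? 1 : 3;
        /* The check the original lacks: room for this piece plus the NUL. */
        if (pos + need >= outlen) {
            out[0] = '\0';
            return -1;
        }
        if (plain) {
            out[pos++] = (char)c;
        } else {
            out[pos++] = '_';
            out[pos++] = "0123456789abcdef"[c >> 4];
            out[pos++] = "0123456789abcdef"[c & 0xf];
        }
    }
    out[pos] = '\0';
    return (int)pos;
}
```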
Comment 10 Johannes Segitz 2018-11-06 16:43:55 UTC
(In reply to Johannes Segitz from comment #8)
The issue was fixed upstream and I'll request a CVE id for it

@Darix: So with that I would be willing to whitelist this if you still need the functionality. Is this the case?
Comment 11 Marcus Rückert 2018-11-07 13:50:24 UTC
Yes please
Comment 12 Johannes Segitz 2018-11-08 08:03:31 UTC
(In reply to Johannes Segitz from comment #7)
I asked MITRE for a CVE and they assigned three:
CVE-2018-19044 for https://github.com/acassen/keepalived/commit/04f2d32871bb3b11d7dc024039952f2fe2750306
CVE-2018-19045 for https://github.com/acassen/keepalived/commit/c6247a9ef2c7b33244ab1d3aa5d629ec49f0a067, https://github.com/acassen/keepalived/commit/5241e4d7b177d0b6f073cfc9ed5444bf51ec89d6
CVE-2018-19046 for the case that a user already created /tmp/keepalived.data or /tmp/keepalived.stats with mode 666, so it's not covered by the umask fix and should still be fixed
Comment 13 Johannes Segitz 2018-11-08 08:29:54 UTC
Once the issues are fixed I'll add the whitelist entry for the dbus service
Comment 14 Johannes Segitz 2018-11-08 10:22:45 UTC
making public so it can be used as CVE reference
Comment 15 Swamp Workflow Management 2018-11-08 15:50:05 UTC
This is an autogenerated message for OBS integration:
This bug (1015141) was mentioned in
https://build.opensuse.org/request/show/647347 Factory / rpmlint
Comment 16 Johannes Segitz 2018-11-09 07:36:46 UTC
(In reply to Johannes Segitz from comment #6)
This was assigned CVE-2018-19115.
Comment 17 Johannes Segitz 2018-11-12 16:25:48 UTC
(In reply to Johannes Segitz from comment #12)
CVE-2018-19046 is fixed by ac8e2ef, 26c8d63 and 17f9441
Comment 18 Marcus Meissner 2018-11-12 19:03:01 UTC
what files can you modify that are mode 666?

what can be done with the content?
Comment 19 Johannes Segitz 2018-11-13 07:45:24 UTC
(In reply to Marcus Meissner from comment #18)
/tmp/keepalived.data or /tmp/keepalived.stats could have been created with e.g. mode 666, so the umask fix doesn't work. This allows for exposure of the information in there or it can be changed by an attacker
Comment 20 Andreas Stieger 2018-12-14 10:38:32 UTC
Christian, your submitted maintenance update to 2.0.10 from 1.4.1/1.2.15 seems to be quite a big one. I would expect that such an update may cause existing installations to fail during a simple update, e.g. when configuration directives change or new mandatory options are introduced. Have you checked the compatibility here?
Comment 21 Swamp Workflow Management 2018-12-21 11:09:03 UTC
openSUSE-SU-2018:4212-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1015141,1069468,949238
CVE References: CVE-2018-19044,CVE-2018-19045,CVE-2018-19046
Sources used:
openSUSE Leap 42.3 (src):    keepalived-2.0.10-7.3.1
openSUSE Leap 15.0 (src):    keepalived-2.0.10-lp150.3.4.1
openSUSE Backports SLE-15 (src):    keepalived-2.0.10-bp150.3.4.1
Comment 22 Swamp Workflow Management 2018-12-21 11:09:54 UTC
openSUSE-SU-2018:4213-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1015141,1069468,949238
CVE References: CVE-2018-19044,CVE-2018-19045,CVE-2018-19046
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    keepalived-2.0.10-6.1
Comment 24 Swamp Workflow Management 2019-01-15 20:11:38 UTC
SUSE-RU-2019:0097-1: An update that has 14 recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1015141,1076467,1089114,1089340,1095769,1097339,1102836,1104110,1108037,1109938,1111254,1116686,1116758,1119975
CVE References: 
Sources used:
SUSE Linux Enterprise Module for Development Tools 15 (src):    rpmlint-1.10-7.3.1, rpmlint-mini-1.10-5.2.1
Comment 25 Swamp Workflow Management 2019-01-17 23:35:27 UTC
openSUSE-RU-2019:0059-1: An update that has 14 recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1015141,1076467,1089114,1089340,1095769,1097339,1102836,1104110,1108037,1109938,1111254,1116686,1116758,1119975
CVE References: 
Sources used:
openSUSE Leap 15.0 (src):    rpmlint-1.10-lp150.6.3.1, rpmlint-mini-1.10-lp150.4.3.1
Comment 27 Dirk Mueller 2019-08-15 10:06:31 UTC
no, it looks like we forgot to patch cloud7+
Comment 31 Swamp Workflow Management 2020-03-24 23:15:51 UTC
SUSE-SU-2020:0779-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1015141,1069468,1158280,949238
CVE References: CVE-2018-19044,CVE-2018-19045,CVE-2018-19046
Sources used:
SUSE Linux Enterprise High Availability 15-SP1 (src):    keepalived-2.0.19-3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 33 Marcus Meissner 2021-08-12 14:12:04 UTC
done