Bugzilla – Bug 1015141
VUL-0: CVE-2018-19044, CVE-2018-19045, CVE-2018-19046, CVE-2018-19115: keepalived: dbus support in keepalived
Last modified: 2021-08-12 14:12:04 UTC
I would like to enable dbus support in keepalived, which atm is blocked by the rpmlintrc check.

Code: https://github.com/acassen/keepalived/
Service file: https://github.com/acassen/keepalived/blob/master/keepalived/dbus/org.keepalived.Vrrp1.conf

Any objections?
Making the bug private to discuss the issues found.

1. Heap overflow when parsing HTTP responses

extract_status_code extracts the HTTP status codes from monitored servers.

    /* Allocate the room */
    buf_code = (char *)MALLOC(10);

    /* Status-Code extraction */
    while (buffer < end && *buffer++ != ' ') ;
    begin = buffer;
    while (buffer < end && *buffer++ != ' ')
        inc++;
    strncat(buf_code, begin, inc);

So if the status code is longer than 9 bytes we run into a problem here.

*** Error in `/usr/sbin/keepalived': free(): invalid pointer: 0x00000000006a76c0 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x7277f)[0x7fe12994577f]
/lib64/libc.so.6(+0x78026)[0x7fe12994b026]
/usr/sbin/keepalived[0x41ee13]
/usr/sbin/keepalived[0x40726c]
/usr/sbin/keepalived[0x40735c]
/usr/sbin/keepalived[0x41dbbd]
/usr/sbin/keepalived[0x40781b]
/usr/sbin/keepalived[0x403fa1]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x7fe1298f4b25]
/usr/sbin/keepalived[0x40405a]
======= Memory map: ========
00400000-0043c000 r-xp 00000000 08:03 24382537 /usr/sbin/keepalived
0063b000-0063c000 r--p 0003b000 08:03 24382537 /usr/sbin/keepalived
0063c000-0063e000 rw-p 0003c000 08:03 24382537 /usr/sbin/keepalived
0063e000-0063f000 rw-p 00000000 00:00 0
006a3000-006c4000 rw-p 00000000 00:00 0 [heap]
006c4000-006e6000 rw-p 00000000 00:00 0 [heap]
7fe128d84000-7fe128d9a000 r-xp 00000000 08:03 109576276 /lib64/libgcc_s.so.1
7fe128d9a000-7fe128f99000 ---p 00016000 08:03 109576276 /lib64/libgcc_s.so.1
7fe128f99000-7fe128f9a000 r--p 00015000 08:03 109576276 /lib64/libgcc_s.so.1
7fe128f9a000-7fe128f9b000 rw-p 00016000 08:03 109576276 /lib64/libgcc_s.so.1
7fe128f9b000-7fe12909b000 r-xp 00000000 08:03 109576372 /lib64/libm-2.19.so
7fe12909b000-7fe12929a000 ---p 00100000 08:03 109576372 /lib64/libm-2.19.so
7fe12929a000-7fe12929b000 r--p 000ff000 08:03 109576372 /lib64/libm-2.19.so
7fe12929b000-7fe12929c000 rw-p 00100000 08:03 109576372 /lib64/libm-2.19.so
7fe12929c000-7fe1292b4000 r-xp 00000000 08:03 109576328 /lib64/libpthread-2.19.so
7fe1292b4000-7fe1294b3000 ---p 00018000 08:03 109576328 /lib64/libpthread-2.19.so
7fe1294b3000-7fe1294b4000 r--p 00017000 08:03 109576328 /lib64/libpthread-2.19.so
7fe1294b4000-7fe1294b5000 rw-p 00018000 08:03 109576328 /lib64/libpthread-2.19.so
7fe1294b5000-7fe1294b9000 rw-p 00000000 00:00 0
7fe1294b9000-7fe1294ce000 r-xp 00000000 08:03 109576267 /lib64/libz.so.1.2.8
7fe1294ce000-7fe1296cd000 ---p 00015000 08:03 109576267 /lib64/libz.so.1.2.8
7fe1296cd000-7fe1296ce000 r--p 00014000 08:03 109576267 /lib64/libz.so.1.2.8
7fe1296ce000-7fe1296cf000 rw-p 00015000 08:03 109576267 /lib64/libz.so.1.2.8
7fe1296cf000-7fe1296d2000 r-xp 00000000 08:03 109576370 /lib64/libdl-2.19.so
7fe1296d2000-7fe1298d1000 ---p 00003000 08:03 109576370 /lib64/libdl-2.19.so
7fe1298d1000-7fe1298d2000 r--p 00002000 08:03 109576370 /lib64/libdl-2.19.so
7fe1298d2000-7fe1298d3000 rw-p 00003000 08:03 109576370 /lib64/libdl-2.19.so
7fe1298d3000-7fe129a71000 r-xp 00000000 08:03 109576339 /lib64/libc-2.19.so
7fe129a71000-7fe129c71000 ---p 0019e000 08:03 109576339 /lib64/libc-2.19.so
7fe129c71000-7fe129c75000 r--p 0019e000 08:03 109576339 /lib64/libc-2.19.so
7fe129c75000-7fe129c77000 rw-p 001a2000 08:03 109576339 /lib64/libc-2.19.so
7fe129c77000-7fe129c7b000 rw-p 00000000 00:00 0
7fe129c7b000-7fe129c97000 r-xp 00000000 08:03 24390723 /usr/lib64/libnl-3.so.200.18.0
7fe129c97000-7fe129e96000 ---p 0001c000 08:03 24390723 /usr/lib64/libnl-3.so.200.18.0
7fe129e96000-7fe129e98000 r--p 0001b000 08:03 24390723 /usr/lib64/libnl-3.so.200.18.0
7fe129e98000-7fe129e99000 rw-p 0001d000 08:03 24390723 /usr/lib64/libnl-3.so.200.18.0
7fe129e99000-7fe129e9e000 r-xp 00000000 08:03 24390725 /usr/lib64/libnl-genl-3.so.200.18.0
7fe129e9e000-7fe12a09e000 ---p 00005000 08:03 24390725 /usr/lib64/libnl-genl-3.so.200.18.0
7fe12a09e000-7fe12a09f000 r--p 00005000 08:03 24390725 /usr/lib64/libnl-genl-3.so.200.18.0
7fe12a09f000-7fe12a0a0000 rw-p 00006000 08:03 24390725 /usr/lib64/libnl-genl-3.so.200.18.0
7fe12a0a0000-7fe12a0ac000 r-xp 00000000 08:03 109576287 /lib64/libcrypt-2.19.so
7fe12a0ac000-7fe12a2ab000 ---p 0000c000 08:03 109576287 /lib64/libcrypt-2.19.so
7fe12a2ab000-7fe12a2ac000 r--p 0000b000 08:03 109576287 /lib64/libcrypt-2.19.so
7fe12a2ac000-7fe12a2ad000 rw-p 0000c000 08:03 109576287 /lib64/libcrypt-2.19.so
7fe12a2ad000-7fe12a2db000 rw-p 00000000 00:00 0
7fe12a2db000-7fe12a4a4000 r-xp 00000000 08:03 109576242 /lib64/libcrypto.so.1.0.0
7fe12a4a4000-7fe12a6a4000 ---p 001c9000 08:03 109576242 /lib64/libcrypto.so.1.0.0
7fe12a6a4000-7fe12a6be000 r--p 001c9000 08:03 109576242 /lib64/libcrypto.so.1.0.0
7fe12a6be000-7fe12a6cb000 rw-p 001e3000 08:03 109576242 /lib64/libcrypto.so.1.0.0
7fe12a6cb000-7fe12a6cf000 rw-p 00000000 00:00 0
7fe12a6cf000-7fe12a72d000 r-xp 00000000 08:03 109576332 /lib64/libssl.so.1.0.0
7fe12a72d000-7fe12a92c000 ---p 0005e000 08:03 109576332 /lib64/libssl.so.1.0.0
7fe12a92c000-7fe12a930000 r--p 0005d000 08:03 109576332 /lib64/libssl.so.1.0.0
7fe12a930000-7fe12a937000 rw-p 00061000 08:03 109576332 /lib64/libssl.so.1.0.0
7fe12a937000-7fe12a958000 r-xp 00000000 08:03 109576273 /lib64/ld-2.19.so
7fe12aae4000-7fe12ab19000 r--s 00000000 00:15 18783 /run/nscd/passwd
7fe12ab19000-7fe12ab1f000 rw-p 00000000 00:00 0
7fe12ab20000-7fe12ab21000 rw-p 00000000 00:00 0
7fe12ab21000-7fe12ab56000 r--s 00000000 00:15 18785 /run/nscd/dbQgXrem (deleted)
7fe12ab56000-7fe12ab57000 rw-p 00000000 00:00 0
7fe12ab57000-7fe12ab58000 r--p 00020000 08:03 109576273 /lib64/ld-2.19.so
7fe12ab58000-7fe12ab59000 rw-p 00021000 08:03 109576273 /lib64/ld-2.19.so
7fe12ab59000-7fe12ab5a000 rw-p 00000000 00:00 0
7ffd81e57000-7ffd81e78000 rw-p 00000000 00:00 0 [stack]
7ffd81e7b000-7ffd81e7d000 r--p 00000000 00:00 0 [vvar]
7ffd81e7d000-7ffd81e7f000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
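The status-code extraction quoted in the comment above, reduced to a stand-alone program, with a bounded version next to it. This is an added example, not keepalived's code and not the upstream fix: a 10-byte calloc() stands in for MALLOC(10), the HTTP status lines are constructed for the demonstration, and the bounded parser (which also enforces the three-digit status code of RFC 7230) is the editor's own, not the logic of the upstream commit.

```c
/* Added example, not keepalived code. Mirrors the extract_status_code logic
 * from the report above and shows the copy length that strncat() would use. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CODE_BUF 10   /* same 10-byte allocation as the original MALLOC(10) */

/* Mirrors the two loops of the vulnerable code and returns 'inc', the
 * byte count the remote server controls. strncat() then writes inc+1 bytes. */
size_t vuln_copy_length(const char *buffer, const char *end)
{
    size_t inc = 0;
    while (buffer < end && *buffer++ != ' ')   /* skip HTTP-version */
        ;
    while (buffer < end && *buffer++ != ' ')   /* count status token */
        inc++;
    return inc;
}

/* Faithful copy of the vulnerable extraction. With a status token longer
 * than CODE_BUF-1 bytes it overruns the heap chunk; only call it on benign
 * input, as the demo does. keepalived's MALLOC() zero-fills, hence calloc(). */
char *extract_status_code_vuln(const char *buffer, const char *end)
{
    const char *begin;
    size_t inc = 0;
    char *buf_code = calloc(1, CODE_BUF);
    if (!buf_code)
        return NULL;
    while (buffer < end && *buffer++ != ' ')
        ;
    begin = buffer;
    while (buffer < end && *buffer++ != ' ')
        inc++;
    strncat(buf_code, begin, inc);             /* no bound against CODE_BUF */
    return buf_code;
}

/* Bounded version (editor's own): the token length is checked against the
 * caller-supplied buffer before anything is copied, and a status code must
 * be exactly three digits. Returns 0 on success, -1 on a bad status line. */
int extract_status_code_safe(const char *buffer, size_t len,
                             char *out, size_t outlen)
{
    const char *end = buffer + len;
    const char *begin;
    size_t inc;

    if (outlen == 0)
        return -1;
    while (buffer < end && *buffer != ' ')
        buffer++;
    if (buffer == end)
        return -1;                             /* no space after HTTP-version */
    begin = ++buffer;
    while (buffer < end && *buffer != ' ')
        buffer++;
    inc = (size_t)(buffer - begin);
    if (inc >= outlen)
        return -1;                             /* would not fit: reject, don't truncate */
    if (inc != 3)
        return -1;                             /* RFC 7230: Status-Code = 3DIGIT */
    for (size_t i = 0; i < inc; i++)
        if (begin[i] < '0' || begin[i] > '9')
            return -1;
    memcpy(out, begin, inc);
    out[inc] = '\0';
    return 0;
}

int main(void)
{
    /* constructed sample responses from a monitored "server" */
    const char *ok   = "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n";
    const char *evil = "HTTP/1.1 2000000000000000 OK\r\n\r\n";
    char code[CODE_BUF];

    char *v = extract_status_code_vuln(ok, ok + strlen(ok));
    printf("vulnerable, benign input: \"%s\"\n", v ? v : "(null)");
    free(v);
    printf("vulnerable, crafted input: strncat would write %zu+1 bytes into %d\n",
           vuln_copy_length(evil, evil + strlen(evil)), CODE_BUF);

    if (extract_status_code_safe(ok, strlen(ok), code, sizeof code) == 0)
        printf("bounded, benign input: \"%s\"\n", code);
    if (extract_status_code_safe(evil, strlen(evil), code, sizeof code) != 0)
        printf("bounded, crafted input: rejected\n");
    return 0;
}
```

The important property is that the bounded parser rejects rather than truncates: silently copying the first nine bytes of "2000000000000000" would still hand the caller a plausible-looking code derived from attacker input.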
Created attachment 719340
Crasher for issue 1

run the ruby script and configure keepalived with:

    virtual_server 127.0.0.1 8080 {
        delay_loop 6
        lb_algo rr
        lb_kind NAT
        persistence_timeout 50
        protocol TCP

        real_server 127.0.0.1 8080 {
            weight 1
            HTTP_GET {
                url {
                    path /
                    digest ff20ad2481f97b1754ef3e12ecd3a9cc
                }
                url {
                    path /mrtg/
                    digest 9b3a0c85a887a256d6939da88aabd8cd
                }
                connect_timeout 3
                nb_get_retry 3
                delay_before_retry 3
            }
        }
    }
The bug found in comment 2 is not very promising. Has this been fixed upstream, or reported to upstream at all? Johannes, could you take care of this? Would be a shame to keep your finding a secret ;-) Otherwise I think we can close the bug until we have a more robust version available that can be re-audited.
(In reply to Matthias Gerstner from comment #4) Shame on me. I sent this to upstream but didn't get a reaction. I'll try again with GitHub issues and then we can close this.
(In reply to Johannes Segitz from comment #2) The issue is fixed upstream in f28015671a4b04785859d1b4b1327b367b6a10e9
I found two other issues. One isn't exploitable since it's caught by dbus itself. The other is the ability to overwrite arbitrary files if PrintData or PrintStats is invoked and fs.protected_symlinks=0 (default 1 for our products).

Reproducer:

user:

    johannes@linux-v0tl:~> ls -lah /passwd
    -rw-r--r-- 1 root root 2.9K Oct 25 16:47 /passwd
    johannes@linux-v0tl:~> head -n 1 /passwd
    at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
    johannes@linux-v0tl:~> ln -s /passwd /tmp/keepalived.data

root:

    # fs.protected_symlinks=0
    # busctl call org.keepalived.Vrrp1 /org/keepalived/Vrrp1/Vrrp org.keepalived.Vrrp1.Vrrp PrintData
    # head -n1 /passwd
    ------< Global definitions >------

/tmp/keepalived.data and /tmp/keepalived.stats are also created with mode 666, so the information can leak to, or be modified by, unprivileged users. I'll create an upstream issue.
Tracked in https://github.com/acassen/keepalived/issues/1048. I would like to invest a little bit more time here (it's also a good learning opportunity for dbus for me).
Overall I'm not sure we want to enable this. There's not much defense in depth in there. E.g. set_valid_path in keepalived/vrrp/vrrp_dbus.c will happily overflow while creating a valid_path, because it only checks that the input string still has characters, not whether there's still space in the output buffer. It can't be exploited directly since handle_method_call checks the size, but it would be nice to have the check in the function that creates the path, so it can't be forgotten if it's reused somewhere else. Let's see if I find more.
(In reply to Johannes Segitz from comment #8) The issue was fixed upstream and I'll request a CVE id for it @Darix: So with that I would be willing to whitelist this if you still need the functionality. Is this the case?
Yes please
(In reply to Johannes Segitz from comment #7) I asked MITRE for a CVE and they assigned three:

CVE-2018-19044 for https://github.com/acassen/keepalived/commit/04f2d32871bb3b11d7dc024039952f2fe2750306

CVE-2018-19045 for https://github.com/acassen/keepalived/commit/c6247a9ef2c7b33244ab1d3aa5d629ec49f0a067 and https://github.com/acassen/keepalived/commit/5241e4d7b177d0b6f073cfc9ed5444bf51ec89d6

CVE-2018-19046 for the case that a user already created /tmp/keepalived.data or /tmp/keepalived.stats with mode 666, so it's not covered by the umask fix and should still be fixed
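Both /tmp problems discussed in this thread, the symlink reproducer (ln -s /passwd /tmp/keepalived.data followed by PrintData) and the pre-created mode-666 file that a umask change does not cover, come from the same create-or-truncate-by-name pattern. The program below is an added example, not keepalived's code and not a reproduction of the upstream fix commits: it shows the vulnerable fopen("w") pattern clobbering a victim file through a planted symlink, and an open() with O_CREAT|O_EXCL|O_NOFOLLOW and an explicit 0600 mode refusing both the symlink and the pre-created world-writable file. The scratch directory under /tmp and the file names "passwd" and "keepalived.data" are made up for the demonstration; everything runs as the invoking user, so no root and no fs.protected_symlinks setting is needed.

```c
/* Added example, not keepalived code: unsafe vs. hardened creation of a
 * report file in a directory an attacker can write to. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern behind the bug: create-or-truncate by name. fopen() follows a
 * symlink at 'path' and the new file's mode depends only on the umask. */
static int unsafe_write(const char *path, const char *text)
{
    FILE *f = fopen(path, "w");
    if (!f)
        return -1;
    fputs(text, f);
    return fclose(f) == 0 ? 0 : -1;
}

/* Hardened: O_EXCL fails with EEXIST if anything is already at 'path',
 * including a symlink regardless of its target; O_NOFOLLOW refuses symlinks
 * on its own; the explicit 0600 does not depend on the daemon's umask. */
static int safe_create(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
}

static int safe_write(const char *path, const char *text)
{
    int fd = safe_create(path);
    if (fd < 0)
        return -1;                  /* errno from open() is preserved */
    size_t len = strlen(text);
    ssize_t n = write(fd, text, len);
    close(fd);
    return (n == (ssize_t)len) ? 0 : -1;
}

static ssize_t read_small(const char *path, char *buf, size_t buflen)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, buflen - 1);
    close(fd);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return n;
}

/* Runs both attack scenarios in a private scratch directory. Bit 1: the unsafe
 * write clobbered the victim through the symlink; bit 2: the hardened open
 * refused the symlink; bit 4: it refused the pre-created 0666 file. -1: setup failed. */
int demo_tmpfile_attacks(void)
{
    char dir[] = "/tmp/kadXXXXXX";  /* constructed scratch dir, falls back to cwd */
    char victim[64], target[64], buf[64];
    struct stat st;
    int fd, result = 0;

    if (!mkdtemp(dir)) {
        strcpy(dir, "./kadXXXXXX");
        if (!mkdtemp(dir))
            return -1;
    }
    snprintf(victim, sizeof victim, "%s/passwd", dir);          /* stands in for /passwd */
    snprintf(target, sizeof target, "%s/keepalived.data", dir); /* stands in for /tmp/keepalived.data */

    /* Scenario 1: the attacker plants target -> victim, as in the reproducer. */
    if (safe_write(victim, "root:x:0:0\n") != 0 || symlink(victim, target) != 0)
        goto out;
    if (unsafe_write(target, "------< Global definitions >------\n") == 0 &&
        read_small(victim, buf, sizeof buf) > 0 && strncmp(buf, "------<", 7) == 0)
        result |= 1;
    if (safe_write(target, "x") != 0 && errno == EEXIST)
        result |= 2;
    unlink(target);

    /* Scenario 2: the attacker pre-creates the file world-readable/writable. */
    fd = open(target, O_WRONLY | O_CREAT, 0666);
    if (fd < 0 || fchmod(fd, 0666) != 0) {   /* fchmod beats our own umask */
        if (fd >= 0)
            close(fd);
        goto out;
    }
    close(fd);
    if (safe_write(target, "x") != 0 && errno == EEXIST &&
        stat(target, &st) == 0 && (st.st_mode & 0777) == 0666)
        result |= 4;

out:
    unlink(target);
    unlink(victim);
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = demo_tmpfile_attacks();
    printf("fopen(\"w\") wrote through the planted symlink: %s\n", (r & 1) ? "yes" : "no");
    printf("O_EXCL|O_NOFOLLOW refused the symlink:          %s\n", (r & 2) ? "yes" : "no");
    printf("O_EXCL refused the pre-created 0666 file:       %s\n", (r & 4) ? "yes" : "no");
    return r == 7 ? 0 : 1;
}
```

Refusing to write is the right default here: if the daemon instead fell back to truncating or reusing the existing file, it would be writing its data into an inode the attacker owns or can read, which is exactly the CVE-2018-19046 case. A daemon that must produce such dumps should log the EEXIST and write into a directory only it can create files in, rather than into /tmp at a fixed name.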
Once the issues are fixed I'll add the whitelist entry for the dbus service
making public so it can be used as CVE reference
This is an autogenerated message for OBS integration: This bug (1015141) was mentioned in https://build.opensuse.org/request/show/647347 Factory / rpmlint
(In reply to Johannes Segitz from comment #6) This was assigned CVE-2018-19115.
(In reply to Johannes Segitz from comment #12) CVE-2018-19046 is fixed by ac8e2ef, 26c8d63 and 17f9441
What files can you modify that are mode 666? What can be done with the content?
(In reply to Marcus Meissner from comment #18) /tmp/keepalived.data or /tmp/keepalived.stats could have been created with e.g. mode 666, so the umask fix doesn't work. This allows for exposure of the information in there or it can be changed by an attacker
Christian, your submitted maintenance update to 2.0.10 from 1.4.1/1.2.15 seems to be quite a big one. I would expect that such an update may cause existing installations to fail during a simple update, e.g. when configuration directives change or new mandatory options are introduced. Have you checked the compatibility here?
openSUSE-SU-2018:4212-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1015141,1069468,949238
CVE References: CVE-2018-19044,CVE-2018-19045,CVE-2018-19046
Sources used:
openSUSE Leap 42.3 (src): keepalived-2.0.10-7.3.1
openSUSE Leap 15.0 (src): keepalived-2.0.10-lp150.3.4.1
openSUSE Backports SLE-15 (src): keepalived-2.0.10-bp150.3.4.1
openSUSE-SU-2018:4213-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1015141,1069468,949238
CVE References: CVE-2018-19044,CVE-2018-19045,CVE-2018-19046
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src): keepalived-2.0.10-6.1
SUSE-RU-2019:0097-1: An update that has 14 recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1015141,1076467,1089114,1089340,1095769,1097339,1102836,1104110,1108037,1109938,1111254,1116686,1116758,1119975
CVE References:
Sources used:
SUSE Linux Enterprise Module for Development Tools 15 (src): rpmlint-1.10-7.3.1, rpmlint-mini-1.10-5.2.1
openSUSE-RU-2019:0059-1: An update that has 14 recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1015141,1076467,1089114,1089340,1095769,1097339,1102836,1104110,1108037,1109938,1111254,1116686,1116758,1119975
CVE References:
Sources used:
openSUSE Leap 15.0 (src): rpmlint-1.10-lp150.6.3.1, rpmlint-mini-1.10-lp150.4.3.1
No, it looks like we forgot to patch Cloud 7+.
SUSE-SU-2020:0779-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1015141,1069468,1158280,949238
CVE References: CVE-2018-19044,CVE-2018-19045,CVE-2018-19046
Sources used:
SUSE Linux Enterprise High Availability 15-SP1 (src): keepalived-2.0.19-3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Resolved:
https://build.suse.de/package/show/SUSE:SLE-12-SP4:Update:Products:Cloud9:Update/keepalived
https://build.suse.de/package/show/SUSE:SLE-12-SP3:Update:Products:Cloud8:Update/keepalived

Will be released with the June MU:
https://build.suse.de/package/show/Devel:Cloud:7:Staging/keepalived

Security, please verify and close when appropriate.
done