Bug 1173258 - (CVE-2020-8903) VUL-0: CVE-2020-8903,CVE-2020-8907,CVE-2020-8933: privilege escalation in guest-oslogin
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Major
Assigned To: Robert Schweikert
Security Team bot
https://smash.suse.de/issue/262144/
CVSSv3.1:SUSE:CVE-2020-8903:7.8:(AV:L...
Reported: 2020-06-23 10:03 UTC by Wolfgang Frisch
Modified: 2020-08-11 16:14 UTC (History)
Found By: Security Response Team
Description Wolfgang Frisch 2020-06-23 10:03:11 UTC
CVE-2020-8903

A vulnerability in Google Cloud Platform's guest-oslogin versions between
20190304 and 20200507 allows a user that is only granted the role
"roles/compute.osLogin" to escalate privileges to root. Using the membership to
the "lxd" group, an attacker can attach host devices and filesystems. Within an
lxc container, it is possible to attach the host OS filesystem and modify
/etc/sudoers to then gain administrative privileges. All images created after
2020-May-07 (20200507) are fixed, and if you cannot update, we recommend you
edit /etc/group/security.conf and remove the "lxd" user from the OS Login entry.

CVE-2020-8907

A vulnerability in Google Cloud Platform's guest-oslogin versions between
20190304 and 20200507 allows a user that is only granted the role
"roles/compute.osLogin" to escalate privileges to root. Using their membership
to the "docker" group, an attacker with this role is able to run docker and
mount the host OS. Within docker, it is possible to modify the host OS
filesystem and modify /etc/groups to gain administrative privileges. All images
created after 2020-May-07 (20200507) are fixed, and if you cannot update, we
recommend you edit /etc/group/security.conf and remove the "docker" user from
the OS Login entry.

CVE-2020-8933

A vulnerability in Google Cloud Platform's guest-oslogin versions between
20190304 and 20200507 allows a user that is only granted the role
"roles/compute.osLogin" to escalate privileges to root. Using the membership to
the "lxd" group, an attacker can attach host devices and filesystems. Within an
lxc container, it is possible to attach the host OS filesystem and modify
/etc/sudoers to then gain administrative privileges. All images created after
2020-May-07 (20200507) are fixed, and if you cannot update, we recommend you
edit /etc/group/security.conf and remove the "lxd" user from the OS Login entry.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-8903
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-8907
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-8933
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8903
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8907
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8933
https://github.com/GoogleCloudPlatform/guest-oslogin/pull/29
https://gitlab.com/gitlab-com/gl-security/gl-redteam/red-team-tech-notes/-/tree/master/oslogin-privesc-june-2020
https://cloud.google.com/support/bulletins/#gcp-2020-008
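
An audit for the workaround described above, as an added example that is not part of the bug report or of guest-oslogin. It assumes the OS Login entry is a pam_group-style rule (`services;ttys;users;times;groups`); the rules file path is passed as an argument, and the function names and sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit pam_group-style rules for the groups named in this bug.
RISKY_GROUPS="adm docker lxd"

# Constructed sample, assumed rule format: services;ttys;users;times;groups
sample_conf() {
    cat <<'EOF'
# constructed sample, not copied from a real image
#sshd;*;*;Al0000-2400;lxd
sshd;*;*;Al0000-2400;adm,dip,docker,lxd,plugdev,video
login;tty*;*;Al0000-2400;docker
EOF
}

# Print "LINE:GROUP" for each active (uncommented) rule granting a risky group.
find_risky_grants() {
    awk -F';' -v risky="$RISKY_GROUPS" '
        BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
        /^[ \t]*#/ || NF < 5 { next }
        {
            m = split($5, g, /[, \t]+/)
            for (i = 1; i <= m; i++) if (g[i] in bad) print NR ":" g[i]
        }' "$1"
}

# Write the rules to stdout with risky groups removed; a rule left with no
# groups is commented out rather than emitted with an empty list.
strip_risky_grants() {
    awk -F';' -v OFS=';' -v risky="$RISKY_GROUPS" '
        BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
        /^[ \t]*#/ || NF < 5 { print; next }
        {
            m = split($5, g, /[, \t]+/); keep = ""
            for (i = 1; i <= m; i++)
                if (g[i] != "" && !(g[i] in bad))
                    keep = keep (keep == "" ? "" : ",") g[i]
            if (keep == "") { print "# " $0; next }
            $5 = keep; print
        }' "$1"
}

# Demo: report the risky grants in the constructed sample.
demo=$(mktemp) && sample_conf > "$demo" && find_risky_grants "$demo"
rm -f "$demo"
```

`strip_risky_grants` only writes to stdout, so the result can be diffed against the live file before anything is replaced.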
Comment 1 Wolfgang Frisch 2020-06-23 10:06:20 UTC
SUSE:SLE-11-SP3:Update   google-compute-engine   Not affected [1]
SUSE:SLE-12:Update       google-compute-engine   Affected
SUSE:SLE-15:Update       google-compute-engine   Affected

[1] The problematic code in `google_oslogin_control` is absent. Upstream explicitly excluded versions older than 20190304 in the advisory.
Comment 2 Wolfgang Frisch 2020-06-23 10:07:42 UTC
@cloud-bugs
Please verify if or how the guest-oslogin package is used in our Google Cloud images. All images that use guest-oslogin must be rebuilt after this is fixed.
Comment 4 Swamp Workflow Management 2020-07-15 16:20:28 UTC
SUSE-SU-2020:1934-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1169978,1173258
CVE References: CVE-2020-8903,CVE-2020-8907,CVE-2020-8933
Sources used:
SUSE Linux Enterprise Module for Public Cloud 15-SP2 (src):    google-compute-engine-20190801-4.38.1
SUSE Linux Enterprise Module for Public Cloud 15-SP1 (src):    google-compute-engine-20190801-4.38.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 5 Swamp Workflow Management 2020-07-18 22:14:43 UTC
openSUSE-SU-2020:0996-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1169978,1173258
CVE References: CVE-2020-8903,CVE-2020-8907,CVE-2020-8933
Sources used:
openSUSE Leap 15.1 (src):    google-compute-engine-20190801-lp151.2.25.1
Comment 6 Swamp Workflow Management 2020-07-19 22:14:12 UTC
openSUSE-SU-2020:1014-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1169978,1173258
CVE References: CVE-2020-8903,CVE-2020-8907,CVE-2020-8933
Sources used:
openSUSE Leap 15.2 (src):    google-compute-engine-20190801-lp152.5.4.1
Comment 7 jun wang 2020-08-10 09:03:37 UTC
I am testing google-compute-engine SUSE:Maintenance:15968:223418 update, and I notice that there is a changelog:

-  + Do not add the created user to the adm, docker, or lxd groups
-    if they exist
+  + Do not add the created user to the adm (CVE-2020-8903),
+    docker (CVE-2020-8907), or lxd (CVE-2020-8933) groups
+    if they exist (bsc#1173258)
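Review bot: the first added line ties the adm group to CVE-2020-8903, while the description in this bug gives CVE-2020-8903 the same lxd text as CVE-2020-8933, so the group-to-CVE mapping should be checked against the upstream advisory before the entry ships. The hunk also only rewords an existing changelog entry, so the entry should name the package that carries the code change it refers to.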


but I can't find the fix in the update, is this intentional?
Comment 8 Robert Schweikert 2020-08-10 11:04:14 UTC
google-compute-engine-init and google-compute-engine-oslogin have been replaced by google-guest-agent and google-guest-oslogin. The google-guest-oslogin package has the fixes for this bug.
Comment 9 jun wang 2020-08-10 11:54:57 UTC
(In reply to Robert Schweikert from comment #8)
> google-compute-engine-init and google-compute-engine-oslogin have been
> replaced by google-guest-agent and google-guest-oslogin. The
> google-guest-oslogin package has the fixes for this bug.

OK, I see. Thank you for your reply
Comment 10 Swamp Workflow Management 2020-08-11 16:14:50 UTC
SUSE-SU-2020:2200-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1169978,1173258
CVE References: CVE-2020-8903,CVE-2020-8907,CVE-2020-8933
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Public Cloud 12 (src):    google-compute-engine-20190801-54.1
