Bug 1182777 - (CVE-2021-25316) VUL-0: CVE-2021-25316: s390-tools: Local DoS of VM live migration due to use of static tmp files in detach_disks.sh
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: S/390-64 Other
Priority: P4 - Low
Severity: Normal
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/278588/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-25316:6.1:(AV:...
Depends on:
Blocks: 1180877
Reported: 2021-02-25 18:03 UTC by Wolfgang Frisch
Modified: 2021-04-19 16:33 UTC
See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Wolfgang Frisch 2021-02-25 18:03:40 UTC
+++ This bug was initially created as a clone of Bug #1180877 +++

In openSUSE:Factory/s390-tools/detach_disks.sh, predictable /tmp files are used.

```
COOKIE=$(mcookie)
DASDFILE=/tmp/dasd.list.${COOKIE}
DETFILE=/tmp/detach.disks.${COOKIE}
KEEPFILE=/tmp/keep.disks.${COOKIE}
NICFILE=/tmp/nic.list.${COOKIE}
FAILFILE=/tmp/error.${COOKIE}
```

The cookie is an unpredictable 32 character hash. However, since the script does not create all temp files at once, we can watch /tmp with inotify, get the cookie from the first created file, and predict the remaining paths.

Example run of detach_disks.sh, logged with `inotifywait -m -e create /tmp/`:
```
/tmp/ CREATE dasd.list.ce4955d2133c9c6e425791e39af56340
/tmp/ CREATE detach.disks.ce4955d2133c9c6e425791e39af56340
/tmp/ CREATE keep.disks.ce4955d2133c9c6e425791e39af56340
/tmp/ CREATE nic.list.ce4955d2133c9c6e425791e39af56340
```

Steps to reproduce:
As root:
- configure ZVM_DISKS_TO_DETACH in /etc/sysconfig/virtsetup
  e.g. ZVM_DISKS_TO_DETACH="1"
- mkdir /test
- touch /test/shadow

As an unprivileged user:
- Run the attached `PoC-detach_disks.py`

As root:
- /usr/lib/systemd/scripts/detach_disks.sh

Consequences:
- If fs.protected_symlinks = 1 (default on SLE),
  the unprivileged user can deny the service of detach_disks.sh.
- If fs.protected_symlinks = 0,
  the unprivileged user can overwrite arbitrary files.
Comment 1 Wolfgang Frisch 2021-02-25 18:04:19 UTC
Created attachment 846546 [details]
PoC-detach_disks.py
Comment 2 Wolfgang Frisch 2021-02-25 18:10:59 UTC
One solution would be to confine all the temp files in a securely created temporary directory, e.g. with tmpdir=$(mktemp -d /tmp/detach_disks.XXXXXX).
Comment 4 Mark Post 2021-02-26 20:37:23 UTC
I am considering making the following change. It should eliminate any possibility of "guessing" the filenames that are being created. Let me know what you think.
--- detach_disks.sh.20160524	2016-05-24 15:14:19.000000000 -0400
+++ detach_disks.sh	2021-02-26 10:36:50.946676687 -0500
@@ -1,11 +1,10 @@
 #!/bin/sh
 
-COOKIE=$(mcookie)
-DASDFILE=/tmp/dasd.list.${COOKIE}
-DETFILE=/tmp/detach.disks.${COOKIE}
-KEEPFILE=/tmp/keep.disks.${COOKIE}
-NICFILE=/tmp/nic.list.${COOKIE}
-FAILFILE=/tmp/error.${COOKIE}
+DASDFILE=/tmp/dasd.list.${mcookie}
+DETFILE=/tmp/detach.disks.${mcookie}
+KEEPFILE=/tmp/keep.disks.${mcookie}
+NICFILE=/tmp/nic.list.${mcookie}
+FAILFILE=/tmp/error.${mcookie}
 
 function expand_RANGE(){
 local RANGE=${1}
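Review bot: the five `+` lines use `${mcookie}`, which is parameter expansion of a variable that is never set, not the `$(mcookie)` command substitution that the removed `COOKIE=$(mcookie)` line performed, so as written every path collapses to a constant name such as `/tmp/dasd.list` and the files become more predictable than before, not less. Either write `$(mcookie)` in each of the five assignments, or drop the name-guessing approach entirely and let `mktemp` create each file (`DASDFILE=$(mktemp /tmp/dasd.list.XXXXXX)`) or create one `mktemp -d` directory and put all five files inside it; `mktemp` creates the entry atomically with a random name and restrictive mode, whereas an unguessable name followed by a later `>` redirect still relies on nothing having been placed at that path in between.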
Comment 6 Wolfgang Frisch 2021-02-28 21:32:30 UTC
(In reply to Mark Post from comment #4)
> I am considering making the following change. It should eliminate any
> possibility of "guessing" the filenames that are being created. Let me know
> what you think.
> --- detach_disks.sh.20160524	2016-05-24 15:14:19.000000000 -0400
> +++ detach_disks.sh	2021-02-26 10:36:50.946676687 -0500
> @@ -1,11 +1,10 @@
>  #!/bin/sh
>  
> -COOKIE=$(mcookie)
> -DASDFILE=/tmp/dasd.list.${COOKIE}
> -DETFILE=/tmp/detach.disks.${COOKIE}
> -KEEPFILE=/tmp/keep.disks.${COOKIE}
> -NICFILE=/tmp/nic.list.${COOKIE}
> -FAILFILE=/tmp/error.${COOKIE}
> +DASDFILE=/tmp/dasd.list.${mcookie}
> +DETFILE=/tmp/detach.disks.${mcookie}
> +KEEPFILE=/tmp/keep.disks.${mcookie}
> +NICFILE=/tmp/nic.list.${mcookie}
> +FAILFILE=/tmp/error.${mcookie}
>  
>  function expand_RANGE(){
>  local RANGE=${1}

Thanks for the quick reaction.

This is OK in principle, but there's a typo in the suggested changes: it should be $(mcookie) instead of ${mcookie}, which refers to a non-existent variable.

The standard `mktemp` utility would be an acceptable alternative, e.g.:
DASDFILE=$(/tmp/dasd.list.XXXXXX)
Comment 7 Wolfgang Frisch 2021-02-28 21:33:13 UTC
DASDFILE=$(mktemp /tmp/dasd.list.XXXXXX)
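The mitigation proposed in comment 2 (confine every temp file to one securely created `mktemp -d` directory), which also covers the per-file `mktemp` form from comments 6 and 7, worked through as an added example. This is not the s390-tools script; the function names and `TMPDIR_PRIV` are this example's own.

```shell
#!/bin/sh
# Added example, not the s390-tools script: the mitigation proposed in this
# thread, with every scratch file confined to one private mktemp -d directory.
# The names setup_tmpdir, tmpdir_is_private, safe_write, TMPDIR_PRIV are this
# example's own.
set -eu

# Create the private scratch directory and derive every temp path from it.
# mktemp -d creates the directory atomically, mode 0700, with a random suffix,
# so a pre-planted /tmp entry cannot be hit and an inotify watcher on /tmp
# learns nothing from which the other file names could be derived.
setup_tmpdir() {
    TMPDIR_PRIV=$(mktemp -d "${TMPDIR:-/tmp}/detach_disks.XXXXXX") || return 1
    # Remove the directory on exit, including error exits and signals.
    trap 'rm -rf -- "$TMPDIR_PRIV"' EXIT INT TERM HUP
    DASDFILE=$TMPDIR_PRIV/dasd.list
    DETFILE=$TMPDIR_PRIV/detach.disks
    KEEPFILE=$TMPDIR_PRIV/keep.disks
    NICFILE=$TMPDIR_PRIV/nic.list
    FAILFILE=$TMPDIR_PRIV/error
    # Fixed names are fine now: the directory, not the file name, is unguessable.
    for f in "$DASDFILE" "$DETFILE" "$KEEPFILE" "$NICFILE" "$FAILFILE"; do
        : > "$f"
    done
}

# Check a scratch directory before trusting it: a real directory (not a
# symlink), owned by the caller, mode 0700. ls is parsed instead of stat
# because stat's flags differ between GNU and BSD.
tmpdir_is_private() {
    d=${1:-$TMPDIR_PRIV}
    [ -d "$d" ] && [ ! -L "$d" ] && [ -O "$d" ] || return 1
    case $(ls -ld "$d") in
        drwx------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Write only to a non-symlink path inside the private directory. The symlink
# check matters where fs.protected_symlinks=0 and the kernel would follow it.
safe_write() {
    case $1 in
        "$TMPDIR_PRIV"/*) ;;
        *) return 1 ;;
    esac
    [ ! -L "$1" ] || return 1
    printf '%s\n' "$2" > "$1"
}
```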
Comment 8 Mark Post 2021-02-28 23:22:39 UTC
(In reply to Wolfgang Frisch from comment #6)
-snip-
> This is OK in principal but there's a typo in the suggested changes: It
> should be $(mcookie) instead of ${mcookie}, which refers to a non-existent
> variable.

Argh. You're right, of course.
Comment 9 OBSbugzilla Bot 2021-03-01 00:10:06 UTC
This is an autogenerated message for OBS integration:
This bug (1182777) was mentioned in
https://build.opensuse.org/request/show/875842 Factory / s390-tools
Comment 11 Johannes Segitz 2021-03-01 09:24:10 UTC
Please use CVE-2021-25316 for this
Comment 13 OBSbugzilla Bot 2021-03-01 16:50:07 UTC
This is an autogenerated message for OBS integration:
This bug (1182777) was mentioned in
https://build.opensuse.org/request/show/876032 Factory / s390-tools
Comment 16 OBSbugzilla Bot 2021-03-08 23:20:07 UTC
This is an autogenerated message for OBS integration:
This bug (1182777) was mentioned in
https://build.opensuse.org/request/show/877835 Factory / s390-tools
Comment 18 Mark Post 2021-03-09 21:19:32 UTC
Could you remove 1180877 from the "Depends on" for this bug? I can't mark it resolved with that there, and I can't remove it, either. Thanks.
Comment 19 Johannes Segitz 2021-03-10 06:53:09 UTC
Done. Leaving the needinfo for Wolfgang.

@Wolfgang: If you clone the bug, Bugzilla creates (for us) nonsensical relationships. You need to adjust it so that the new bug blocks the parent bug, so that the closed bugs can be closed before we close the tracker bug.
Comment 20 Mark Post 2021-03-10 17:16:30 UTC
Updated packages have been submitted to openSUSE:Factory, SLE-12-SP5, and SLE-15-SP2.
Comment 21 Mark Post 2021-03-10 17:19:08 UTC
Updated package has been submitted to SLE-15-SP3 as well.
Comment 22 Alexandros Toptsoglou 2021-03-11 10:07:45 UTC
(In reply to Mark Post from comment #21)
> Updated package has been submitted to SLE-15-SP3 as well.

Please do not resolve security bugs, instead assign back to security team when you are done for a final review.
Comment 23 Swamp Workflow Management 2021-03-12 20:17:31 UTC
SUSE-SU-2021:0776-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (important)
Bug References: 1182777,1182876,1183041
CVE References: CVE-2021-25316
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src):    s390-tools-2.1.0-18.29.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 24 Swamp Workflow Management 2021-03-12 20:25:18 UTC
SUSE-SU-2021:0777-1: An update that solves one vulnerability and has three fixes is now available.

Category: security (important)
Bug References: 1176574,1182777,1182876,1183040
CVE References: CVE-2021-25316
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    s390-tools-2.11.0-9.20.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 25 Wolfgang Frisch 2021-04-19 16:33:51 UTC
Released!