Bugzilla – Bug 1183057
VUL-0: CVE-2021-42257: monitoring-plugins-smart: unprivileged user can modify SMART settings due to insufficient input validation in check_smart.pl
Last modified: 2021-10-14 19:31:33 UTC
+++ This bug was initially created as a clone of Bug #1180880 +++

The script `check_smart.pl` in monitoring-plugins-smart [0] is supposed to gather read-only information about hard drives by calling `smartctl` [1]. The latter requires root privileges, so the package grants passwordless access to the nagios user via `/etc/sudoers.d/monitoring-plugins-smart`.

Example intended usage:

```
/usr/lib/nagios/plugins/check_smart -i auto -d /dev/sda
>OK: Drive ST2000LM007-1R8174 S/N WDZJESC2: no SMART errors detected.
```

An oversight in the script's input validation of the device (-d) parameter allows the unprivileged `nagios` user to modify SMART settings, disable SMART monitoring entirely, shut down the drive or degrade the drive's performance by disabling its read cache.

The -d parameter is validated as follows:

```
if (-b $opt_dl || -c $opt_dl || $opt_dl =~ m/\/dev\/bus\/\d/) {
    $device .= $opt_dl.":";
} else {
    warn "$opt_dl is not a valid block/character special device!\n\n" if $opt_debug;
}
```

So an acceptable device name would be a block special device, a char special device or match the regex `/dev/bus/\d`. Critically, this regex matches even when /dev/bus/\d is just a _substring_ of any arbitrary directory, for example `/tmp/dev/bus/1/sda`.

Later, this parameter is used to spawn a subprocess:

```
my $full_command = "$smart_command -d $interface -Hi $device";
my @output = `$full_command`;
```

This can be exploited to pass arbitrary parameters to smartctl, some of which affect the drive's behavior negatively.

Steps to reproduce:
-------------------

```
# simulate nagios user
su -l -s /bin/bash nagios
mkdir -p /tmp/dev/bus/1/
ln -s /dev/sda /tmp/dev/bus/1/
ls -l /tmp/dev/bus/1/sda
>lrwxrwxrwx 1 nagios nagios 8 Mar 4 21:27 /tmp/dev/bus/1/sda -> /dev/sda
/usr/lib/nagios/plugins/check_smart --debug -i auto -d "/tmp/dev/bus/1/sda -s off"
>(debug) executing:
>sudo smartctl -d auto -Hi /tmp/dev/bus/1/sda -s off
>SMART Disabled.
```

Remediation:
------------

- Improve the validation regex, e.g. ^/dev/bus/\d$
- Prevent shell command injection, e.g. by passing a list to the system function.

[0] https://github.com/Napsty/check_smart/
[1] https://www.smartmontools.org/
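The two remediation points from the report, combined in one sketch. This is an added example, not the upstream patch or code from the reporter; the function names, the accepted character sets and the use of `\d+` with `\A`/`\z` anchors are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Anchored check: the whole string must be a /dev path made of safe characters.
# \A and \z are used because $ would still accept a trailing newline.
sub valid_device {
    my ($dev) = @_;
    return 0 unless defined $dev && $dev =~ m{\A/dev/[A-Za-z0-9_./-]+\z};
    return 0 if $dev =~ m{/\.\.(?:/|\z)};          # no path traversal out of /dev
    return 1 if $dev =~ m{\A/dev/bus/\d+\z};       # pseudo-device, e.g. /dev/bus/0
    return (-b $dev || -c $dev) ? 1 : 0;           # otherwise a real device node
}

# Build the command as a list; each element reaches smartctl as one argument.
sub smartctl_argv {
    my ($interface, $dev) = @_;
    # Assumed character set for -d types such as auto, sat, megaraid,N
    die "invalid interface\n" unless $interface =~ /\A[A-Za-z0-9,+_]+\z/;
    die "invalid device\n"    unless valid_device($dev);
    return ('sudo', 'smartctl', '-d', $interface, '-Hi', $dev);
}

# List-form pipe open: no /bin/sh, so no word splitting or metacharacters.
sub run_no_shell {
    my @argv = @_;
    open(my $fh, '-|', @argv) or die "cannot run $argv[0]: $!\n";
    my @out = <$fh>;
    close $fh;
    return @out;
}

# Constructed sample inputs, including the value from the report above.
for my $dev ('/dev/bus/1', '/tmp/dev/bus/1/sda -s off', '/dev/bus/1 -s off', "/dev/bus/1\n") {
    (my $shown = $dev) =~ s/\n/\\n/g;
    printf "%-30s %s\n", "'$shown'", valid_device($dev) ? 'accepted' : 'rejected';
}
print join(' ', smartctl_argv('auto', '/dev/bus/1')), "\n";

# A value with spaces stays a single argument when no shell is involved.
print run_no_shell($^X, '-e', 'print scalar(@ARGV), "\n"', '/dev/bus/1 -s off');
```

In the plugin, the output would come from `run_no_shell(smartctl_argv($interface, $device))` instead of the backtick call on an interpolated string.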
Upstream fix: https://github.com/Napsty/check_smart/pull/68/commits/ae31b1a4c244323bdd20b04a7545830d96f36e9d
Upgraded package submitted in server:monitoring.

SR to
- openSUSE:Factory -> 892019
- openSUSE:Backports:SLE-15-SP1:Update -> 892015
- openSUSE:Backports:SLE-15-SP2:Update -> 892016
- openSUSE:Backports:SLE-15-SP3 -> 892017
- openSUSE:Leap:15.2:Update -> 892018

All upgraded to the version in server:monitoring.

Suggestion for the Patchinfo:

This upgrade to version 6.9.1 mainly fixes a security issue, which allows an attacker to modify SMART settings due to insufficient input validation in check_smart (bsc#1183057).

In addition, the following new features are integrated:

+ Allows using PCI device paths as device name(s) (#64)
+ Introduce new optional parameter (-l/--ssd-lifetime) which additionally checks SMART attribute "Percent_Lifetime_Remain" (available on some SSD drives). (#66 #67)
+ Allow skip self-assessment check (--skip-self-assessment)
+ Add Command_Timeout to default raw list
+ Added support for NVMe drives
+ The feature was requested in #30. This PR adds the possibility to use 3ware,N and cciss,N drives in combination with the global -g parameter.
+ Furthermore this PR adjusts the output of the plugin when the -g is used in combination with hardware raid controllers. Instead of showing the logical device name (/dev/sda for example), the plugin will now show the controller with drive number
+ Add Reported_Uncorrect and Reallocated_Event_Count to default raw list.
This is an autogenerated message for OBS integration:
This bug (1183057) was mentioned in
- https://build.opensuse.org/request/show/892023 Factory / monitoring-plugins-smart
- https://build.opensuse.org/request/show/892024 Backports:SLE-15-SP1 / monitoring-plugins-smart
- https://build.opensuse.org/request/show/892025 Backports:SLE-15-SP2 / monitoring-plugins-smart
- https://build.opensuse.org/request/show/892026 Backports:SLE-15-SP3 / monitoring-plugins-smart
- https://build.opensuse.org/request/show/892027 15.2 / monitoring-plugins-smart
openSUSE-SU-2021:0706-1: An update that contains security fixes can now be installed.

Category: security (important)
Bug References: 1183057
CVE References:
JIRA References:
Sources used:
- openSUSE Leap 15.2 (src): monitoring-plugins-smart-6.9.1-lp152.4.3.1
- openSUSE Backports SLE-15-SP2 (src): monitoring-plugins-smart-6.9.1-bp152.4.3.1
- openSUSE Backports SLE-15-SP1 (src): monitoring-plugins-smart-6.9.1-bp151.4.3.1
CVE-2021-42257 was assigned to this issue.