Bugzilla – Bug 1191890
VUL-1: CVE-2021-44038: quagga: Local privilege escalation from quagga to root
Last modified: 2023-10-31 12:18:44 UTC
Quagga has several local privilege escalations (LPE) from the runtime user to root. openSUSE is affected, but the package is broken, so it's currently only a minor threat. SLES is not affected.

Vector 1: service files run chown/chmod in a user-owned directory. Introduced upstream with commit 9d035625fe5aa648d4bece430df24bcd2c04c2f2, e.g. isisd.service:

    ExecStartPre=-/bin/chmod -f 640 /etc/quagga/isisd.conf
    ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/isisd.conf

/etc/quagga belongs to $quagga_user, so usually quagga. By creating a symlink to another file (e.g. /etc/passwd) quagga can become the owner of this file. Since the openSUSE package is currently broken because $QUAGGA_USER:$QUAGGA_GROUP is not set, only the chmod works.

Vector 2: Introduced upstream with commit a5efdb60905049e1224a020b78dd9699bdd15b29, although one chown was already there before. Doesn't affect us at all since we don't have it. Here for completeness and to make the maintainer aware. The suggested spec file has (redhat/quagga.spec.in):

    %if 0%{?quagga_user:1}
    chown %quagga_user:%quagga_user %{_sysconfdir}/zebra.conf*
    %endif
    chmod 640 %{_sysconfdir}/zebra.conf
    fi
    for daemon in %{all_daemons} ; do
      if [ ! -e %{_sysconfdir}/${daemon}.conf ]; then
        touch %{_sysconfdir}/${daemon}.conf
    %if 0%{?quagga_user:1}
        chown %quagga_user:%quagga_user %{_sysconfdir}/${daemon}.conf*
    %endif
      fi
    done

so it's vulnerable to the same issues.

I'm currently trying to get in touch with upstream, but the project seems dead. I'll request a CVE for this once I've clarified that with them.
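The primitive behind both vectors is the same: chmod(1) and chown(1) follow symlinks, so a root-run mode or ownership change on a path inside a directory the service user owns is really a change on whatever that user points the name at. The script below is an added demonstration, not code from the bug or the quagga project: it reproduces the vector unprivileged in a temporary directory (a "victim" file stands in for /etc/passwd, "confdir" for /etc/quagga) and contrasts it with a guarded variant that refuses to act on anything that is not a plain regular file. It assumes Linux with GNU coreutils (stat -c).

```shell
#!/bin/sh
# Added example (not from the bug report or quagga). Demonstrates, without
# root, why "ExecStartPre=-/bin/chmod -f 640 <file in service-user-owned dir>"
# is a symlink privilege-escalation primitive, and shows a guarded variant.
# Assumes GNU coreutils for "stat -c %a".

# Build the scenario the reporter describes, in a throwaway directory:
#   $tmp/victim              stands in for /etc/passwd (mode 600)
#   $tmp/confdir/isisd.conf  is a symlink the "service user" planted
# Prints the temp dir path.
setup_scenario() {
    tmp=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$tmp/victim"
    chmod 600 "$tmp/victim"
    mkdir "$tmp/confdir"
    ln -s "$tmp/victim" "$tmp/confdir/isisd.conf"
    echo "$tmp"
}

# What the original unit file does: chmod dereferences the symlink, so the
# mode of the victim changes. Prints the victim's resulting mode (640).
demo_vulnerable() {
    tmp=$(setup_scenario)
    chmod -f 640 "$tmp/confdir/isisd.conf"
    stat -c %a "$tmp/victim"
    rm -rf "$tmp"
}

# Guarded variant: only touch a plain regular file, never a symlink or
# anything else. Returns 1 (and does nothing) otherwise.
safe_chmod() { # usage: safe_chmod MODE PATH
    if [ -L "$2" ] || [ ! -f "$2" ]; then
        return 1
    fi
    chmod "$1" "$2"
}

# Same scenario with the guard. Prints "<safe_chmod exit status> <victim mode>",
# i.e. "1 600": the symlink is refused and the victim is untouched.
demo_guarded() {
    tmp=$(setup_scenario)
    if safe_chmod 640 "$tmp/confdir/isisd.conf"; then rc=0; else rc=$?; fi
    mode=$(stat -c %a "$tmp/victim")
    rm -rf "$tmp"
    echo "$rc $mode"
}

# Stand-alone run:
#   demo_vulnerable  -> 640   (victim's mode was changed through the link)
#   demo_guarded     -> 1 600 (refused, victim untouched)
demo_vulnerable
demo_guarded
```

The guard is still check-then-act from a shell, so a user who can race the ExecStartPre (swap the regular file for a symlink between the test and the chmod) has a window; the race-free form needs open(O_NOFOLLOW) plus fstat/fchmod in a compiled helper. That is why the fix that was eventually submitted simply removes these lines from the unit files rather than hardening them: ownership and mode of files in a directory the unprivileged user controls are not something a root-run pre-start step should be correcting at all.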
This is an embargoed bug. This means that this information is not public. Please do NOT:
- talk to other people about this unless they're involved in fixing the issue
- make this bug public
- submit this into OBS (e.g. fix Leap/Tumbleweed) until this bug becomes public (e.g. no EMBARGOED tag on the header)

Your primary responsibility is to develop a fix for this issue. Here is some guidance on openSUSE package maintenance:
- https://en.opensuse.org/openSUSE:Package_maintenance
- https://en.opensuse.org/openSUSE:Maintenance_update_process

You need to submit AFTER the bug became public, to the current openSUSE Leap codestreams, and to the devel project of your package.

The security team will then take the following steps:
- We wait for your submission and package them into an incident for QA testing. The QA tester might reach out to you if they find issues with the update.
- If QA doesn't find any issues, we publish the updates.

You can contact us at:
* IRC: irc.suse.de #security
* Do NOT use Slack or any non-SUSE hosted messaging services
* Email: security-team@suse.de

Internal CRD: 2022-01-19 or earlier
(In reply to Johannes Segitz from comment #0)
> Quagga has several local privilege escalations (LPE) from the runtime user to
> root. openSUSE is affected, but package is broken so it's currently only a
> minor threat. SLES not affected.

Yes, it is AFAIS a factory/tumbleweed only issue; openSUSE:Leap:15.x:Update is still using quagga 1.1 as on SLE.

[...]

> I'm currently trying to get in touch with upstream, but the project seems
> dead. I'll request a CVE for this once I clarified that with them

Yes, IMO quagga is more or less dead since the frr fork/follow-up happened (quagga 1.1 -> frr 2.0), to which most of the developers moved. The master git repo (http://git.savannah.gnu.org/cgit/quagga.git) and also the content behind https://www.quagga.net/ "vanished"; https://github.com/Quagga/quagga shows that the last commit was on 4 Feb 2018.

We've added the frr pkg to SLE-15-SP3 (https://jira.suse.com/browse/SLE-15017) instead of updating quagga (quagga 1.2 was also marked experimental...).

Once we've addressed vector 1 in factory, maybe a drop request for factory would be an option?
Yes, that sounds like a plan. I'll request CVEs and post them here.
I'm making it public to use it as a CVE reference.
Please use CVE-2021-44038 to track this and submit the fix for openSUSE. Thank you.
*** Bug 1202935 has been marked as a duplicate of this bug. ***
In https://build.opensuse.org/request/show/1035188 -> network now:

-------------------------------------------------------------------
Fri Nov 11 09:07:22 UTC 2022 - Marius Tomaschewski <mt@suse.com>

- Remove attempts to correct configuration file ownership and permissions in service files, that may lead to local privilege escalation from quagga to root (bsc#1191890,CVE-2021-44038).
  [+ remove-chown-chmod.service.patch]
- Correct hardening patches adding ReadWritePaths=/etc/quagga
- Add update-messages that quagga is not developed for years, is about to get dropped from Factory/Tumbleweed soon and users should migrate to FRR (https://frrouting.org/).
-------------------------------------------------------------------
The above submission request 1035188 has been accepted. I've opened an openSUSE:Factory / quagga drop request:
- https://build.opensuse.org/request/show/1036299

Back to security team.
And we can close it, thanks.