Bug 1194002 - (CVE-2022-23950) VUL-0: CVE-2022-23950: keylime: Revocation Notifier Uses fixed /tmp Path for UNIX Domain Socket
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Audits
Assigned To: Security Team bot
Blocks: 1191739
Reported: 2021-12-22 11:11 UTC by Matthias Gerstner
Modified: 2022-02-18 09:53 UTC (History)
Description Matthias Gerstner 2021-12-22 11:11:19 UTC
This bug is to keep track of keylime review report item 4.a:

 ### a) Revocation Notifier Uses fixed /tmp Path for UNIX Domain Socket
 
 In *revocation_notifier.py* a fixed path in the world writable location
 */tmp/keylime.verifier.ipc* is used. The code (in this case the third party
 `zeromq` Python module) forcefully removes any file object found there
 earlier.
 Should the program be running as non-root, or if another local user simply
 places a *directory* at this location, then this serves as a local DoS attack
 against the revocation notifier process, because the socket cannot be created.
 
 This situation doesn't even seem to be noticed by the verifier main process,
 because the child process `broker_proc` is never waited on. This means that
 the local attacker could even replace the "blocking" directory by his own UNIX
 domain socket later on and will then receive revocation events from
 invocations of the `notify()` function in the main verifier process.
 The full impact of this would have to be researched further. It looks like
 failed quote notifications would no longer be sent out.
 
 I recommend placing UNIX domain sockets in a dedicated safe directory in
 /run that cannot be staged with attacks by other local users in the system.
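A defensive check of the kind the recommendation above calls for, as an added example that is not keylime's own code: it verifies that the socket directory is private to the process user and refuses to bind when a foreign object (such as the attacker-placed directory described above) has been staged at the socket path. The stdlib `AF_UNIX` socket stands in for the `zeromq` ipc transport, and the directory used in `demo()` is constructed with `tempfile`.

```python
import os
import socket
import stat
import tempfile

SOCKET_NAME = "keylime.verifier.ipc"  # same file name as the notifier used under /tmp


def check_socket_dir(sock_dir):
    """Reject directories that another local user could write into (e.g. /tmp)."""
    st = os.lstat(sock_dir)
    if not stat.S_ISDIR(st.st_mode):
        raise RuntimeError(f"{sock_dir} is not a directory")
    if st.st_uid != os.geteuid():
        raise RuntimeError(f"{sock_dir} is not owned by the current user")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise RuntimeError(f"{sock_dir} is group- or world-writable")


def check_socket_path(sock_path):
    """Only a stale socket owned by us may be removed; anything else is refused."""
    try:
        st = os.lstat(sock_path)
    except FileNotFoundError:
        return
    if not stat.S_ISSOCK(st.st_mode) or st.st_uid != os.geteuid():
        raise RuntimeError(f"unexpected object staged at {sock_path}")
    os.unlink(sock_path)  # stale socket left behind by a previous run


def bind_notifier_socket(sock_dir, name=SOCKET_NAME):
    """Bind the revocation notifier socket only after both checks pass."""
    check_socket_dir(sock_dir)
    sock_path = os.path.join(sock_dir, name)
    check_socket_path(sock_path)
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    sock.bind(sock_path)
    return sock  # zmq would use the endpoint "ipc://" + sock_path


def demo():
    """Constructed scenario: private dir binds; a staged directory at the path is refused."""
    with tempfile.TemporaryDirectory() as d:  # mode 0700, owned by us
        sock = bind_notifier_socket(d)
        bound = stat.S_ISSOCK(os.lstat(sock.getsockname()).st_mode)
        sock.close()
        os.unlink(os.path.join(d, SOCKET_NAME))
        os.mkdir(os.path.join(d, SOCKET_NAME))  # simulate the blocking directory
        try:
            bind_notifier_socket(d)
            refused = False
        except RuntimeError:
            refused = True
    return bound, refused
```

The lstat-then-bind sequence is still racy inside a directory other users can write to, which is why the real fix is a directory only the service user can write, such as a dedicated path under /run, rather than a check bolted onto /tmp.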
Comment 1 Matthias Gerstner 2022-01-26 09:31:55 UTC
The issue has been confirmed by upstream and has been assigned CVE-2022-23950.
Comment 3 Matthias Gerstner 2022-01-28 09:34:25 UTC
The issue is now public via the following security advisory:

https://github.com/keylime/keylime/security/advisories/GHSA-9r9r-f8xc-m875
Comment 4 Gianluca Gabrielli 2022-02-18 09:53:01 UTC
Fixed in version 6.3.0 and both SLE-15-SP4 and Factory are updated.