Bugzilla – Bug 1201949
VUL-0: CVE-2022-37030: gromox: potential local privilege escalation
Last modified: 2022-08-05 07:58:26 UTC
During an audit of Gromox for inclusion in openSUSE Tumbleweed, a potential local privilege escalation was found as described in bsc#1200165.
The following report describes a local privilege escalation vulnerability in
Gromox version 1.27 (latest). The vulnerability probably applies to previous
versions as well, since it has to do with the way the application is packaged.
Gromox is the central groupware server component of grommunio. It is capable
of serving as a replacement for Microsoft Exchange and compatibles.
Among its many features, Gromox provides a PAM module to authenticate non-Gromox
processes to an authentication backend such as MySQL or LDAP. The PAM module
allows runtime loading of plugins, and its configuration lives in
`/etc/gromox/pam` or `/etc/gromox`.
The interaction between this PAM module, its runtime loading of plugins and
their configuration causes the vulnerability described in this report.
# The Vulnerability
The RPM spec file packages the `/etc/gromox` directory with ownership
`root:gromox` and mode 775, i.e. the directory is writeable by the unprivileged
The directory contains, among others, the configuration file for the PAM module.
When the authentication hook of the PAM module is invoked, the module loads the
`/etc/gromox/pam.cfg` configuration file, which can contain a path and a list of
filenames to be used to load plugins. The plugins are regular .so shared objects,
which the PAM module then loads and executes.
Any member of the `gromox` group can therefore make the PAM stack run arbitrary
code whenever the `pam_gromox.so` module executes.
Assuming that the PAM stack runs as root, as is likely, this means the
unprivileged `gromox` group can execute arbitrary code as root.
# Proof of Concept Exploit
Attached is a proof of concept setup that has been tested on current openSUSE
The only precondition for the exploit is that gromox is installed and a target
user is in the `gromox` group.
# Suggested Fix
In order to prevent privilege escalation, an unprivileged user cannot be allowed
to control paths and filenames that will be executed by other users (`root` in
the worst case).
Probably the best thing to do is to set the `/etc/gromox` folder ownership to
`root:root` and mode 755 rather than 775, and only allow privileged users
to modify the configuration.
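The following POSIX shell script is an added example, not code from the Gromox project or from the report above. It audits a configuration directory that a root-run component reads plugin paths from, the way `pam_gromox.so` reads `/etc/gromox/pam.cfg`, and flags the weak packaging described above (group-writable directory or files, or an owner other than root). It also carries the suggested fix as a function and a self-contained demo that builds a throwaway directory first with mode 775 and then with mode 755 to show that only the weak layout is flagged. The function names, the sample `pam.cfg` and the `%attr` spec line are assumptions of this example; it relies on GNU coreutils `stat -c`.

```shell
#!/bin/sh
# Added example; not code from the Gromox project or from the report above.
# Audits a configuration directory that a root-run component reads plugin
# paths from (in the report: pam_gromox.so reading /etc/gromox/pam.cfg).
# The weak packaging in the report is root:gromox with mode 775, which lets
# every member of the gromox group rewrite the config; the suggested fix is
# root:root with mode 755. Assumes GNU coreutils `stat` (the -c option).

# audit_path PATH EXPECTED_OWNER
# Prints one line per finding on PATH: group-writable, world-writable, or
# wrong owner. Prints nothing when PATH is acceptable.
audit_path() {
    path=$1
    expected_owner=$2
    mode=$(stat -c '%a' "$path")     # e.g. 775 or 2775
    owner=$(stat -c '%U' "$path")
    # Treat the mode as octal; the low three digits are owner, group, other.
    group_bits=$(( (0$mode >> 3) & 7 ))
    other_bits=$(( 0$mode & 7 ))
    [ $(( group_bits & 2 )) -eq 0 ] || echo "$path: mode $mode is group-writable"
    [ $(( other_bits & 2 )) -eq 0 ] || echo "$path: mode $mode is world-writable"
    [ "$owner" = "$expected_owner" ] || echo "$path: owned by $owner, expected $expected_owner"
}

# check_config_dir DIR [EXPECTED_OWNER]
# Audits DIR and every regular file below it. Returns 0 when there are no
# findings, otherwise prints them and returns 1.
check_config_dir() {
    dir=$1
    expected_owner=${2:-root}
    [ -d "$dir" ] || { echo "$dir: not a directory"; return 1; }
    findings=$(
        { echo "$dir"; find "$dir" -type f; } |
            while IFS= read -r p; do audit_path "$p" "$expected_owner"; done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# harden_config_dir DIR
# Applies the report's suggested fix (must run as root): the directory becomes
# root:root mode 0755 and no file below it stays group- or world-writable.
# File ownership and read bits are left alone, since config files may hold
# credentials that deliberately stay unreadable to "other".
# The equivalent RPM spec entry (assumed here) would be:
#     %attr(0755, root, root) %dir /etc/gromox
harden_config_dir() {
    dir=$1
    chown root:root "$dir"
    chmod 0755 "$dir"
    find "$dir" -type f -exec chmod go-w {} +
}

# demo_weak_vs_fixed
# Builds a throwaway directory (constructed sample, not a real Gromox install),
# first with the report's weak mode 775, then with the fixed mode 755, and
# checks that only the weak layout is flagged. The current user stands in for
# root as the expected owner because the demo does not run privileged.
demo_weak_vs_fixed() {
    me=$(id -un)
    d=$(mktemp -d) || return 1
    printf '# constructed sample config, not a real pam.cfg\n' > "$d/pam.cfg"
    chmod 775 "$d"; chmod 664 "$d/pam.cfg"
    echo "== weak layout (775 / 664) =="
    if check_config_dir "$d" "$me"; then rm -rf "$d"; return 1; fi   # must be flagged
    chmod 755 "$d"; chmod 644 "$d/pam.cfg"
    echo "== fixed layout (755 / 644) =="
    if ! check_config_dir "$d" "$me"; then rm -rf "$d"; return 1; fi  # must pass
    echo "fixed layout passes"
    rm -rf "$d"
}

# Run directly against a real directory: sh audit-config-dir.sh /etc/gromox
if [ $# -gt 0 ]; then
    check_config_dir "$1" && echo "$1: no findings"
fi
```

Run as an unprivileged user the audit already tells you whether a packaged config directory can be rewritten by its group; `harden_config_dir` is the one part that needs root, and it deliberately only strips write bits from files rather than resetting their modes, because a groupware config directory can contain backend credentials whose read permissions were chosen on purpose.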
The issue has been assigned CVE-2022-37030.
The CVE has been made public and the report has been posted to OSS.
Closing this as we are unaffected.