Bugzilla – Bug 906545
VUL-0: CVE-2014-8989: kernel-source: Linux user namespaces can bypass group-based restrictions
Last modified: 2018-05-11 14:53:22 UTC
Date: Mon, 17 Nov 2014 10:43:39 -0800
From: Andy Lutomirski <luto@amacapital.net>

This is a heads-up, as there is no fix right now.

On Linux, if you can unshare your user namespace (which is the case on many distributions), then you can map your fsuid and fsgid into the new namespace and, inside that namespace, drop all of your other groups. This may allow you to access files protected by POSIX ACLs as "other", even if the ACL should have prohibited it based on one of your supplementary group IDs.

This does not appear to allow you to violate negative sudoers group entries and the like, since sudo(8) would be confined to the user namespace as well and will therefore not gain privilege.

To those who care about credit: this was discovered by some combination of me, Theodore Ts'o, Eric Biederman, Alan Cox, and Casey Schaufler.

See here for some more discussion: http://thread.gmane.org/gmane.linux.man/7385/

Disabling CONFIG_USER_NS works around this issue.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8989
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-8989.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8989
http://thread.gmane.org/gmane.linux.man/7385/
I do not think any of SLES has USER_NS enabled. Even more true for TD branches
(In reply to Michal Hocko from comment #1)
> I do not think any of SLES has USER_NS enabled. Even more true for TD
> branches

Unfortunately, I don't think you are right:

$ for aa in origin/SLE11-SP4 origin/SLE11-SP1-LTSS origin/SLE11-SP1-TD origin/SLE11-SP2-LTSS origin/SLES10-SP1-TD origin/SLES10-SP3-TD origin/SLES10-SP4-LTSS origin/SLES10_SP2_LTSS origin/SLES10_SP3_LTSS origin/SLES9-SP3-TD origin/SLES9-SP4-LTSS SLE11-SP3 SLE12 master openSUSE-12.3 openSUSE-13.1 openSUSE-13.2 stable; do git grep USER_NS $aa -- config/x86_64/default; done
origin/SLE11-SP4:config/x86_64/default:CONFIG_USER_NS=y
origin/SLE11-SP1-LTSS:config/x86_64/default:CONFIG_USER_NS=y
origin/SLE11-SP1-TD:config/x86_64/default:CONFIG_USER_NS=y
origin/SLE11-SP2-LTSS:config/x86_64/default:CONFIG_USER_NS=y
SLE11-SP3:config/x86_64/default:CONFIG_USER_NS=y
SLE12:config/x86_64/default:CONFIG_USER_NS=y
master:config/x86_64/default:CONFIG_USER_NS=y
openSUSE-13.2:config/x86_64/default:CONFIG_USER_NS=y
stable:config/x86_64/default:CONFIG_USER_NS=y
I have just investigated and found no (accepted) patch yet...
The fixes are landing in stable. But it is a little fuzzy to me which exactly are needed:

Subject: mnt: Implicitly add MNT_NODEV on remount when it was implicitly added by mount
commit 3e1866410f11356a9fd869beb3e95983dc79c067 upstream.

Subject: mnt: Update unprivileged remount test
commit 4a44a19b470a886997d6647a77bb3e38dcbfa8c5 upstream.

Subject: umount: Disallow unprivileged mount force
commit b2f5d4dc38e034eecb7987e513255265ff9aa1cf upstream.

Subject: groups: Consolidate the setgroups permission checks
commit 7ff4d90b4c24a03666f296c3d4878cd39001e81e upstream.

Subject: userns: Document what the invariant required for safe unprivileged mappings.
commit 0542f17bf2c1f2430d368f44c8fcf2f82ec9e53e upstream.

Subject: userns: Don't allow setgroups until a gid mapping has been setablished
commit 273d2c67c3e179adb1e74f403d1e9a06e3f841b5 upstream.

Subject: userns: Don't allow unprivileged creation of gid mappings
commit be7c6dba2332cef0677fbabb606e279ae76652c3 upstream.

Subject: userns: Check euid no fsuid when establishing an unprivileged uid mapping
commit 80dd00a23784b384ccea049bfb3f259d3f973b9d upstream.

Subject: userns: Only allow the creator of the userns unprivileged mappings
commit f95d7918bd1e724675de4940039f2865e5eec5fe upstream.

Subject: userns: Rename id_map_mutex to userns_state_mutex
commit f0d62aec931e4ae3333c797d346dc4f188f454ba upstream.

Subject: userns: Add a knob to disable setgroups on a per user namespace basis
commit 9cc46516ddf497ea16e8d7cb986ae03a0f6b92f8 upstream.

Subject: userns: Allow setting gid_maps without privilege when setgroups is disabled
commit 66d2f338ee4c449396b6f99f5e75cd18eb6df272 upstream.

Subject: userns: Unbreak the unprivileged remount tests
commit db86da7cb76f797a1a8b445166a15cb922c6ff85 upstream.
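The report in comment #0 names a workaround (build the kernel without CONFIG_USER_NS) and the commit list above carries the upstream mitigation: once "userns: Add a knob to disable setgroups on a per user namespace basis" is in, a fixed kernel exposes /proc/<pid>/setgroups and only lets an unprivileged user write gid_map after setgroups has been set to "deny", so the group-drop described in comment #0 is no longer reachable. The following audit script is an added example for administrators checking a fleet of hosts; it is not part of this bug report or of the SUSE kernel tree. It assumes the running kernel's config is at /boot/config-$(uname -r) or /proc/config.gz, treats the presence of /proc/self/setgroups as the marker for the mitigation, and the verdict words (workaround, mitigated, exposed, unknown) are its own. "exposed" means both preconditions are present in the kernel, not that an exploit was confirmed; as comment #30 notes for SLE11-SP4, a 3.0 kernel with CONFIG_USER_NS=y still lacks the unprivileged unshare the report relies on, so read the verdict together with the kernel version.

```shell
#!/bin/sh
# Added audit helper (not from the bug report or the SUSE kernel tree).
# Classifies a host against CVE-2014-8989: is the CONFIG_USER_NS workaround
# in place, or does the kernel carry the per-namespace setgroups knob that
# gates unprivileged gid_map writes on a fixed kernel?

# Print the value of one CONFIG_ option in a plain-text kernel config:
# "y"/"m" as written, "n" for "# OPTION is not set", "absent" when the
# option does not occur at all, "unknown" when the file cannot be read.
config_value() {
    cfg="$1"; opt="$2"
    [ -n "$cfg" ] && [ -r "$cfg" ] || { echo unknown; return 0; }
    if grep -q "^$opt=" "$cfg"; then
        sed -n "s/^$opt=//p" "$cfg" | head -n 1
    elif grep -q "^# $opt is not set" "$cfg"; then
        echo n
    else
        echo absent
    fi
}

# True when the kernel exposes the setgroups knob. $1 overrides the proc
# root so the logic can be exercised against a constructed directory tree.
has_setgroups_knob() {
    [ -e "${1:-/proc}/self/setgroups" ]
}

# One-word verdict for a config file ($1) and a proc root ($2):
#   unknown     no readable config, cannot decide
#   workaround  CONFIG_USER_NS off (or predates the option): not reachable
#   mitigated   CONFIG_USER_NS on and the setgroups knob is present
#   exposed     CONFIG_USER_NS on and no knob: an unprivileged user can
#               establish a gid mapping and then drop supplementary groups
userns_verdict() {
    case "$(config_value "$1" CONFIG_USER_NS)" in
        unknown) echo unknown ;;
        y)
            if has_setgroups_knob "$2"; then echo mitigated; else echo exposed; fi
            ;;
        *) echo workaround ;;
    esac
}

# Locate the running kernel's config and print the verdict for this host.
# Every step degrades to "unknown" rather than failing.
main() {
    cfg="/boot/config-$(uname -r)"
    if [ ! -r "$cfg" ] && [ -r /proc/config.gz ]; then
        cfg=$(mktemp) && zcat /proc/config.gz > "$cfg" 2>/dev/null || cfg=""
    fi
    echo "kernel:         $(uname -r)"
    echo "CONFIG_USER_NS: $(config_value "$cfg" CONFIG_USER_NS)"
    echo "setgroups knob: $(has_setgroups_knob && echo present || echo absent)"
    echo "verdict:        $(userns_verdict "$cfg" /proc)"
}
main
```

Run it as any user; no privilege is needed because it only reads the config and tests for the knob's existence. To get the per-branch picture that comment #2 derives with git grep, point config_value at the checked-out config/x86_64/default of each branch instead of /boot.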
The patches are in SLE12 since:

commit c368df30ccf5d2d7a5f40a490299ba1f693e503d
Author: Jiri Slaby <jslaby@suse.cz>
Date:   Thu Jan 8 17:43:50 2015 +0100

    - Linux 3.12.36 (CVE-2014-8133 CVE-2014-9420 fate#315482 FATE#316917 LTC#114562 bnc#862374 bnc#891086 bnc#908163 bnc#908198 bnc#911325 bsc#909077).
In stable (factory) since:

commit 0fdb00f30db67e38a480e665b3ec88276e936a85
Author: Jiri Slaby <jslaby@suse.cz>
Date:   Wed Dec 17 10:59:36 2014 +0100

    - Linux 3.18.1.
(In reply to Jiri Slaby from comment #10)
> In stable (factory) since:
>
> commit 0fdb00f30db67e38a480e665b3ec88276e936a85

Nope, this one:

commit a393f37ca022e49a806afae34741434873db8170
Author: Jiri Slaby <jslaby@suse.cz>
Date:   Fri Jan 9 11:08:54 2015 +0100

    - Linux 3.18.2 (CVE-2014-8133 bnc#908163 bsc#909077).
SUSE-SU-2015:0178-1: An update that solves 5 vulnerabilities and has 59 fixes is now available.

Category: security (important)
Bug References: 800255,809493,829110,856659,862374,873252,875220,884407,887108,887597,889192,891086,891277,893428,895387,895814,902232,902346,902349,903279,903640,904053,904177,904659,904969,905087,905100,906027,906140,906545,907069,907325,907536,907593,907714,907818,907969,907970,907971,907973,908057,908163,908198,908803,908825,908904,909077,909092,909095,909829,910249,910697,911181,911325,912129,912278,912281,912290,912514,912705,912946,913233,913387,913466
CVE References: CVE-2014-3687,CVE-2014-3690,CVE-2014-8559,CVE-2014-9420,CVE-2014-9585
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src): kernel-docs-3.12.36-38.3, kernel-obs-build-3.12.36-38.2
SUSE Linux Enterprise Server 12 (src): kernel-source-3.12.36-38.1, kernel-syms-3.12.36-38.1
SUSE Linux Enterprise Desktop 12 (src): kernel-source-3.12.36-38.1, kernel-syms-3.12.36-38.1
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2015-04-01. When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/61308
openSUSE-SU-2016:0301-1: An update that solves 57 vulnerabilities and has 21 fixes is now available.

Category: security (important)
Bug References: 814440,851610,869564,873385,906545,907818,909077,909477,911326,912202,915517,915577,917830,918333,919007,919018,919463,919596,921313,921949,922583,922936,922944,926238,926240,927780,927786,928130,929525,930399,931988,932348,933896,933904,933907,933934,935542,935705,936502,936831,937032,937033,937969,938706,940338,944296,945825,947155,949936,950998,951194,951440,951627,952384,952579,952976,953052,953527,954138,954404,955224,955354,955422,956708,956934,957988,957990,958504,958510,958886,958951,959190,959399,959568,960839,961509,961739,962075
CVE References: CVE-2014-2568,CVE-2014-8133,CVE-2014-8989,CVE-2014-9090,CVE-2014-9419,CVE-2014-9529,CVE-2014-9683,CVE-2014-9715,CVE-2014-9728,CVE-2014-9729,CVE-2014-9730,CVE-2014-9731,CVE-2015-0272,CVE-2015-0777,CVE-2015-1420,CVE-2015-1421,CVE-2015-2041,CVE-2015-2042,CVE-2015-2150,CVE-2015-2666,CVE-2015-2830,CVE-2015-2922,CVE-2015-2925,CVE-2015-3212,CVE-2015-3339,CVE-2015-3636,CVE-2015-4001,CVE-2015-4002,CVE-2015-4003,CVE-2015-4004,CVE-2015-4036,CVE-2015-4167,CVE-2015-4692,CVE-2015-4700,CVE-2015-5157,CVE-2015-5283,CVE-2015-5307,CVE-2015-5364,CVE-2015-5366,CVE-2015-5707,CVE-2015-6937,CVE-2015-7550,CVE-2015-7799,CVE-2015-7833,CVE-2015-7872,CVE-2015-7885,CVE-2015-7990,CVE-2015-8104,CVE-2015-8215,CVE-2015-8543,CVE-2015-8550,CVE-2015-8551,CVE-2015-8552,CVE-2015-8569,CVE-2015-8575,CVE-2015-8767,CVE-2016-0728
Sources used:
openSUSE 13.1 (src): cloop-2.639-11.22.2, crash-7.0.2-2.22.2, hdjmod-1.28-16.22.2, ipset-6.21.1-2.26.2, iscsitarget-1.4.20.3-13.22.2, kernel-debug-3.11.10-32.1, kernel-default-3.11.10-32.1, kernel-desktop-3.11.10-32.1, kernel-docs-3.11.10-32.3, kernel-ec2-3.11.10-32.1, kernel-pae-3.11.10-32.1, kernel-source-3.11.10-32.1, kernel-syms-3.11.10-32.1, kernel-trace-3.11.10-32.1, kernel-vanilla-3.11.10-32.1, kernel-xen-3.11.10-32.1, ndiswrapper-1.58-22.1, pcfclock-0.44-258.22.1, vhba-kmp-20130607-2.23.1, virtualbox-4.2.36-2.55.1, xen-4.3.4_10-56.1, xtables-addons-2.3-2.22.1
openSUSE-SU-2016:0318-1: An update that solves 19 vulnerabilities and has 18 fixes is now available.

Category: security (important)
Bug References: 814440,906545,912202,921949,937969,937970,938706,944296,945825,949936,950998,951627,951638,952384,952579,952976,953527,954138,954404,955224,955354,955422,956708,956934,957988,957990,958504,958510,958886,958951,959190,959399,959568,960839,961509,961739,962075
CVE References: CVE-2014-8989,CVE-2014-9529,CVE-2015-5157,CVE-2015-5307,CVE-2015-6937,CVE-2015-7550,CVE-2015-7799,CVE-2015-7885,CVE-2015-7990,CVE-2015-8104,CVE-2015-8215,CVE-2015-8543,CVE-2015-8550,CVE-2015-8551,CVE-2015-8552,CVE-2015-8569,CVE-2015-8575,CVE-2015-8767,CVE-2016-0728
Sources used:
openSUSE 13.2 (src): bbswitch-0.8-3.15.1, cloop-2.639-14.15.1, crash-7.0.8-15.1, hdjmod-1.28-18.16.1, ipset-6.23-15.1, kernel-debug-3.16.7-32.1, kernel-default-3.16.7-32.1, kernel-desktop-3.16.7-32.1, kernel-docs-3.16.7-32.2, kernel-ec2-3.16.7-32.1, kernel-obs-build-3.16.7-32.2, kernel-obs-qa-3.16.7-32.1, kernel-obs-qa-xen-3.16.7-32.1, kernel-pae-3.16.7-32.1, kernel-source-3.16.7-32.1, kernel-syms-3.16.7-32.1, kernel-vanilla-3.16.7-32.1, kernel-xen-3.16.7-32.1, pcfclock-0.44-260.15.1, vhba-kmp-20140629-2.15.1, virtualbox-4.3.34-37.1, xen-4.4.3_08-38.1, xtables-addons-2.6-15.1
needinfos open for 1 year... hello?
not fixed in sles yet
Not that it matters, but it was apparently fixed in 13.2. Goldwyn, can you follow up on this?
SLE11-SP4 is the only one which needs this fix.
(In reply to Goldwyn Rodrigues from comment #29)
> SLE11-SP4 is the only one which needs this fix.

... but user namespaces did not mature until 3.8. Most of the functions and functionality are missing. So, we are good to close this without a fix in 11-SP4.
done