Bug 1150733 – VUL-0: CVE-2019-3689: nfs-utils: root-owned files stored in insecure /var/lib/nfs

Bug 1150733 - (CVE-2019-3689) VUL-0: CVE-2019-3689: nfs-utils: root-owned files stored in insecure /var/lib/nfs

(CVE-2019-3689)
Summary:	VUL-0: CVE-2019-3689: nfs-utils: root-owned files stored in insecure /var/lib...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P2 - High Severity: Major
Target Milestone:	---
Assigned To:	Neil Brown
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/242441/
Whiteboard:	CVSSv2:NVD:CVE-2019-3689:10.0:(AV:N/A...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2019-09-13 15:25 UTC by Malte Kraus
Modified:	2020-03-27 05:32 UTC (History)
CC List:	8 users (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Malte Kraus 2019-09-13 15:25:10 UTC

/var/lib/nfs is owned by statd:nogroup, I guess so that statd can create/move the subdirectories 'sm' and 'sm.bak'. However, the same directory also contains files owned and managed by root: 'etab', 'rmtab', 'v4recovery'. mountd running as root opens 'rmtab', while following symlinks. If statd is compromised, it can therefore trick mountd into creating/overwriting files anywhere on the system.

Other distributions seem to have solved this by having the directory /var/lib/nfs/ owned by root, and a sub-directory /var/lib/nfs/statd that holds all the data owned by statd.

Comment 1 Johannes Segitz 2019-09-16 12:06:51 UTC

This is CVE-2019-3689

Comment 2 Johannes Segitz 2019-09-16 14:02:48 UTC

Please ping me once this is public so I can publish the CVE  at the CVEproject

Comment 3 Neil Brown 2019-09-17 01:30:41 UTC

statd doesn't need write access to /var/lib/nfs, only to
/var/lib/nfs/sm and /var/lib/nfs/sm.bak
So we can change /var/lib/nfs to be root owned.

The uid that statd (And sm-notify) run under is chosen from the owner of /var/lib/nfs.  That needs to be changed, but is easily fixed to get the uid
from /var/lib/nfs/sm

I've updated Base:System/nfs-utils to reflect these changes.

Is there any problem with making this public?  Can I post my nfs-utils patch upstream?

Comment 4 Swamp Workflow Management 2019-09-17 02:00:06 UTC

This is an autogenerated message for OBS integration:
This bug (1150733) was mentioned in
https://build.opensuse.org/request/show/731364 Factory / nfs-utils

Comment 5 Malte Kraus 2019-09-17 13:46:33 UTC

Sure, I'm making the bug public.

Comment 6 Swamp Workflow Management 2019-09-23 02:50:06 UTC

This is an autogenerated message for OBS integration:
This bug (1150733) was mentioned in
https://build.opensuse.org/request/show/732555 Factory / nfs-utils

Comment 12 Swamp Workflow Management 2019-10-24 16:18:12 UTC

SUSE-SU-2019:2771-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1150733
CVE References: CVE-2019-3689
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    nfs-utils-1.3.0-41.3.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    nfs-utils-1.3.0-41.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 13 Swamp Workflow Management 2019-10-24 19:15:35 UTC

SUSE-SU-2019:2776-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1150733
CVE References: CVE-2019-3689
Sources used:
SUSE Linux Enterprise Module for Basesystem 15 (src):    nfs-utils-2.1.1-6.14.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 14 Swamp Workflow Management 2019-10-25 16:16:53 UTC

SUSE-SU-2019:2782-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1150733
CVE References: CVE-2019-3689
Sources used:
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    nfs-utils-2.1.1-10.4.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 15 Swamp Workflow Management 2019-10-25 16:24:11 UTC

SUSE-SU-2019:2781-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1150733
CVE References: CVE-2019-3689
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    nfs-utils-1.3.0-34.22.1
SUSE OpenStack Cloud 8 (src):    nfs-utils-1.3.0-34.22.1
SUSE OpenStack Cloud 7 (src):    nfs-utils-1.3.0-34.22.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    nfs-utils-1.3.0-34.22.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    nfs-utils-1.3.0-34.22.1
SUSE Linux Enterprise Server 12-SP5 (src):    nfs-utils-1.3.0-34.22.1
SUSE Linux Enterprise Server 12-SP4 (src):    nfs-utils-1.3.0-34.22.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    nfs-utils-1.3.0-34.22.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    nfs-utils-1.3.0-34.22.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    nfs-utils-1.3.0-34.22.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    nfs-utils-1.3.0-34.22.1
SUSE Linux Enterprise Desktop 12-SP5 (src):    nfs-utils-1.3.0-34.22.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    nfs-utils-1.3.0-34.22.1
SUSE Enterprise Storage 5 (src):    nfs-utils-1.3.0-34.22.1
SUSE Enterprise Storage 4 (src):    nfs-utils-1.3.0-34.22.1
SUSE CaaS Platform 3.0 (src):    nfs-utils-1.3.0-34.22.1
HPE Helion Openstack 8 (src):    nfs-utils-1.3.0-34.22.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 16 Swamp Workflow Management 2019-10-29 20:15:24 UTC

openSUSE-SU-2019:2408-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1150733
CVE References: CVE-2019-3689
Sources used:
openSUSE Leap 15.0 (src):    nfs-utils-2.1.1-lp150.4.10.1

Comment 17 Swamp Workflow Management 2019-11-05 20:16:50 UTC

openSUSE-SU-2019:2435-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1150733
CVE References: CVE-2019-3689
Sources used:
openSUSE Leap 15.1 (src):    nfs-utils-2.1.1-lp151.7.3.1

Comment 21 Neil Brown 2020-03-27 05:32:11 UTC

Fix is accepted, so closing.