Bugzilla – Bug 1150733
VUL-0: CVE-2019-3689: nfs-utils: root-owned files stored in insecure /var/lib/nfs
Last modified: 2020-03-27 05:32:11 UTC
/var/lib/nfs is owned by statd:nogroup, I guess so that statd can create/move the subdirectories 'sm' and 'sm.bak'. However, the same directory also contains files owned and managed by root: 'etab', 'rmtab', 'v4recovery'. mountd running as root opens 'rmtab', while following symlinks. If statd is compromised, it can therefore trick mountd into creating/overwriting files anywhere on the system. Other distributions seem to have solved this by having the directory /var/lib/nfs/ owned by root, and a sub-directory /var/lib/nfs/statd that holds all the data owned by statd.
This is CVE-2019-3689
Please ping me once this is public so I can publish the CVE at the CVEproject
statd doesn't need write access to /var/lib/nfs, only to /var/lib/nfs/sm and /var/lib/nfs/sm.bak. So we can change /var/lib/nfs to be root owned. The uid that statd (and sm-notify) run under is chosen from the owner of /var/lib/nfs. That needs to be changed, but is easily fixed to get the uid from /var/lib/nfs/sm. I've updated Base:System/nfs-utils to reflect these changes. Is there any problem with making this public? Can I post my nfs-utils patch upstream?
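The layout described in the comments above (a root-owned /var/lib/nfs, root-managed 'etab', 'rmtab' and 'v4recovery' that are not symlinks, and 'sm' / 'sm.bak' as real directories) can be checked on a host with a short audit. This is an added example, not part of the bug thread or of the nfs-utils patch; the function name, the `trusted_uid` parameter and the group/world-writable check are assumptions of the example.

```python
import os
import stat

# Entry names taken from the bug report; adjust if your distribution differs.
ROOT_ENTRIES = ("etab", "rmtab", "v4recovery")   # managed by root (mountd etc.)
STATD_DIRS = ("sm", "sm.bak")                    # the only places statd writes


def audit_nfs_state_dir(base="/var/lib/nfs", trusted_uid=0):
    """Return a list of findings; an empty list means the layout looks safe."""
    findings = []
    try:
        st = os.lstat(base)          # lstat: never follow a symlink while auditing
    except FileNotFoundError:
        return [f"{base}: missing"]
    if not stat.S_ISDIR(st.st_mode):
        return [f"{base}: not a real directory"]
    # The core issue: whoever owns the directory can replace entries in it.
    if st.st_uid != trusted_uid:
        findings.append(f"{base}: owned by uid {st.st_uid}, expected {trusted_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{base}: group/world writable")
    for name in ROOT_ENTRIES:
        path = os.path.join(base, name)
        try:
            est = os.lstat(path)
        except FileNotFoundError:
            continue                 # not created yet; nothing to check
        if stat.S_ISLNK(est.st_mode):
            findings.append(f"{path}: symlink -> {os.readlink(path)}")
        elif est.st_uid != trusted_uid:
            findings.append(f"{path}: owned by uid {est.st_uid}, expected {trusted_uid}")
    for name in STATD_DIRS:
        path = os.path.join(base, name)
        try:
            dst = os.lstat(path)
        except FileNotFoundError:
            continue
        if not stat.S_ISDIR(dst.st_mode):   # also catches a symlinked sm/sm.bak
            findings.append(f"{path}: not a real directory")
    return findings


if __name__ == "__main__":
    for finding in audit_nfs_state_dir():
        print(finding)
```

Run it as any user on the NFS host; output on an updated system should be empty.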
This is an autogenerated message for OBS integration: This bug (1150733) was mentioned in https://build.opensuse.org/request/show/731364 Factory / nfs-utils
Sure, I'm making the bug public.
This is an autogenerated message for OBS integration: This bug (1150733) was mentioned in https://build.opensuse.org/request/show/732555 Factory / nfs-utils
SUSE-SU-2019:2771-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1150733
CVE References: CVE-2019-3689
Sources used:
  SUSE Linux Enterprise Server for SAP 12-SP1 (src): nfs-utils-1.3.0-41.3.1
  SUSE Linux Enterprise Server 12-SP1-LTSS (src): nfs-utils-1.3.0-41.3.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:2776-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1150733
CVE References: CVE-2019-3689
Sources used:
  SUSE Linux Enterprise Module for Basesystem 15 (src): nfs-utils-2.1.1-6.14.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:2782-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1150733
CVE References: CVE-2019-3689
Sources used:
  SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): nfs-utils-2.1.1-10.4.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:2781-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1150733
CVE References: CVE-2019-3689
Sources used:
  SUSE OpenStack Cloud Crowbar 8 (src): nfs-utils-1.3.0-34.22.1
  SUSE OpenStack Cloud 8 (src): nfs-utils-1.3.0-34.22.1
  SUSE OpenStack Cloud 7 (src): nfs-utils-1.3.0-34.22.1
  SUSE Linux Enterprise Server for SAP 12-SP3 (src): nfs-utils-1.3.0-34.22.1
  SUSE Linux Enterprise Server for SAP 12-SP2 (src): nfs-utils-1.3.0-34.22.1
  SUSE Linux Enterprise Server 12-SP5 (src): nfs-utils-1.3.0-34.22.1
  SUSE Linux Enterprise Server 12-SP4 (src): nfs-utils-1.3.0-34.22.1
  SUSE Linux Enterprise Server 12-SP3-LTSS (src): nfs-utils-1.3.0-34.22.1
  SUSE Linux Enterprise Server 12-SP3-BCL (src): nfs-utils-1.3.0-34.22.1
  SUSE Linux Enterprise Server 12-SP2-LTSS (src): nfs-utils-1.3.0-34.22.1
  SUSE Linux Enterprise Server 12-SP2-BCL (src): nfs-utils-1.3.0-34.22.1
  SUSE Linux Enterprise Desktop 12-SP5 (src): nfs-utils-1.3.0-34.22.1
  SUSE Linux Enterprise Desktop 12-SP4 (src): nfs-utils-1.3.0-34.22.1
  SUSE Enterprise Storage 5 (src): nfs-utils-1.3.0-34.22.1
  SUSE Enterprise Storage 4 (src): nfs-utils-1.3.0-34.22.1
  SUSE CaaS Platform 3.0 (src): nfs-utils-1.3.0-34.22.1
  HPE Helion Openstack 8 (src): nfs-utils-1.3.0-34.22.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2019:2408-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1150733
CVE References: CVE-2019-3689
Sources used:
  openSUSE Leap 15.0 (src): nfs-utils-2.1.1-lp150.4.10.1
openSUSE-SU-2019:2435-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1150733
CVE References: CVE-2019-3689
Sources used:
  openSUSE Leap 15.1 (src): nfs-utils-2.1.1-lp151.7.3.1
Fix is accepted, so closing.