Bug 1150733 - (CVE-2019-3689) VUL-0: CVE-2019-3689: nfs-utils: root-owned files stored in insecure /var/lib/nfs
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P2 - High
Severity: Major
Assigned To: Neil Brown
Security Team bot
https://smash.suse.de/issue/242441/
CVSSv2:NVD:CVE-2019-3689:10.0:(AV:N/A...
Reported: 2019-09-13 15:25 UTC by Malte Kraus
Modified: 2020-03-27 05:32 UTC
Description Malte Kraus 2019-09-13 15:25:10 UTC
/var/lib/nfs is owned by statd:nogroup, I guess so that statd can create/move the subdirectories 'sm' and 'sm.bak'. However, the same directory also contains files owned and managed by root: 'etab', 'rmtab', 'v4recovery'. mountd running as root opens 'rmtab', while following symlinks. If statd is compromised, it can therefore trick mountd into creating/overwriting files anywhere on the system.

Other distributions seem to have solved this by having the directory /var/lib/nfs/ owned by root, and a sub-directory /var/lib/nfs/statd that holds all the data owned by statd.
Comment 1 Johannes Segitz 2019-09-16 12:06:51 UTC
This is CVE-2019-3689
Comment 2 Johannes Segitz 2019-09-16 14:02:48 UTC
Please ping me once this is public so I can publish the CVE at the CVEproject
Comment 3 Neil Brown 2019-09-17 01:30:41 UTC
statd doesn't need write access to /var/lib/nfs, only to /var/lib/nfs/sm and /var/lib/nfs/sm.bak.
So we can change /var/lib/nfs to be root owned.

The uid that statd (and sm-notify) run under is chosen from the owner of /var/lib/nfs. That needs to be changed, but is easily fixed to get the uid from /var/lib/nfs/sm.

I've updated Base:System/nfs-utils to reflect these changes.

Is there any problem with making this public?  Can I post my nfs-utils patch upstream?
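
An added example, not part of the bug thread or of nfs-utils: a Python audit of the layout discussed above. It flags a state directory that is not owned by the trusted uid, and root-managed files that are symlinks or owned by another uid. The function name and the `trusted_uid` parameter are assumptions of this sketch; the file names come from the description and comment 3.

```python
import os
import stat

# Names taken from the bug description (root-managed files) and comment 3 (statd dirs).
ROOT_MANAGED = ("etab", "rmtab", "v4recovery")
STATD_DIRS = ("sm", "sm.bak")


def audit_nfs_state_dir(path="/var/lib/nfs", trusted_uid=0):
    """Return a list of findings; an empty list means the layout looks sound."""
    try:
        top = os.lstat(path)
    except FileNotFoundError:
        return [f"{path}: missing"]
    if not stat.S_ISDIR(top.st_mode):
        return [f"{path}: not a real directory"]
    findings = []
    # Whoever owns or can write the directory can replace any entry in it.
    if top.st_uid != trusted_uid:
        findings.append(f"{path}: owned by uid {top.st_uid}, expected {trusted_uid}")
    if top.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path}: writable by group or others")
    for name in ROOT_MANAGED:
        entry = os.path.join(path, name)
        try:
            st = os.lstat(entry)  # lstat inspects the entry itself, not a link target
        except FileNotFoundError:
            continue
        if stat.S_ISLNK(st.st_mode):
            findings.append(f"{entry}: symlink to {os.readlink(entry)}")
        elif st.st_uid != trusted_uid:
            findings.append(f"{entry}: owned by uid {st.st_uid}, expected {trusted_uid}")
    for name in STATD_DIRS:
        entry = os.path.join(path, name)
        try:
            st = os.lstat(entry)
        except FileNotFoundError:
            continue
        # statd's own data may belong to statd, but must be a real directory.
        if not stat.S_ISDIR(st.st_mode):
            findings.append(f"{entry}: expected a directory, not a link or file")
    return findings


if __name__ == "__main__":
    for finding in audit_nfs_state_dir():
        print(finding)
```

Run as root on a host with nfs-utils installed, an empty result corresponds to the root-owned layout described in comment 3.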
Comment 4 Swamp Workflow Management 2019-09-17 02:00:06 UTC
This is an autogenerated message for OBS integration:
This bug (1150733) was mentioned in
https://build.opensuse.org/request/show/731364 Factory / nfs-utils
Comment 5 Malte Kraus 2019-09-17 13:46:33 UTC
Sure, I'm making the bug public.
Comment 6 Swamp Workflow Management 2019-09-23 02:50:06 UTC
This is an autogenerated message for OBS integration:
This bug (1150733) was mentioned in
https://build.opensuse.org/request/show/732555 Factory / nfs-utils
Comment 12 Swamp Workflow Management 2019-10-24 16:18:12 UTC
SUSE-SU-2019:2771-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1150733
CVE References: CVE-2019-3689
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    nfs-utils-1.3.0-41.3.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    nfs-utils-1.3.0-41.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Swamp Workflow Management 2019-10-24 19:15:35 UTC
SUSE-SU-2019:2776-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1150733
CVE References: CVE-2019-3689
Sources used:
SUSE Linux Enterprise Module for Basesystem 15 (src):    nfs-utils-2.1.1-6.14.1

Comment 14 Swamp Workflow Management 2019-10-25 16:16:53 UTC
SUSE-SU-2019:2782-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1150733
CVE References: CVE-2019-3689
Sources used:
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    nfs-utils-2.1.1-10.4.1

Comment 15 Swamp Workflow Management 2019-10-25 16:24:11 UTC
SUSE-SU-2019:2781-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1150733
CVE References: CVE-2019-3689
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    nfs-utils-1.3.0-34.22.1
SUSE OpenStack Cloud 8 (src):    nfs-utils-1.3.0-34.22.1
SUSE OpenStack Cloud 7 (src):    nfs-utils-1.3.0-34.22.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    nfs-utils-1.3.0-34.22.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    nfs-utils-1.3.0-34.22.1
SUSE Linux Enterprise Server 12-SP5 (src):    nfs-utils-1.3.0-34.22.1
SUSE Linux Enterprise Server 12-SP4 (src):    nfs-utils-1.3.0-34.22.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    nfs-utils-1.3.0-34.22.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    nfs-utils-1.3.0-34.22.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    nfs-utils-1.3.0-34.22.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    nfs-utils-1.3.0-34.22.1
SUSE Linux Enterprise Desktop 12-SP5 (src):    nfs-utils-1.3.0-34.22.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    nfs-utils-1.3.0-34.22.1
SUSE Enterprise Storage 5 (src):    nfs-utils-1.3.0-34.22.1
SUSE Enterprise Storage 4 (src):    nfs-utils-1.3.0-34.22.1
SUSE CaaS Platform 3.0 (src):    nfs-utils-1.3.0-34.22.1
HPE Helion Openstack 8 (src):    nfs-utils-1.3.0-34.22.1

Comment 16 Swamp Workflow Management 2019-10-29 20:15:24 UTC
openSUSE-SU-2019:2408-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1150733
CVE References: CVE-2019-3689
Sources used:
openSUSE Leap 15.0 (src):    nfs-utils-2.1.1-lp150.4.10.1
Comment 17 Swamp Workflow Management 2019-11-05 20:16:50 UTC
openSUSE-SU-2019:2435-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1150733
CVE References: CVE-2019-3689
Sources used:
openSUSE Leap 15.1 (src):    nfs-utils-2.1.1-lp151.7.3.1
Comment 21 Neil Brown 2020-03-27 05:32:11 UTC
Fix is accepted, so closing.