Bug 1199280 - (CVE-2022-21950) VUL-0: CVE-2022-21950: canna: unsafe handling of /tmp/.iroha_unix
(CVE-2022-21950)
VUL-0: CVE-2022-21950: canna: unsafe handling of /tmp/.iroha_unix
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/330992/
CVSSv3.1:SUSE:CVE-2022-21950:7.7:(AV:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2022-05-06 12:49 UTC by Matthias Gerstner
Modified: 2022-08-21 14:10 UTC (History)
6 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Matthias Gerstner 2022-05-06 12:49:22 UTC
The canna systemd service uses a publically accessible directory
/tmp/.iroha_unix for placing a UNIX domain socket in it. The socket is
accessible for all other users in the system.

canna ships a systemd-tmpfiles configuration file to create this directory at
boot time:

/usr/lib/tmpfiles.d/canna-tmpfiles.conf:

```
d /tmp/.iroha_unix 0755 root root -
```

This is necessary, because otherwise arbitrary users in the system could
pre-create this directory as long as cannaserver is not running, and
cannaserver would be using an unsafe directory for placing its socket.

cannaserver itself is attempting to create /tmp/.iroha_unix during startup but
tolerates if the directory already exists. It does not run a sanity check on
the permissions of this directory, however, so it will happily use an unsafe
one. cannaserver does *not* clean up an already existing socket in this
directory, however, it will fail to start instead if the socket already
exists.

The latter was the cause for bug 910933 which has been fixed by changing the
canna.service unit like this:

canna.service:

```
ExecPre=/bin/rm -rf /tmp/.iroha_unix
ExecStart=/usr/sbin/cannaserver -s -u wnn -r /var/lib/canna
ExecStopPost=/bin/rm -rf /tmp/.iroha_unix
```

This counteracts the initial idea of the systemd-tmpfiles configuration,
because now there exist time windows again when /tmp/.iroha_unix is *not*
existing, allowing other local users an attack.

I tested an exploit and it is easily possible to wait for /tmp/.iroha_unix to
be delete via `inotify_wait()` and then create a world-writable directory of
mode 777 but owned by the attacker in its stead. cannaserver will then create
its socket in the unsafe directory, the attacker can delete the socket again
and place its own fake socket there. This means the attacker can intercept
client connections and receive their input data and return back manipulated
data.

I will suggest a fix for this soon. A proper long-term fix is to to change the
directory to /run/canna, there arbitrary users won't be able to stage attacks.
For this the Canna.conf file in the build tree would need to be patched to
change the UnixSockDir setting appropriately.

In this form this is more like a SUSE specific bug. Upstream has no systemd
service files and doesn't seem to suggest any integration for Linux. The
default value for UnixSockDir is a bad one, however. Also there could be more
hardening like sanity checking the socket directory's permissions at startup.
Comment 1 Matthias Gerstner 2022-05-06 13:38:43 UTC
Created attachment 858707 [details]
draft patch to move socket directory to /run/canna
Comment 2 Matthias Gerstner 2022-05-06 13:39:24 UTC
The patch in attachment 858707 [details] is a suggestion on how to fix this.
Comment 3 Johannes Segitz 2022-05-09 13:25:13 UTC
Please use CVE-2022-21950
Comment 4 Hu 2022-05-11 09:29:56 UTC
Affected:
 - SUSE:SLE-12:Update/canna              3.7p3
 - openSUSE:Backports:SLE-15-SP3/canna   3.7p3
 - openSUSE:Backports:SLE-15-SP4/canna   3.7p3
 - openSUSE:Factory/canna                3.7p3
Comment 5 Matthias Gerstner 2022-05-12 07:36:11 UTC
(In reply to cathy.hu@suse.com from comment #4)
> Affected:
>  - SUSE:SLE-12:Update/canna              3.7p3

I don't think SLE-12 is affected, since the `ExecPre` and `ExecStopPost` lines
are missing from the service file there.
Comment 6 Hu 2022-05-12 08:01:04 UTC
Ah thanks, yes you are right. I made a mistake, SUSE:SLE-12:Update/canna is not affected.
Comment 7 Matthias Gerstner 2022-07-05 11:44:56 UTC
Can you please give a time estimation when you will be able to work on this?

According to our openSUSE disclosure policy there's a maximum of 90 days before we publish findings. This means if there is no fix until 2022-08-04 then we'll publish this bug an people will be vulnerable.
Comment 8 Matthias Gerstner 2022-07-05 11:46:24 UTC
Internal CRD: 2022-08-04 or earlier
Comment 9 Matthias Gerstner 2022-07-14 09:12:48 UTC
We now have a whitelisting restriction in place for systemd-tmpfiles
configruation files in openSUSE:Factory. Since canna has a security issue
involving this configuration file I did not whitelist it yet. Thus canna will
start to fail to build in Factory in the future.

In three weeks the embargo date will be reached at which time we will publish
this security issue regardless of whether there is a fix or not.
Comment 10 Matthias Gerstner 2022-08-04 07:58:31 UTC
Publishing this finding now. I will request to remove this package from
Factory as it won't be building any more anyway.

Please fix this issue, any of the maintainers can do it for Factory, qzhao
needs to do it for openSUSE:Backports in SLE.
Comment 11 Cliff Zhao 2022-08-08 16:30:24 UTC
Requests are in:
 - openSUSE:Backports:SLE-15-SP3/canna   3.7p3
   https://build.opensuse.org/request/show/993831

 - openSUSE:Backports:SLE-15-SP4/canna   3.7p3
   https://build.opensuse.org/request/show/993827

 - openSUSE:Factory/canna                3.7p3
   https://build.opensuse.org/request/show/993737
please review.
Comment 12 Swamp Workflow Management 2022-08-16 13:17:08 UTC
openSUSE-SU-2022:10090-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1199280
CVE References: CVE-2022-21950
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP3 (src):    canna-3.7p3-bp153.2.3.1
Comment 13 Swamp Workflow Management 2022-08-16 13:18:11 UTC
openSUSE-SU-2022:10091-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1199280
CVE References: CVE-2022-21950
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP4 (src):    canna-3.7p3-bp154.3.3.1
Comment 14 OBSbugzilla Bot 2022-08-19 08:40:02 UTC
This is an autogenerated message for OBS integration:
This bug (1199280) was mentioned in
https://build.opensuse.org/request/show/998071 Factory / xemacs-packages