[Bug 1032717] New: VUL-0: backintime: usage of deprecated unix-process polkit authorization subject opens a race condition during authorization
http://bugzilla.suse.com/show_bug.cgi?id=1032717

Bug ID: 1032717
Summary: VUL-0: backintime: usage of deprecated unix-process polkit authorization subject opens a race condition during authorization
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.2
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: masterpatricko@gmail.com
Reporter: matthias.gerstner@suse.com
QA Contact: qa-bugs@suse.de
CC: hrvoje.senjan@gmail.com, matthias.gerstner@suse.com
Found By: ---
Blocker: ---

backintime includes a DBus service helper 'qt/serviceHelper.py'. This helper uses polkit to authorize some of its APIs; they should only be accessible after entering the root password. The helper program uses the deprecated "unix-process" authorization subject for this purpose, however. This polkit authorization method is known to be affected by a "time of check, time of use" race condition:

https://www.freedesktop.org/software/polkit/docs/latest/PolkitUnixProcess.ht...
https://github.com/Kabot/Unix-Privilege-Escalation-Exploits-Pack/blob/master...

To exploit this issue an attacker needs to be able to replace the PID of the process that requests an affected polkit privilege with a root-owned process, just in time for polkitd to assume that the requesting process was privileged and no further password entry is required. In the worst case this could allow a regular user to add udev rules to the system that run commands in the context of the regular user, once a certain udev event occurs.

I don't think it is easily possible to gain root privileges this way. This is because the serviceHelper wraps the udev commands in a sudo call running as the user owning the requesting process. The determination of this identity is done in a different, more secure way.
I've proposed a fix to upstream that changes the authorization mechanism to "system-bus-name", which is considered safe and not affected by the described race condition:

https://github.com/bit-team/backintime/commit/7f208dc547f569b689c888103e3b59...

This issue was discovered by Sebastian Krahmer of the SUSE security team.

--
You are receiving this mail because: You are on the CC list for the bug.
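An added example, not backintime's serviceHelper.py nor the upstream commit, showing the authorization pattern the proposed fix moves to: the D-Bus helper asks polkitd with a "system-bus-name" subject built from the caller's unique bus name instead of a "unix-process" subject built from its PID. The polkit bus name, object path, interface and CheckAuthorization signature are polkit's real D-Bus API; the action id and the stub authority used when running it offline are constructed placeholders.

```python
"""Added example (not backintime's own code): authorize a D-Bus caller with
polkit via a 'system-bus-name' subject instead of the deprecated
'unix-process' subject from the bug report.

'unix-process' names the caller by PID; if that PID is re-pointed at a
root-owned process before polkitd inspects it, the check passes without a
password (TOCTOU).  With 'system-bus-name' polkitd asks the bus daemon about
the caller's unique connection name, which is never reused while the bus runs.
"""

POLKIT_BUS_NAME = "org.freedesktop.PolicyKit1"
POLKIT_AUTHORITY_PATH = "/org/freedesktop/PolicyKit1/Authority"
POLKIT_AUTHORITY_IFACE = "org.freedesktop.PolicyKit1.Authority"
ALLOW_USER_INTERACTION = 1  # CheckAuthorizationFlags: let polkit prompt for a password

def system_bus_name_subject(sender):
    """Polkit subject for the unique bus name of the D-Bus caller.

    'sender' is the unique name (e.g. ":1.42") that dbus-python passes to a
    service method declared with sender_keyword='sender'.  Unique names are
    never reused while the bus runs, unlike PIDs.
    """
    if not sender or not sender.startswith(":"):
        raise ValueError("expected the caller's unique bus name, got %r" % (sender,))
    return ("system-bus-name", {"name": sender})

def check_polkit_authorization(authority, sender, action_id):
    """Ask polkitd whether the caller behind 'sender' may perform 'action_id'.

    'authority' is any object with polkit's CheckAuthorization() method
    (a dbus.Interface proxy in production, a stub when testing offline).
    Returns True when authorized, raises PermissionError otherwise.
    """
    subject = system_bus_name_subject(sender)
    # CheckAuthorization(subject, action_id, details, flags, cancellation_id)
    # returns (is_authorized, is_challenge, details)
    is_authorized, is_challenge, _ = authority.CheckAuthorization(
        subject, action_id, {}, ALLOW_USER_INTERACTION, "")
    if not is_authorized:
        raise PermissionError("polkit denied %s for %s (challenge=%s)"
                              % (action_id, sender, bool(is_challenge)))
    return True

def connect_authority():
    """Proxy for the real polkit authority on the system bus (needs dbus-python)."""
    import dbus  # imported lazily so the functions above work without it
    proxy = dbus.SystemBus().get_object(POLKIT_BUS_NAME, POLKIT_AUTHORITY_PATH)
    return dbus.Interface(proxy, POLKIT_AUTHORITY_IFACE)
```

In a dbus-python service the method would be declared with sender_keyword='sender' and call check_polkit_authorization(connect_authority(), sender, action_id) before doing any privileged work.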
http://bugzilla.suse.com/show_bug.cgi?id=1032717#c1

--- Comment #1 from Matthias Gerstner <matthias.gerstner@suse.com> ---

This issue was found in the context of a general security review for backintime in bug 1007723. While this issue on its own is not of high severity, the following circumstances call for quick action:

- There are more minor and moderate issues like a possible DoS in the DBus service. I've created an upstream pull request addressing multiple issues: https://github.com/bit-team/backintime/pull/727. Updates should be submitted that contain all these fixes plus the patch from attachment 719151.

- Affected versions of backintime are currently in Factory, Leap 42.1 and Leap 42.2. All these versions contain the DBus service that was never approved by the security team. This was possible by suppressing the corresponding warnings in the package's rpmlintrc. Please submit fixed versions for Factory, Leap 42.1 and Leap 42.2!
Ludwig Nussel <lnussel@suse.com> changed:

  What | Removed | Added
  CC   |         | lnussel@suse.com
Swamp Workflow Management <swamp@suse.de> changed:

  What     | Removed   | Added
  Priority | P5 - None | P3 - Medium
Marcus Meissner <meissner@suse.com> changed:

  What    | Removed | Added
  CC      |         | meissner@suse.com
  Summary | VUL-0: backintime: usage of deprecated unix-process polkit authorization subject opens a race condition during authorization | VUL-0: CVE-2017-7572: backintime: usage of deprecated unix-process polkit authorization subject opens a race condition during authorization
  Alias   |         | CVE-2017-7572
http://bugzilla.suse.com/show_bug.cgi?id=1032717#c4

--- Comment #4 from Matthias Gerstner <matthias.gerstner@suse.com> ---

(In reply to masterpatricko@gmail.com from comment #2)
> Updated package is now in obs://Archiving:Backup/backintime.

Thank you for your effort. Looks good!

> Which comes first, the dbus service being added to the whitelist or a
> Factory submitrequest?

I will submit the whitelisting to Factory; once the #sr is there you can submit your package, too. Both submits can then be handled in the same Factory staging project. I will give you an update when you can do this.

> perhaps the submission predated the auto review of rpmlintrc's.

We've informed the review team of the situation and they want to investigate this issue. It's probably some loophole or regression in the checker logic.
http://bugzilla.suse.com/show_bug.cgi?id=1032717#c5

--- Comment #5 from Swamp Workflow Management <swamp@suse.de> ---

openSUSE-SU-2017:1124-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1007723, 1032717
CVE References: CVE-2017-7572
Sources used:
  openSUSE Leap 42.2 (src): backintime-1.1.20-3.3.1
  openSUSE Leap 42.1 (src): backintime-1.1.20-3.1
http://bugzilla.suse.com/show_bug.cgi?id=1032717#c6

--- Comment #6 from Bernhard Wiedemann <bwiedemann@suse.com> ---

This is an autogenerated message for OBS integration: This bug (1032717) was mentioned in https://build.opensuse.org/request/show/491831 Factory / rpmlint
http://bugzilla.suse.com/show_bug.cgi?id=1032717#c7

--- Comment #7 from Bernhard Wiedemann <bwiedemann@suse.com> ---

This is an autogenerated message for OBS integration: This bug (1032717) was mentioned in https://build.opensuse.org/request/show/492617 Factory / polkit-default-privs
http://bugzilla.suse.com/show_bug.cgi?id=1032717#c8

--- Comment #8 from Matthias Gerstner <matthias.gerstner@suse.com> ---

The whitelisting is now in Factory. Please submit backintime to Factory. Thank you.
Swamp Workflow Management <swamp@suse.de> changed:

  What       | Removed | Added
  Whiteboard |         | ibs:running:5537:low
http://bugzilla.suse.com/show_bug.cgi?id=1032717#c12

--- Comment #12 from Swamp Workflow Management <swamp@suse.de> ---

SUSE-RU-2017:2341-1: An update that has 19 recommended fixes can now be installed.

Category: recommended (low)
Bug References: 1004346, 1007053, 1007723, 1019748, 1032649, 1032717, 1033296, 1033554, 1034309, 1039290, 1039709, 1039848, 1049694, 846337, 917781, 984817, 987141, 996111, 997880
CVE References: (none)
Sources used:
  SUSE Linux Enterprise Software Development Kit 12-SP3 (src): rpmlint-1.5-41.3.1, rpmlint-mini-1.8-2.2.3
Swamp Workflow Management <swamp@suse.de> changed:

  What       | Removed              | Added
  Whiteboard | ibs:running:5537:low |