Bug 603382 (CVE-2017-16638) - <net-misc/vde-2.3.2-r4: privilege escalation via init script
Summary: <net-misc/vde-2.3.2-r4: privilege escalation via init script
Status: RESOLVED FIXED
Alias: CVE-2017-16638
Product: Gentoo Security
Classification: Unclassified
Component: Auditing
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL:
Whiteboard: B1 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-12-21 21:08 UTC by Michael Orlitzky
Modified: 2017-11-12 22:35 UTC
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---


Attachments
vde.init-r1 (vde.init-r1, 728 bytes, text/plain), 2017-08-18 23:38 UTC, Michael Orlitzky
vde.confd-r1 (vde.confd-r1, 258 bytes, text/plain), 2017-08-18 23:40 UTC, Michael Orlitzky

Description Michael Orlitzky gentoo-dev 2016-12-21 21:08:36 UTC
The init script for vde changes ownership of the /var/run/vde.ctl directory:

  VDE_SOCK_CHMOD="770"
  VDE_SOCK_CHOWN=":qemu"
  ...
  chmod -R ${VDE_SOCK_CHMOD} /var/run/vde.ctl
  chown -R ${VDE_SOCK_CHOWN} /var/run/vde.ctl

The first time around, that's probably safe. However, the second time around, root is using "chown" on files controlled by the qemu group, and that can unintentionally grant that group root access.

For example, if I add my local "mjo" user to the qemu group, and if I'm running vanilla-sources, I can do:

  while true; do \
    ln -f /run/ntpd.sock /var/run/vde.ctl/ctl; \
  done;

to repeatedly hard-link the vde socket to the root-owned ntpd socket (a silly choice, but avoids issues with cross-filesystem hardlink restrictions). If I start VDE while that loop is executing, the init script will call chown/chmod on my hardlink, and change the permissions of ntpd.sock:

  $ ls /run | grep ntpd
  -rw-r--r--  1 root     root        5 2016-12-20 17:06 ntpd.pid
  srwxrwx---  2 root     qemu        0 2016-12-20 17:06 ntpd.sock
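The contrast the report draws, as an added example that is not the Gentoo init script nor the attached vde.init-r1: a function using the recursive chmod/chown pattern quoted above beside a hardened variant that only ever touches the directory inode itself (no -R, refuses a symlinked path, creates the directory with the right mode when it is missing), plus a small audit helper that lists multi-linked entries inside the directory. The function names, the temporary tree and the planted "victim" file are all constructed for the demonstration; it uses the caller's own group so it runs without root.

```sh
#!/bin/sh
# Added example, not code from the bug report or from net-misc/vde.

# Pattern from the report: recursing into a directory whose contents a
# less-privileged group can populate means a hard link planted there has
# its mode and owner changed along with everything else.
unsafe_prepare() {
    dir=$1; mode=$2; group=$3
    chmod -R "$mode" "$dir"
    chown -R "$group" "$dir"
}

# Hardened variant: never recurse. Refuse a symlink, create the directory
# with the wanted mode if absent, then set mode/ownership on the directory
# inode only, so entries inside it (planted or not) are never touched.
safe_prepare() {
    dir=$1; mode=$2; group=$3
    if [ -L "$dir" ]; then
        echo "refusing: $dir is a symlink" >&2
        return 1
    fi
    [ -d "$dir" ] || mkdir -m "$mode" "$dir" || return 1
    chmod "$mode" "$dir" || return 1
    chown -h "$group" "$dir" || return 1
}

# Audit helper: non-directory entries with more than one hard link, i.e.
# the condition the report relies on.
find_multilinked() {
    find "$1" -mindepth 1 ! -type d -links +1 -print
}

# Octal permission bits, GNU stat first, BSD stat as fallback.
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"; }

# Walk through both variants on a constructed temp tree and report
# "<victim mode after unsafe> <victim mode after safe> <multi-linked count>".
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/sock"
    : > "$tmp/victim"; chmod 644 "$tmp/victim"
    ln "$tmp/victim" "$tmp/sock/ctl"        # hard link planted in the dir
    grp=$(id -g)                             # our own gid: no root needed

    unsafe_prepare "$tmp/sock" 770 ":$grp"
    after_unsafe=$(mode_of "$tmp/victim")    # victim altered through the link

    chmod 644 "$tmp/victim"
    safe_prepare "$tmp/sock" 770 ":$grp"
    after_safe=$(mode_of "$tmp/victim")      # victim left alone

    linked=$(find_multilinked "$tmp/sock" | wc -l | tr -d ' ')
    rm -rf "$tmp"
    echo "$after_unsafe $after_safe $linked"
}
```

Running `demo` prints `770 644 1`: the recursive form rewrote the victim's mode through the planted link, the non-recursive form did not, and the audit helper flagged the one multi-linked entry. In a real service script the socket directory would be created once by root and the daemon left to create its sockets with the desired group and mode, rather than fixing ownership up afterwards.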
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-12-22 18:05:40 UTC
@mjo: Please keep in mind that assigning aliases to CC on security related bug reports does not grant anyone access, and as such should not be used.

For the rest of the report, please see also bug 540006 for similar hardening in checkpath, which mitigates this attack, and which also includes discussion of the kernel mitigation in gentoo-sources for this attack.
Comment 2 Michael Orlitzky gentoo-dev 2017-08-18 23:38:50 UTC
Created attachment 489566
vde.init-r1
Comment 3 Michael Orlitzky gentoo-dev 2017-08-18 23:40:21 UTC
Created attachment 489568
vde.confd-r1

Here are two reworked init.d/conf.d files that I think do the right thing, and are a lot cleaner (and without this vulnerability).

Can the maintainer please take a look? I'm not a user of vde myself so I may have missed something subtle.
Comment 4 Michael Orlitzky gentoo-dev 2017-08-18 23:44:52 UTC
It looks like this got new maintainers since I filed the bug. Jorge, please see if my init script could work.
Comment 5 Adam Feldman gentoo-dev 2017-09-20 22:26:58 UTC
commit 6f1fcfa83b146bdca6c5def233e63c14a0c89d7d (HEAD -> master, origin/master, origin/HEAD)
Author: NP-Hardass <NP-Hardass@gentoo.org>
Date:   Wed Sep 20 18:04:09 2017 -0400

    profiles: base/package.use.mask package.mask: Drop net-misc/vde masks

    Acked-By: mjo@gentoo.org
    Bug: https://bugs.gentoo.org/603382

commit 26fdd489e493639d3ecc5bfb58175cb04828c15b
Author: NP-Hardass <NP-Hardass@gentoo.org>
Date:   Wed Sep 20 17:57:57 2017 -0400

    net-misc/vde: Drop vulnerable versions

    Bug: https://bugs.gentoo.org/603382
    Package-Manager: Portage-2.3.8, Repoman-2.3.3

commit bd4f1fb99926525dd935c37f4ec35fd963d43e4a
Author: NP-Hardass <NP-Hardass@gentoo.org>
Date:   Wed Sep 20 17:57:05 2017 -0400

    net-misc/vde: 2.3.2-r4 stable for amd64, x86

    Package-Manager: Portage-2.3.8, Repoman-2.3.3

commit 487449d882b95ff9d88657746ee835553e461a27
Author: NP-Hardass <NP-Hardass@gentoo.org>
Date:   Wed Sep 20 17:48:21 2017 -0400

    net-misc/vde: Revbump to 2.3.2-r4, EAPI bump

    Acked-By: mjo@gentoo.org
    Bug: https://bugs.gentoo.org/603382
    Package-Manager: Portage-2.3.8, Repoman-2.3.3

Only waiting on a ppc stabilization to bring it back to where it was, pre-mask.
Comment 6 Michael Orlitzky gentoo-dev 2017-09-29 16:56:32 UTC
This is all good (thanks to np-hardass), can it please be made public so that I can reference it in the CVE request?
Comment 7 Michael Orlitzky gentoo-dev 2017-10-24 21:16:06 UTC
(In reply to Michael Orlitzky from comment #6)
> This is all good (thanks to np-hardass), can it please be made public so
> that I can reference it in the CVE request?

Ping =)
Comment 8 Adam Feldman gentoo-dev 2017-10-24 22:59:08 UTC
(In reply to NP-Hardass from comment #5)
> commit 6f1fcfa83b146bdca6c5def233e63c14a0c89d7d (HEAD -> master,
> origin/master, origin/HEAD)
> Author: NP-Hardass <NP-Hardass@gentoo.org>
> Date:   Wed Sep 20 18:04:09 2017 -0400
> 
>     profiles: base/package.use.mask package.mask: Drop net-misc/vde masks
> 
>     Acked-By: mjo@gentoo.org
>     Bug: https://bugs.gentoo.org/603382
> 
> commit 26fdd489e493639d3ecc5bfb58175cb04828c15b
> Author: NP-Hardass <NP-Hardass@gentoo.org>
> Date:   Wed Sep 20 17:57:57 2017 -0400
> 
>     net-misc/vde: Drop vulnerable versions
> 
>     Bug: https://bugs.gentoo.org/603382
>     Package-Manager: Portage-2.3.8, Repoman-2.3.3
> 
> commit bd4f1fb99926525dd935c37f4ec35fd963d43e4a
> Author: NP-Hardass <NP-Hardass@gentoo.org>
> Date:   Wed Sep 20 17:57:05 2017 -0400
> 
>     net-misc/vde: 2.3.2-r4 stable for amd64, x86
> 
>     Package-Manager: Portage-2.3.8, Repoman-2.3.3
> 
> commit 487449d882b95ff9d88657746ee835553e461a27
> Author: NP-Hardass <NP-Hardass@gentoo.org>
> Date:   Wed Sep 20 17:48:21 2017 -0400
> 
>     net-misc/vde: Revbump to 2.3.2-r4, EAPI bump
> 
>     Acked-By: mjo@gentoo.org
>     Bug: https://bugs.gentoo.org/603382
>     Package-Manager: Portage-2.3.8, Repoman-2.3.3
> 
> Only waiting on a ppc stabilization to bring it back to where it was,
> pre-mask

I should clarify that we dropped stable keywords for ppc in the interim.  We shouldn't be waiting on anything to move forward, AFAICT.
Comment 9 Michael Orlitzky gentoo-dev 2017-11-06 22:53:43 UTC
This was assigned CVE-2017-16638 so I think it's ready for security@ to finish up.
Comment 10 D'juan McDonald (domhnall) 2017-11-07 02:30:19 UTC
CVE-2017-16638 (https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16638):
The Gentoo net-misc/vde package before version 2.3.2-r4 may allow members of the "qemu" group to gain root privileges by creating a hard link in a directory on which "chown" is called recursively by the OpenRC service script.


@maintainer(s), proceed with stable-bot for: =net-misc/vde: Revbump to 2.3.2-r4

@security, Summary changed. Whiteboard changed. Severity changed. Vote changed.

Personally, I have never used the package either. Change set attributes to object.


Gentoo Security Padawan:
(jmbailey/mbailey_j)
Comment 11 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-11-07 14:12:27 UTC
Thank you all,

New GLSA Request filled.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2017-11-12 22:35:24 UTC
This issue was resolved and addressed in GLSA 201711-11 at https://security.gentoo.org/glsa/201711-11 by GLSA coordinator Christopher Diaz Riveros (chrisadr).