Bug 638186 (CVE-2017-16882) - <net-analyzer/icinga-1.14.2: root privilege escalation via insecure permissions
Summary: <net-analyzer/icinga-1.14.2: root privilege escalation via insecure permissions
Status: RESOLVED FIXED
Alias: CVE-2017-16882
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://github.com/Icinga/icinga-core...
Whiteboard: B1 [glsa+ cve]
Duplicates: 629282
Reported: 2017-11-19 21:52 UTC by Michael Orlitzky
Modified: 2020-07-27 00:28 UTC (History)
Runtime testing required: ---

Attachments
proposed patch (icinga.patch, 4.73 KB, patch), 2017-11-22 02:54 UTC, Matthew Thode (prometheanfire)

Description Michael Orlitzky gentoo-dev 2017-11-19 21:52:09 UTC
Finally, your icinga-1.x counterpart to bug 629380. The problem here is the same as it was with nagios, except you have a few more affected files thanks to ido2db. From the summary,

  Icinga installs two sets of files with insecure permissions: after 
  installation, the executables and the configuration files are all
  owned by the same unprivileged user and group (typically, icinga)
  that the daemon runs as. In one attack, the unprivileged user simply
  replaces the icinga executable with one that does his bidding. A
  slightly more complicated attack can be mounted by the unprivileged
  user by scheduling a malicious service check and then altering icinga.cfg
  to execute that check as root.

  The ido2db daemon and its sample configuration file have the same issue. 

And the tl;dr is to install everything as root:root unless icinga needs to write to it at runtime (not a lot of places). You can see how I fixed this for nagios-core by diffing nagios-core-4.3.3.ebuild against nagios-core-4.3.4.ebuild, but the new src_install in v4.3.4 is pretty easy to read, and you might be better off doing src_install from scratch.

As with nagios-core, we'll have to tell users how to secure their existing installations, because portage won't overwrite the existing owner/group.
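Since portage will not re-own files on an existing install, here is an added example (not code from the bug, the ebuild, or the Icinga project) that audits a file listing for exactly the ownership pattern described above. It assumes the daemon user and group are both "icinga" and that the runtime-writable paths it allowlists match a Gentoo-style layout; both are assumptions to adjust.

```shell
# Added example, not the bug's or the ebuild's own code: audit an Icinga 1.x
# install for the CVE-2017-16882 pattern (executables/config owned or writable
# by the unprivileged daemon user/group). Input: "path owner group mode" lines,
# e.g. from: find /usr/sbin/icinga /usr/sbin/ido2db /etc/icinga -printf '%p %u %g %m\n'
# Assumptions: daemon user/group "icinga"; runtime-writable paths are a guess.
DAEMON_USER=icinga
DAEMON_GROUP=icinga

# Paths the daemon must write at runtime (spool, state, logs): assumed list.
is_runtime_path() {
    case "$1" in
        /var/lib/icinga*|/var/log/icinga*|/var/spool/icinga*|/run/icinga*) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 when the daemon cannot replace the entry, 1 when it can.
# Args: path owner group mode (octal, as printed by find %m)
entry_is_safe() {
    path=$1 owner=$2 group=$3 mode=$4
    is_runtime_path "$path" && return 0
    [ "$owner" = "$DAEMON_USER" ] && return 1            # owner can chmod/replace
    [ "$group" = "$DAEMON_GROUP" ] && [ $(( 0$mode & 020 )) -ne 0 ] && return 1
    [ $(( 0$mode & 002 )) -ne 0 ] && return 1           # world-writable
    return 0
}

# Reads the listing on stdin, prints each unsafe entry, exits 1 if any found.
audit_listing() {
    bad=0
    while read -r path owner group mode; do
        [ -z "$path" ] && continue
        entry_is_safe "$path" "$owner" "$group" "$mode" && continue
        echo "UNSAFE $path ($owner:$group $mode)"
        bad=$((bad + 1))
    done
    [ "$bad" -eq 0 ]
}

# Constructed sample listing mimicking a pre-1.14.2 install plus some safe files.
SAMPLE='/usr/sbin/icinga icinga icinga 755
/usr/sbin/ido2db icinga icinga 755
/etc/icinga/icinga.cfg icinga icinga 644
/etc/icinga/ido2db.cfg root icinga 664
/etc/icinga/eventhandlers root root 755
/var/lib/icinga/rw icinga icinga 2710
/var/log/icinga/icinga.log icinga icinga 644'
printf '%s\n' "$SAMPLE" | audit_listing ||
    echo "Fix: chown root:root the listed files (as the 1.14.2 ebuild does)"
```

On a live system, pipe the real find output into audit_listing instead of the constructed sample; ido2db.cfg is flagged even though root owns it, because group-write by the daemon's group is enough to rewrite it.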
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2017-11-22 02:22:06 UTC
At least with icinga the src_install installs unstripped by default, but working on it now.
Comment 2 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2017-11-22 02:54:44 UTC
Created attachment 505596 [details, diff]
proposed patch

I don't run icinga anymore (moved entirely to icinga2), not sure who to get to test this at this point, but everything is moved to root:root like nagios.
Comment 3 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2017-12-03 03:35:02 UTC
OK, committed it as a revbump to 1.14.0, but as this isn't the best tested I'll wait a month before asking for stable.
Comment 4 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2017-12-03 15:38:46 UTC
prometheanfire:
Here's an issue I see:
fowners icinga:icinga /etc/icinga/eventhandlers
Is later overwritten by
fowners -R root:root /etc/icinga/

If eventhandlers doesn't need icinga:icinga, just kill that first line?
Comment 5 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2017-12-03 17:55:20 UTC
Doesn't seem like a hard issue, but it should be simplified, I'll comment it out for now though.
Comment 6 Michael Orlitzky gentoo-dev 2017-12-05 01:29:52 UTC
*** Bug 629282 has been marked as a duplicate of this bug. ***
Comment 7 Michael Orlitzky gentoo-dev 2017-12-26 23:56:20 UTC
Most of the permissions/ownership should be fixed in the latest v1.14.2, so that you no longer need to run fperms/fowners a million times.
Comment 8 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2017-12-30 17:38:33 UTC
1.14.2 is stable and the old bad versions are removed.

cleaned up, removing me from cc
Comment 9 D'juan McDonald (domhnall) 2019-07-17 02:46:39 UTC
Clean up done... @security please proceed.

Keywords for net-analyzer/icinga:
       |                               a   |       |  
       |                               m   |       |  
       |                               d x |       |  
       |                               6 8 |       |  
       |                               4 6 |   u   |  
       | a a   a     p r           s   | | |   n   |  
       | l m   r i   p i   h m s   p m f f | e u s | r
       | p d a m a p c s x p 6 3   a i b b | a s l | e
       | h 6 r 6 6 p 6 c 8 p 8 9 s r p s s | p e o | p
       | a 4 m 4 4 c 4 v 6 a k 0 h c s d d | i d t | o
-------+-----------------------------------+-------+-------
1.14.2 | o + ~ o o + + o + ~ o o o o o o o | 6 o 0 | gentoo
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2020-07-27 00:28:31 UTC
This issue was resolved and addressed in
 GLSA 202007-31 at https://security.gentoo.org/glsa/202007-31
by GLSA coordinator Sam James (sam_c).