Bug 1002375 (CVE-2013-4288)

Summary: CVE-2013-4288 polkit: unix-process subject for authorization is racy
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: NEW ---
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: berrange, carnil, cfergeau, eblake, hdegoede, jdenemar, jkurik, jlieskov, jrusnack, kay, lpoetter, mitr, pmatouse, pvrabec, security-response-team, walters, zeuthen
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=important,public=20130918,reported=20130828,source=distros,cvss2=6.9/AV:L/AC:M/Au:N/C:C/I:C/A:C,rhel-6/polkit=affected,rhel-7/polkit=notaffected,fedora-all/polkit=affected,cwe=CWE-362
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1005135, 1006262, 1006264, 1009538    
Bug Blocks: 1002376    
Attachments (description, flags):
polkit patch
spice-gtk patch
hplip patch
rtkit patch
systemd.patch (flags: none)

Description Vincent Danen 2013-08-29 00:02:35 EDT
Sebastian Krahmer reported a race condition in the polkit unix-process subject for authorization. It depended on the (PID, startup_time) pair to be passed to polkit, which then used /proc/PID/status to find the UID the process belongs to. A local attacker could exploit this issue via a polkit-enabled application, by starting a suid or pkexec process, changing the euid and/or uid at will. This could result in bypassing polkit authorizations or even privilege escalation in some cases.
Comment 11 Huzaifa S. Sidhpurwala 2013-09-08 23:09:49 EDT
Created attachment 795472 [details]
polkit patch
Comment 12 Huzaifa S. Sidhpurwala 2013-09-08 23:11:39 EDT
Created attachment 795473 [details]
spice-gtk patch

Instead of using polkit_unix_process_new(), which can be racy, spice-gtk is modified to use polkit_unix_process_new_for_owner().
Comment 13 Huzaifa S. Sidhpurwala 2013-09-08 23:13:53 EDT
Created attachment 795474 [details]
hplip patch

hplip invokes polkit via D-Bus; the patch passes system-bus-name as the subject, not the pid, to polkit.
Comment 14 Huzaifa S. Sidhpurwala 2013-09-08 23:15:57 EDT
Created attachment 795475 [details]
rtkit patch

Pass the uid of the caller to polkit.
Comment 15 Huzaifa S. Sidhpurwala 2013-09-08 23:16:34 EDT
Created attachment 795476 [details]
Comment 16 Huzaifa S. Sidhpurwala 2013-09-08 23:32:43 EDT
As per polkit documentation:

"polkit applications are applications using the polkit authority as a decider component. They do this by installing a .policy file into the /usr/share/polkit-1/actions directory and communicating with the polkit authority at runtime (either via the D-Bus API or indirectly through the libpolkit-gobject-1 library or the pkcheck command)."

So the attached polkit patch attempts to address this issue in all three ways by which the polkit authority is invoked.

1. libpolkit-gobject-1:
polkit_unix_process_new() is deprecated, and polkit_unix_process_new_for_owner() should now be used in its place. This way we avoid a race condition if the parent execve()s a setuid program.

2. dbus API:
Modify the D-Bus API to accept system-bus-name as the subject, not the pid.

3. pkcheck:
Modify pkcheck: support --process=pid,start-time,uid.

Based on the above changes, consumers of polkit using the affected APIs are also changed.

spice-gtk: uses polkit_unix_process_new(); changed to now use polkit_unix_process_new_for_owner().

hplip/rtkit/systemd: used D-Bus; modified to use the new D-Bus syntax.

libvirt: uses pkcheck; modified to use the newer pkcheck syntax. Major changes were made to incorporate the new change.
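The following is an added example, not code from polkit, the attached patches or any of the consumers named in this bug. It models the subject-resolution step behind this flaw on constructed /proc text: a subject identified only by (pid, start_time) is resolved to whatever uid /proc reports at the moment of the check, whereas a subject that also carries the owner uid (the shape of polkit_unix_process_new_for_owner() and of pkcheck --process=pid,start-time,uid) can be refused when /proc no longer agrees with what the caller observed. The /proc/PID/stat and /proc/PID/status field layouts follow proc(5); the pid, start time, uids and process names in the samples are made up for the example, and the helper names (Subject, parse_stat, parse_status_uid, resolve_uid, demo) are this example's own.

```python
# Added example, not polkit's or the patched consumers' code. It models why a
# (pid, start_time) subject is racy and how carrying the owner uid closes the
# gap. All /proc text below is constructed; field positions follow proc(5).
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Subject:
    pid: int
    start_time: int            # field 22 of /proc/PID/stat, clock ticks since boot
    uid: Optional[int] = None  # owner uid asserted by the caller; None = old racy shape


def parse_stat(stat_text: str) -> Tuple[int, int]:
    """Return (pid, start_time) from one /proc/PID/stat line.

    comm (field 2) is parenthesised and may contain spaces, so fields are
    counted from the last ')' rather than by a naive whitespace split.
    """
    pid_str, rest = stat_text.split(" ", 1)
    after_comm = rest[rest.rindex(")") + 1:].split()
    # after_comm[0] is field 3 (state), so field 22 (starttime) is index 19
    return int(pid_str), int(after_comm[19])


def parse_status_uid(status_text: str) -> Tuple[int, int]:
    """Return (real_uid, effective_uid) from the Uid: line of /proc/PID/status."""
    for line in status_text.splitlines():
        if line.startswith("Uid:"):
            real, effective = line.split()[1:3]
            return int(real), int(effective)
    raise ValueError("no Uid: line in status text")


def resolve_uid(subject: Subject, stat_text: str, status_text: str) -> Optional[int]:
    """Resolve the uid an authority would attribute to subject, or None to refuse.

    Without subject.uid the result is simply what /proc reports now. If the
    process exec'd a setuid image and changed its uids after the caller looked,
    pid and start_time are unchanged, so the lookup still matches and the new
    uid is attributed to the old identity (the CWE-362 window). With
    subject.uid, a mismatch against /proc is refused instead.
    """
    pid, start_time = parse_stat(stat_text)
    if (pid, start_time) != (subject.pid, subject.start_time):
        return None  # pid was reused by a different process
    real_uid, _effective_uid = parse_status_uid(status_text)
    if subject.uid is None:
        return real_uid  # racy: trusts whatever /proc says right now
    if subject.uid != real_uid:
        return None  # owner changed after the caller captured it: refuse
    return real_uid


# Constructed snapshots of the same pid before and after it exec's a setuid
# program and switches its uids. start_time (987654) survives the exec.
STAT_BEFORE = ("4242 (helper app) S 1 4242 4242 0 -1 4194560 120 0 0 0 3 2 0 0 "
               "20 0 1 0 987654 12345678 300 18446744073709551615")
STATUS_BEFORE = "Name:\thelper app\nPid:\t4242\nUid:\t1000\t1000\t1000\t1000\n"
STAT_AFTER = ("4242 (setuid-tool) S 1 4242 4242 0 -1 4194560 120 0 0 0 3 2 0 0 "
              "20 0 1 0 987654 22345678 400 18446744073709551615")
STATUS_AFTER = "Name:\tsetuid-tool\nPid:\t4242\nUid:\t0\t0\t0\t0\n"


def demo() -> dict:
    """Compare the two subject shapes against the before/after snapshots."""
    racy = Subject(pid=4242, start_time=987654)
    owned = Subject(pid=4242, start_time=987654, uid=1000)
    return {
        "racy_before": resolve_uid(racy, STAT_BEFORE, STATUS_BEFORE),    # 1000
        "racy_after": resolve_uid(racy, STAT_AFTER, STATUS_AFTER),       # 0: wrong identity accepted
        "owned_before": resolve_uid(owned, STAT_BEFORE, STATUS_BEFORE),  # 1000
        "owned_after": resolve_uid(owned, STAT_AFTER, STATUS_AFTER),     # None: refused
    }


if __name__ == "__main__":
    for name, uid in demo().items():
        print(f"{name}: {uid}")
```

The same principle is what makes the system-bus-name subject safe for the D-Bus consumers in this bug: the bus daemon already holds the caller's credentials from the socket, so the authority asks the bus for the uid instead of re-reading /proc for a pid that may since have become something else.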
Comment 17 Colin Walters 2013-09-09 17:19:10 EDT
(In reply to Huzaifa S. Sidhpurwala from comment #11)
> Created attachment 795472 [details]
> polkit patch

Note I recommend that clients only update with patches 1 and 2 here - 3 and 4 are merely cleanups that I want to do as a separate step.  Or really, only patch 2 is needed.

I've updated my git repository to reflect that by moving 1,3,4 to a separate cleanups/ directory.
Comment 20 Huzaifa S. Sidhpurwala 2013-09-11 01:51:50 EDT

The components described in Comment #16 are also affected by this flaw. They have been assigned separate CVEs as per the following:

CVE-2013-4311 libvirt: insecure calling of polkit via libgobject API
CVE-2013-4324 spice-gtk: use of insecure polkit libgobject-1 API
CVE-2013-4325 hplip: use of insecure polkit DBUS API
CVE-2013-4326 rtkit: use of insecure polkit DBUS API
CVE-2013-4327 systemd: use of insecure polkit DBUS API
Comment 21 Murray McAllister 2013-09-16 23:59:14 EDT

Red Hat would like to thank Sebastian Krahmer of the SUSE Security Team for reporting this issue.
Comment 22 Vincent Danen 2013-09-18 11:07:37 EDT
This is now public:

Comment 23 Vincent Danen 2013-09-18 11:24:12 EDT
Created polkit tracking bugs for this issue:

Affects: fedora-all [bug 1009538]
Comment 24 errata-xmlrpc 2013-09-19 14:10:14 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:1270 https://rhn.redhat.com/errata/RHSA-2013-1270.html
Comment 25 Fedora Update System 2013-09-20 12:22:34 EDT
polkit-0.112-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 26 Fedora Update System 2013-09-22 00:28:04 EDT
polkit-0.107-6.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 27 Fedora Update System 2013-09-22 20:12:24 EDT
polkit-0.112-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.