Bug 1192565 (CVE-2014-8169)

Summary: CVE-2014-8169 autofs: priv escalation via interpreter load path for program based automount maps
Product: [Other] Security Response
Reporter: Kurt Seifried <kseifried>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: carnil, huzaifas, ikent, jrusnack, security-response-team, slawomir, yoyang
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was found that program-based automounter maps that used interpreted languages such as Python would use standard environment variables to locate and load modules of those languages. A local attacker could potentially use this flaw to escalate their privileges on the system.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-11-20 04:35:52 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1160446, 1162041, 1197971
Bug Blocks: 1192566, 1193283, 1210268

Description Kurt Seifried 2015-02-13 17:46:20 UTC
The Georgia Institute of Technology reports:

When a program map uses an interpreted language like python it's
possible to load and execute arbitrary code from a user home directory.
This is because the standard environment variables are used to locate
and load modules when using these languages.

To avoid that we need to add a prefix to these environment names so
they aren't used for this purpose. The prefix used is "AUTOFS_" and
is not configurable.
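The mechanism and the fix described in the report, as an added illustration that is not autofs code and not part of this bug report: the automounter, running as root, hands the requesting user's attributes to the map program through environment variables; under their conventional names an interpreter treats the user's home directory as its own and consults it for modules, while under AUTOFS_-prefixed names nothing in the interpreter looks at them. The exact set of variables autofs exports, the list of interpreter-sensitive names, and the user "alice" with home "/home/alice" are assumptions constructed for the example; the user-site path mirrors CPython's Linux layout.

```python
import os
import sys

# Prefix the fix applies to the variables the automounter exports to a program
# map. The report states it is "AUTOFS_" and not configurable.
AUTOFS_PREFIX = "AUTOFS_"

# Variable names an interpreter consults when locating modules or a per-user
# module directory. Illustrative assumption for this example, not a list taken
# from autofs.
INTERPRETER_SENSITIVE = frozenset(
    {"HOME", "PYTHONPATH", "PYTHONUSERBASE", "PYTHONSTARTUP", "PERL5LIB", "RUBYLIB"}
)


def legacy_map_env(user, home, daemon_env):
    """Pre-fix behaviour (constructed): the requesting user's attributes are
    exported under their conventional names, so an interpreter started for the
    map program treats that user's home directory as its own."""
    env = dict(daemon_env)
    env["USER"] = user
    env["HOME"] = home
    return env


def hardened_map_env(user, home, daemon_env):
    """Post-fix behaviour: the same information reaches the map program only
    under AUTOFS_-prefixed names, which no interpreter looks for. Any
    interpreter-sensitive variable inherited from the daemon is dropped too."""
    env = {k: v for k, v in daemon_env.items() if k not in INTERPRETER_SENSITIVE}
    env[AUTOFS_PREFIX + "USER"] = user
    env[AUTOFS_PREFIX + "HOME"] = home
    return env


def audit_map_env(env):
    """Return the interpreter-sensitive names present without the prefix, i.e.
    the variables an interpreter run from this environment would honour.
    Useful as a check on the environment a map program actually receives."""
    return sorted(name for name in env if name in INTERPRETER_SENSITIVE)


def python_user_site(env):
    """Mirror of where CPython's site module looks for per-user packages on
    Linux under the given environment: PYTHONUSERBASE if set, otherwise
    $HOME/.local (expanduser honours HOME). Returns None when no
    user-controlled directory would be consulted."""
    base = env.get("PYTHONUSERBASE")
    if base is None:
        home = env.get("HOME")
        if not home:
            return None
        base = os.path.join(home, ".local")
    return os.path.join(
        base, "lib", "python%d.%d" % sys.version_info[:2], "site-packages"
    )


# Constructed sample: a lookup triggered by user "alice" while automount runs
# as root with a minimal daemon environment.
DAEMON_ENV = {"PATH": "/usr/sbin:/usr/bin", "LANG": "C"}
LEGACY = legacy_map_env("alice", "/home/alice", DAEMON_ENV)
HARDENED = hardened_map_env("alice", "/home/alice", DAEMON_ENV)

if __name__ == "__main__":
    print("legacy honours:", audit_map_env(LEGACY), "->", python_user_site(LEGACY))
    print("hardened honours:", audit_map_env(HARDENED), "->", python_user_site(HARDENED))
```

With the legacy environment the per-user site directory under /home/alice is on the interpreter's module path for a process running as root; with the prefixed environment the map program can still read AUTOFS_HOME if it needs the value, but the interpreter itself never sees HOME.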

Comment 3 Ian Kent 2015-02-27 06:06:24 UTC
(In reply to Huzaifa S. Sidhpurwala from comment #2)
> 
> This issue affects the version of autofs as shipped with Red Hat Enterprise
> Linux 5. Red Hat Enterprise Linux 5 is now in Extended Life Cycle phase of
> the support and maintenance life cycle. This issue is not currently planned
> to be addressed in future updates. For additional information, refer to the
> Red Hat Enterprise Linux Life Cycle:
> https://access.redhat.com/support/policy/updates/errata/.

This is not so.
RHEL 5 is not affected by this issue.

Comment 5 Kurt Seifried 2015-03-02 19:17:24 UTC
Acknowledgement:

Red Hat would like to thank the Georgia Institute of Technology for reporting this issue.

Comment 8 Huzaifa S. Sidhpurwala 2015-03-25 05:06:31 UTC
Statement:

This issue does not affect the version of autofs package as shipped with Red Hat Enterprise Linux 5.

Comment 9 errata-xmlrpc 2015-07-22 06:51:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:1344 https://rhn.redhat.com/errata/RHSA-2015-1344.html

Comment 13 errata-xmlrpc 2015-11-19 13:00:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:2417 https://rhn.redhat.com/errata/RHSA-2015-2417.html