Bug 1362545 (CVE-2016-5425)

Summary: CVE-2016-5425 tomcat: Local privilege escalation via systemd-tmpfiles service
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aileenc, asantos, aszczucz, bbaranow, bdawidow, bmaxwell, ccoleman, cdewolf, chazlett, csutherl, dandread, darran.lofthouse, dedgar, dmcphers, dosoudil, felias, fnasser, gvarsami, hfnukal, hhorak, jason.greene, jawilson, jclere, jcoleman, jdoyle, jgoulding, jialiu, joelsmith, jokerman, jolee, jorton, jpallich, jshepherd, kanderso, kconner, ldimaggi, lgao, lmeyer, mbabacek, mbaluch, miburman, mizdebsk, mmccomas, mnewsome, mschmidt, mweiler, myarboro, netwiz, nobody+bgollahe, nwallace, ohudlick, pavelp, pgier, psakar, pslavice, rnetuka, rsvoboda, rwagner, rzima, security-response-team, spinder, tcunning, theute, tkirby, ttarrant, twalsh, vhalbert, vtunka, weli
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
It was discovered that the Tomcat packages installed configuration file /usr/lib/tmpfiles.d/tomcat.conf writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2016-10-10 20:44:16 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1362567, 1362568, 1383210    
Bug Blocks: 1362547    

Description Adam Mariš 2016-08-02 13:16:44 UTC 
It was reported that Tomcat packages in Red Hat Enterprise Linux 7 are vulnerable to local privilege escalation from tomcat group user to root. Tomcat configuration file located at /usr/lib/tmpfiles.d/tomcat.conf can be modified by any user belonging to tomcat group. This file is used by /usr/bin/systemd-tmpfiles service to create temporary files.

As the systemd-tmpfiles service runs with root permissions, this enables the tomcat user to gain root privileges by editing the /usr/lib/tmpfiles.d/tomcat.conf file to contain a line which will cause the systemd-tmpfiles to create files within arbitrary system directory and arbitrary permissions.

External Reference:

http://legalhackers.com/advisories/Tomcat-RedHat-based-Root-Privilege-Escalation-Exploit.txt
Comment 1 Adam Mariš 2016-08-02 13:17:37 UTC 
Acknowledgments:

Name: Dawid Golunski (http://legalhackers.com)
Comment 9 Adam Mariš 2016-10-10 08:14:44 UTC 
Created tomcat tracking bugs for this issue:

Affects: fedora-all [bug 1383210]
Comment 10 Adam Mariš 2016-10-10 08:15:40 UTC 
Public via:

http://seclists.org/oss-sec/2016/q4/78
Comment 11 Steven Haigh 2016-10-10 09:19:53 UTC 
Out of interest, would SELinux policy prevent the tomcat user from writing to this file anyway?
Comment 12 Michal Schmidt 2016-10-10 09:38:56 UTC 
I'm afraid it won't. Query the SELinux policy:

$ sesearch --allow -s tomcat_t -t lib_t -c file -p write
Found 1 semantic av rules:
   allow files_unconfined_type file_type : file { [...] write [...] } ;

It appears tomcat_t has the files_unconfined_type attribute, which means the SELinux policy puts very little restrictions on it.
Comment 13 errata-xmlrpc 2016-10-10 20:41:21 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2046 https://rhn.redhat.com/errata/RHSA-2016-2046.html