Bug 1552641 (CVE-2018-7738)

Summary: CVE-2018-7738 util-linux: Shell command injection in unescaped bash-completed mount point names
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerability Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecified CC: carnil, jonathan, kzak, rschiron, slawomir, yozone
Target Milestone: --- Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: util-linux 2.32-rc1 Doc Type: If docs needed, set a value
Doc Text:
A command injection flaw was found in the way util-linux implements umount autocompletion in Bash. An attacker with the ability to mount a filesystem with custom mount points may execute arbitrary commands on behalf of the user who triggers the umount autocompletion.
Last Closed: 2018-03-15 08:47:17 UTC Type: ---
Bug Depends On: 1552642, 1555306    
Bug Blocks: 1552647    

Description Pedro Sampaio 2018-03-07 13:24:06 UTC
In util-linux before 2.32-rc1, bash-completion/umount does not correctly escape
special characters embedded in mountpoint names, which may allow an attacker to
execute arbitrary shell commands on behalf of the victim user by mounting
filesystems in specially crafted mountpoints. For the vulnerability to be
triggered, the victim user has to use autocompletion while running the
umount command.

An attacker may be able to mount filesystems with custom mountpoints by
connecting a USB device with a crafted Volume name, by using UDisks2, FUSE or
with the help of desktop environments.

Upstream issue:

https://github.com/karelzak/util-linux/issues/539

Upstream patch:

https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55

References:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179
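
A defensive check for the condition described above, as an added example that is not part of the original bug report or of util-linux: it flags mount point names containing characters that a shell would re-interpret. The function names and sample mount points are constructed for illustration, and the character set is an assumption about what counts as risky, not the list used by the upstream patch.

```shell
#!/bin/sh
# Added example (not util-linux code): audit mount point names for shell
# metacharacters before they reach completion scripts or other shell code.

# is_risky_mountpoint NAME: succeeds if NAME contains a character that a
# shell treats as expansion, substitution, separator, redirection or quote.
# The character set below is an assumption chosen for this example.
is_risky_mountpoint() {
    case $1 in
        *'$'*|*'`'*|*';'*|*'&'*|*'|'*|*'<'*|*'>'*|*'('*|*')'*) return 0 ;;
        *'"'*|*"'"*|*'*'*|*'?'*|*'['*) return 0 ;;
    esac
    return 1
}

# scan_mountpoints: read one mount target per line on stdin, print the
# risky ones, and return non-zero if at least one was found.
scan_mountpoints() {
    found=0
    while IFS= read -r target; do
        if is_risky_mountpoint "$target"; then
            printf 'RISKY: %s\n' "$target"
            found=1
        fi
    done
    [ "$found" -eq 0 ]
}

# Constructed sample input; the quoted heredoc keeps every name literal.
sample_targets() {
    cat <<'EOF'
/
/boot
/run/media/alice/BACKUP
/run/media/alice/vol$(true)
/run/media/alice/`true`
/run/media/alice/My Photos
EOF
}

# Stand-alone run over the constructed sample.
sample_targets | scan_mountpoints || echo "risky mount point names found"
```

On a live system the same scan can be fed with `findmnt -lno TARGET | scan_mountpoints`.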

Comment 1 Pedro Sampaio 2018-03-07 13:24:35 UTC
Created util-linux tracking bugs for this issue:

Affects: fedora-all [bug 1552642]

Comment 2 Karel Zak 2018-03-08 09:23:25 UTC
Well, it's pretty poor design if we have a system component (udisks?) which is able to blindly create a mountpoint according to a request from an unprivileged user.

This is impossible without udisks, because the standard way is to specify the mountpoint in fstab, and the system admin has full control over the mountpoint name.

Comment 3 Riccardo Schirone 2018-03-08 14:55:18 UTC
I wasn't able to reproduce the issue on Fedora/RHEL as specified in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179, because udisks2 uses polkit for authorization checks and, on Fedora 27 and RHEL 7.4, the polkit action for "org.freedesktop.udisks2.filesystem-mount-system" requires admin authentication.

I'm still investigating if there are other ways to have the same result, but for sure udisks2 is used when you insert a USB device and in that case it does not require any authentication to mount the filesystem.

Comment 4 Karel Zak 2018-03-09 12:53:22 UTC
I didn't try to reproduce this issue -- I read the Debian report only.

The problem is not authentication; the core of the problem is the mountpoint (directory) name. It's bad if an unprivileged user has full control over this.

From my point of view it's a strange report. The core of the problem is something other than the bash-completion script. Unfortunately, nobody talked about it with upstream before the CVE allocation...

The bash-completion script is fixed now; are all the other (3rd-party) scripts fixed too? I don't think so...

Thanks for the investigation, let's hope we're better than Debian :-)

Comment 7 Riccardo Schirone 2018-03-15 08:46:45 UTC
Statement:

This issue did not affect the versions of util-linux as shipped with Red Hat Enterprise Linux 5, 6 and 7 as they did not include support for umount autocompletion.