Bug 1697473

Summary: NetworkManager: Incorrect whitespace filtering on the NAME attribute leading to code execution
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: atragler, bgalvani, dcbw, fgiudici, gnome-sig, john.j5live, lkundrak, lrintel, mclasen, rhughes, rkhan, rschiron, rstrode, sandmann, security-response-team, sukulkar, thaller
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-04-16 14:32:38 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1697474    

Description Andrej Nemec 2019-04-08 13:37:13 UTC 
With write permissions on the folder/etc/syconfig/network-scripts an authenticated user can execute code on the local machine to gain root access by abusing this vulnerability in NetworkManager. Network Manager is not filtering the NAME attribute in network-scripts which follows in code execution as root user.
Comment 1 Thomas Haller 2019-04-08 14:30:41 UTC 
is there more information about this? This description is not enough (for me) to understand the issue.
Comment 4 Thomas Haller 2019-04-09 06:42:39 UTC 
From the provided information, this does not look like a NetworkManager bug.


As the attacker requires root permissions, the severity of this is not high to begin with.

Regardless of that, NetworkManager *MUST* not execute code from ifcfg-files and this is something that we very much would want to fix.


But I don't see how that could be happening. Please provide more information how to reproduce this.


Note that initscripts indeed do execute the ifcfg files as shell scripts (by sourcing them). That means any of

    - ifup eth1
    - systemctl restart network.service
    - boot with network.service enabled

lets initscripts execute ifcfg files as scripts. The bug very much apply to initscripts: initscripts execute the ifcfg as shell scripts. There is no surprise there and not a vulnerability (since only root can write these files).

The question is, whether NetworkManager does that too (it MUST not!).

So, when reproducing the issue, please make sure that initscripts are not enabled (or that it's really NetworkManager executing the code).
Comment 5 Thomas Haller 2019-04-16 09:19:51 UTC 
rschirone reproduced the issue.

If you craft malicious ifcfg files, then /etc/NetworkManager/dispatcher.d/11-dhclient will source them. Even with network.service disabled.

It's clear that network.service sources/executes ifcfg files are shell scripts. That is how initscripts work at their core.
I find it unfortunate, that "dhcp-client" package installs a dispatcher scripts that also does that -- even with "network.service" disabled.


Note when NetworkManager writes ifcfg files to disk, it aims to preserve preexisting content of the file (like comments and shell variables it doesn't understand). However, it takes special care that the resulting file only contains comments, empty lines, and assignment of shell variables. That is, it will comment out lines that would be executable code: https://cgit.freedesktop.org/NetworkManager/NetworkManager/tree/src/settings/plugins/ifcfg-rh/shvar.c?id=f917fabde40f36332ab1d15d89eaaaa49cd9482f#n1427
Comment 6 Lubomir Rintel 2019-04-16 14:07:14 UTC 
Just so that it's absolutely clear: This is *not* a security issue.

Writing arbitrary ifcfg files is a privileged action and only a super-user can do that. There's no privilege escalation.

That's how about all /etc/sysconfig/ files worked in pre-systemd times (they were sourced by the init scripts), and that users now find that unexpected is progress of a kind. For RHEL 8 we default to using an internal DHCP client instead of dhcp-client, getting rid of this antiquated behavior.

This should be closed with NOTABUG.
Comment 7 Riccardo Schirone 2019-04-16 14:32:38 UTC 
Making the bug public because it was already made public by the reporter at https://seclists.org/fulldisclosure/2019/Apr/24 .

As previously said, this is not a flaw, since files in /etc/sysconfig/network-script are correctly protected by being owned by root and writable by root only. I'm closing this bug report as NOTABUG for the reasons mentioned in comment 4, comment 5 and comment 6.