Bug 1705340 (CVE-2019-10143)

Summary: CVE-2019-10143 freeradius: privilege escalation due to insecure logrotate configuration
Product: [Other] Security Response Reporter: Marian Rehak <mrehak>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: ascheel, dpal, kdudka, lemenkov, nikolai.kondrashov, pkis, rharwood
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
It was discovered freeradius does not correctly configure logrotate, allowing a local attacker who already has control of the radiusd user to escalate his privileges to root, by tricking logrotate into writing a radiusd-writable file to a directory normally inaccessible by the radiusd user.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-11-06 00:52:38 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1705343, 1719368, 1719369    
Bug Blocks: 1705341    

Description Marian Rehak 2019-05-02 06:06:39 UTC 
A reverse-shell facilitating situation due to insecure logrotate configuration leading to privilege escalation.
Comment 1 Marian Rehak 2019-05-02 06:14:12 UTC 
Created freeradius tracking bugs for this issue:

Affects: fedora-all [bug 1705343]
Comment 3 Riccardo Schirone 2019-05-23 14:30:39 UTC 
It is possible for the radiusd user to abuse logrotate to write files in directories normally writable only by root (or other users). freeradius uses logrotate to rotate its logs, but if the radiusd user replaces its log directory with a link to another directory, he could writes file in directories where he normally could not write, possibly leading to code execution as root.

Given the attack can be performed only from the radiusd user, Privilege Required(PR) in CVSSv3 is set to High(H).
Moreover, if SELinux is enabled it restricts the set of directories the attacker can writes to.
Comment 5 Riccardo Schirone 2019-05-23 15:14:27 UTC 
Upstream patch:
https://github.com/FreeRADIUS/freeradius-server/pull/2666
Comment 7 Riccardo Schirone 2019-05-28 16:21:21 UTC 
Mitigation:

Add `su radiusd:radiusd` to all log sections in /etc/logrotate.d/radiusd.

By keeping SELinux in "Enforcing" mode, radiusd user will be limited in the directories he can write to.
Comment 8 Riccardo Schirone 2019-06-04 07:51:54 UTC 
Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=1705143
Comment 9 Riccardo Schirone 2019-06-11 15:26:32 UTC 
Red Hat Enterprise Linux 5, 6, 7, and 8 are all affected as the logrotate configuration does not use `su radiusd:radiusd` to copy files as the radiusd user.
Comment 11 Riccardo Schirone 2019-06-11 15:32:41 UTC 
This flaw requires an attacker to already have control of the radiusd server to perform the attack. However, an attacker who was able to execute code as the radiusd user (e.g. by exploiting a code execution flaw in the radius server) can run the attack and elevate his privileges to root.
Comment 13 errata-xmlrpc 2019-11-05 20:40:18 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3353 https://access.redhat.com/errata/RHSA-2019:3353
Comment 14 Product Security DevOps Team 2019-11-06 00:52:38 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-10143
Comment 15 errata-xmlrpc 2020-09-29 20:20:27 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:3984 https://access.redhat.com/errata/RHSA-2020:3984