Bug 2167743 (CVE-2022-37704)

Summary: CVE-2022-37704 amanda: rundump: crafted arguments can lead to local privilege escalation
Product: [Other] Security Response Reporter: TEJ RATHI <trathi>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: jridky, pcahyna
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Amanda. The `rundump` SUID binary executes /usr/sbin/dump as root without properly validating its arguments, possibly leading to escalation of privileges from the regular user "amandabackup" to root.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2168796, 2168789, 2168790, 2168791, 2168792, 2168793, 2168794, 2168795    
Bug Blocks: 2167399    

Description TEJ RATHI 2023-02-07 12:42:35 UTC 
Amanda 3.5.1 has a flaw that allows privilege escalation from the regular user backup to root. The SUID binary located at /lib/amanda/rundump will execute /usr/sbin/dump as root with controlled arguments from the attacker which may lead to escalation of privileges, denial of service, and information disclosure.

https://github.com/MaherAzzouzi/CVE-2022-37704
https://github.com/zmanda/amanda/issues/192
https://marc.info/?l=amanda-hackers&m=167437716918603&w=2
Comment 1 Sandipan Roy 2023-02-10 04:44:43 UTC 
Created amanda tracking bugs for this issue:

Affects: fedora-all [bug 2168789]
Comment 3 Pavel Cahyna 2023-02-10 13:02:33 UTC 
I believe the discussion under https://bugzilla.redhat.com/show_bug.cgi?id=2167744#c4 applies equally here.
Comment 4 Mauro Matteo Cascella 2023-02-27 16:24:19 UTC 
Upstream PRs & commits:

https://github.com/zmanda/amanda/pull/197
https://github.com/zmanda/amanda/commit/e890d08e16ea0621966a7ae35cce53ccb44a472e
https://github.com/zmanda/amanda/commit/ecf1d6e82a7d0ffe0a826a40a6d6ce4c112fea67

https://github.com/zmanda/amanda/pull/205
https://github.com/zmanda/amanda/pull/205/commits/b930189c06290a23aba177687b2f123590323be1
Comment 6 Mauro Matteo Cascella 2023-02-27 18:11:49 UTC 
In reply to comment #3:
> I believe the discussion under
> https://bugzilla.redhat.com/show_bug.cgi?id=2167744#c4 applies equally here.

To back this up:

el8 ~ $ dnf install amanda-client
el8 ~ $ ls -l /usr/lib64/amanda/rundump
-rwsr-x---. 1 root disk 17208 Aug 12  2018 /usr/lib64/amanda/rundump