Bug 2257722 (CVE-2024-22365)
| Summary: | CVE-2024-22365 pam: allowing unprivileged user to block another user namespace | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Patrick Del Bello <pdelbell> |
| Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | security-response-team |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | pam 1.6.0 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A vulnerability was found in Linux PAM. An unprivileged user that is not yet in a corresponding mount namespace with ~/tmp mounted as a polyinstantiated dir can place a FIFO there, and a subsequent attempt to login as this user with `pam_namespace` configured will cause the `openat()` in `protect_dir()` to block the attempt, causing a local denial of service.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 2257717 | ||
Upstream fix: https://github.com/linux-pam/linux-pam/commit/031bb5a5d0d950253b68138b498dc93be69a64cb This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:2438 https://access.redhat.com/errata/RHSA-2024:2438 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:3163 https://access.redhat.com/errata/RHSA-2024:3163 |
The pam_namespace module allows to setup "polyinstantiated directories" when setting up a user's session during login. The typical example is setting up a private /tmp and/or /var/tmp for every user. To achieve this a separate mount namespace is setup during login and a bind mount is performed in configured locations. Different methods are offered for this like a fixed per-user directory that is bind mounted (i.e. per-user contents are persistent and shared between sessions) or an ephemeral temporary directory (contents are lost after a session is closed). The PAM module explicitly supports bind mounting of polyinstantiated directories in user controlled locations, like beneath the user's home directory. Operating with root privileges in user controlled directories comes with a lot of dangers. To avoid them the function `protect_dir()` implements a special algorithm to protect the target path of a bind mount. The function follows the target path for the bind mount starting from the file system root. Each path component that is under non-root control is protected from user manipulation, by bind mounting the path upon itself. There is one bit missing though: The algorithm is not passing the `O_DIRECTORY` flag to `openat()` and is thus subject to special files like FIFOs being placed in user controlled directories. This can easily be reproduced e.g. using this configuration entry in the `namespace.conf` configuration file: $HOME/tmp /var/tmp/tmp-inst/ user:create root An unprivileged user (that is not yet in a corresponding mount namespace with ~/tmp mounted as a polyinstantiated dir) can now place a FIFO there: nobody$ mkfifo $HOME/tmp A subsequent attempt to login as this user with `pam_namespace` configured will cause the `openat()` in `protect_dir()` to block, causing a local denial of service.