Bug 532940 (CVE-2010-0788)

Summary: CVE-2010-0788 ncpfs: Race condition by mount (ncpmount) / umount (ncpumount) operations
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: gdeschner, jbacik, jlayton, kreilly, lemenkov, mjc, security-response-team, ssorce, vcrhonek, vdanen
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=low,source=vendorsec,reported=20091024,public=20100126,cvss2=1.7/AV:L/AC:L/Au:S/C:N/I:N/A:P
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: CVE-2010-0787 CVE-2010-0789 (view as bug list) Environment:
Last Closed: 2010-03-26 12:02:33 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 558826    
Bug Blocks:    
Attachments:
Description Flags
Updated FUSE fusermount -u patch by Miklos Szeredi none

Description Jan Lieskovsky 2009-11-04 07:45:35 EST
Several race condition flaws were found in samba-client,
fuse and ncpfs packages:

a, Ronald Volgers found a race condition in the samba-client's
mount.cifs utility. Local, unprivileged user could use this
flaw to conduct symlink attacks, leading to disclosure of 
sensitive information, or, possibly to privilege escalation.

   Upstream bug report:
       https://bugzilla.samba.org/show_bug.cgi?id=6853

  
   Upstream Samba patches:
       http://git.samba.org/?p=samba.git;a=commit;h=3ae5dac462c4ed0fb2cd94553583c56fce2f9d80 http://git.samba.org/?p=samba.git;a=commit;h=a065c177dfc8f968775593ba00dffafeebb2e054 http://git.samba.org/?p=samba.git;a=commit;h=a0c31ec1c8d1220a5884e40d9ba6b191a04a24d5

   Issue severity note for Red Hat Enteprise Linux:
   ------------------------------------------------ 

        The mount.cifs binary, as shipped within samba-client
package on Red Hat Enterprise Linux 4 and 5, is NOT shipped
with setuid root bit enabled by default (local, unprivileged
users on these systems are NOT able to mount custom CIFS
filesystem shares), which mitigates the impact of the vulnera-
bility.

b, Dan Rosenberg found a race condition in the FUSE's fusermount's
utility by performing FUSE filesystem(s) unmount operation (it
was not performed atomically). A local, unprivileged user
could use this flaw to cause a denial of service (unprivileged
unmount of FUSE filesystem share(s) owned by privileged user)
via symlink attack involving FUSE share(s) belonging to privileged
user.

   Issue severity note for Red Hat Enterprise Linux:
   -------------------------------------------------

     The  "fusermount" utility, as shipped within "fuse" package
in Red Hat Enterprise Linux 5 IS shipped with setuid root bit 
enabled by default, but the unprivileged user to be able to
mount custom FUSE filesystem, he needs prior to be the member of
special "fuse" users group (user membership in this group is
granted by privileged user), which mitigates the impact of the
vulnerability.

c, Dan Rosenberg found race conditions in the ncpfs ncpmount 
and ncpumount utilities. Local, unprivileged user could use
these flaws to conduct symlink attacks, leading to denial
of service (ncpumount), disclosure of sensitive information,
or, possibly to privilege escalation (ncpmount).

   Issue severity note for Fedora:
   -------------------------------

     The "ncpmount and ncpumount" utilities, as shipped within
"ncpfs" package in Fedora release of 11 and 12 are NOT shipped
with setuid root bit enabled by default (unprivileged, local
users are NOT able to mount / umount custom remote NCP shares), which
mitigates the impact of the flaws.

Acknowledgements:

Red Hat would like to thank Dan Rosenberg for responsibly
reporting these flaws.
Comment 13 Jan Lieskovsky 2010-01-25 05:22:52 EST
Vulnerable package versions:

a, samba-client (mount.cifs)

   This issue affects the versions of the samba-client package, as shipped
with Red Hat Enterprise Linux 4 and 5. Though the "mount.cifs" binary
on these systems is NOT shipped with setuid root bit enabled by default
(unprivileged user is NOT able to mount custom CIFS shares), which mitigates
the impact of the vulnerability.

   This issue affects the versions of the samba-client package, as shipped
with Fedora 11 and 12. "mount.cifs" binary is NOT shipped with setuid root
bit enabled on these systems.

b, fuse (fusermount -u)

  This issue affects the version of the "fuse" package, as shipped with
Red Hat Enterprise Linux 5. "fusermount" binary IS shipped with setuid
root bit enabled on Red Hat Enteprise Linux 5, but unprivileged user,
to be able to mount custom FUSE filesystem shares, need first to be
member of special "fuse" group (privilege provided by the privileged
user), which mitigates the impact of this vulnerability.

  This issue affects the versions of the "fuse" package, as shipped
with Fedora release of 11 and 12.

c, ncpfs (ncpmount, ncpumount)

  These issues affect the versions of the ncpfs package, as shipped with
Fedora release of 11 and 12. The "ncpmount / ncpumount" binaries are
NOT shipped with setuid root bit enabled by default (unprivileged
user is NOT able to mount / umount custom remote NCP protocol shares), which
mitigates the impact of the vulnerability.
Comment 19 Fedora Update System 2010-01-26 11:07:11 EST
ncpfs-2.2.6-13.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/ncpfs-2.2.6-13.fc12
Comment 21 Fedora Update System 2010-01-26 11:29:29 EST
ncpfs-2.2.6-12.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/ncpfs-2.2.6-12.fc11
Comment 25 Fedora Update System 2010-01-27 12:41:56 EST
samba-3.4.5-55.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/samba-3.4.5-55.fc12
Comment 26 Fedora Update System 2010-01-27 12:46:52 EST
samba-3.4.5-0.47.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/samba-3.4.5-0.47.fc11
Comment 27 Fedora Update System 2010-01-27 19:57:02 EST
ncpfs-2.2.6-13.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 28 Fedora Update System 2010-01-27 20:03:02 EST
ncpfs-2.2.6-12.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 29 Fedora Update System 2010-01-28 22:24:34 EST
samba-3.4.5-0.47.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 30 Fedora Update System 2010-01-28 22:33:26 EST
samba-3.4.5-55.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 31 Fedora Update System 2010-01-31 20:07:48 EST
fuse-2.8.1-2.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 32 Fedora Update System 2010-01-31 20:20:02 EST
fuse-2.8.1-4.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 34 Vincent Danen 2010-03-02 16:02:01 EST
MITRE has rejected the use of CVE-2009-3297 because it was used for samba, ncpfs, and fuse when it should only have been used for Samba.

Instead, new CVEs have been assigned as follows:

CVE-2010-0787: samba
CVE-2010-0788: ncpfs
CVE-2010-0789: fuse
Comment 35 Vincent Danen 2010-03-02 16:57:40 EST
For Samba:

This issue does not affect Red Hat Enterprise Linux 4 and 5 by default as
mount.cifs is not provided with the setuid bit enabled.  If a user has turned
on the setuid bit (via 'chmod +s /sbin/mount.cifs'), they would be affected by
this issue and can workaround the problem by removing the setuid bit.

Red Hat Enterprise Linux 3 does not provide the mount.cifs program.

For FUSE:

This issue does affect Red Hat Enterprise Linux 5 because it does ship fusermount suid root, however the impact of this flaw is minimized due to the fact that only members in group 'fuse' may use it; the executable is owned root:fuse and mode 4750.

Red Hat Enterprise Linux 3 and 4 do not provide the fuse package.

The Red Hat Security Response Team has rated this issue as having low security
impact, a future update may address this flaw.  More information regarding
issue severity can be found here:

http://www.redhat.com/security/updates/classification/
Comment 36 Vincent Danen 2010-03-26 12:02:33 EDT
This bug has been split out so that each CVE has its own bug.  Please see:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-0787 for Samba

and

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-0789 for fuse

As updated packages for ncpfs have been pushed for Fedora, this bug is resolved.