Bug 550172 (CVE-2009-4273, CVE-2010-0412)

Summary: CVE-2009-4273 systemtap: remote code execution via stap-server
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: brolley, fche, jistone, kreilly, qe-baseos-apps, rcvalle, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-11-29 16:07:23 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 556564, 556565    
Bug Blocks:    

Description Vincent Danen 2009-12-23 21:54:37 UTC 
A flaw was found in the "stap-server" network compilation server, an optional part of systemtap.  Part of the server is written in bash and does not adequately sanitize its inputs, which are essentially full command line parameter sets from a client.  Remote users may be able to abuse quoting/spacing/metacharacters to execute shell code on behalf of the compile server process/user (normally a fully unprivileged synthetic userid).

There is currently no fix available.  To work-around this issue, avoid running the stap-server program on a network with untrusted users.

[1] http://sourceware.org/PR11105
Comment 6 Vincent Danen 2010-01-15 19:36:23 UTC 
This is CVE-2009-4273.
Comment 9 Fedora Update System 2010-01-16 00:31:20 UTC 
systemtap-1.1-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/systemtap-1.1-1.fc11
Comment 10 Fedora Update System 2010-01-16 00:31:25 UTC 
systemtap-1.1-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/systemtap-1.1-1.fc12
Comment 11 Fedora Update System 2010-01-17 02:52:50 UTC 
systemtap-1.1-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2010-01-17 02:54:58 UTC 
systemtap-1.1-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 15 Vincent Danen 2010-01-22 22:44:24 UTC 
systemtap 0.6.2 in EL4 does not have server functionality at all and as a result is unaffected by this issue.
Comment 16 Frank Ch. Eigler 2010-02-03 20:45:43 UTC 
We have identified a few additional cases where the fix above is not sufficient.
We are working on a workaround that involves only changes to configuration files
(rather than compiled code).  Shall we handle this with a whole separate advisory
or an update to this one?
Comment 21 Vincent Danen 2010-02-04 21:47:21 UTC 
Ok, but this doesn't make the CVE-2009-4273 fix incomplete, right?  Since this is not due to unsanitized input in a shell script, but rather due to an issue with the Makefile (or how make is run?).  This would probably be considered a separate flaw and would need another CVE if I'm understanding this correctly.

So I wouldn't say the original fix was incomplete, but rather that this is a separate, yet similar, issue (am I correct in assuming that if you fixed this, but _not_ this original issue, that the original issue would still exist?  Or would fixing this _also_ fix the original issue?  That distinction is probably what would decide whether this is a separate CVE or not).
Comment 22 Frank Ch. Eigler 2010-02-04 21:52:37 UTC 
The 'make' invocation we are talking about is done via the chain
stap-server -> stap -> make, at the server at run time.  This is
not the 'make' of the software itself, but again, a 'make' 
invoked at run time, as a consequence of how systemtap works.

For the original issue, we secured only the first link
(stap-server -> stap) to avoid unintentional eval's.  However,
this second link (stap -> make) also exists, and make is all
too happy to eval just about anything, so we need to sanitize
its inputs too.

So yes, it is another instance of the original issue.
Comment 25 Vincent Danen 2010-02-05 16:44:15 UTC 
I've assigned CVE-2010-0412 for the "incomplete fix of CVE-2009-4273".  For reference, we do not need to refer to CVE-2010-0412 in our advisories since we have not updated systemtap with the incomplete fix.
Comment 27 Frank Ch. Eigler 2010-02-12 18:26:16 UTC 
The tentative additional fixes for this problem are here:

http://sourceware.org/git/?p=systemtap.git;a=commit;h=c0d1b5a00
http://sourceware.org/git/?p=systemtap.git;a=commit;h=cc9e5488d
Comment 28 Vincent Danen 2010-02-25 18:28:10 UTC 
CVE-2010-0412 has been assigned for the "incomplete fix of CVE-2009-4273".  MITRE unfortunately classified it differently:

stap-server in SystemTap 1.1 does not properly restrict the value of
the -B (aka BUILD) option, which allows attackers to have an
unspecified impact via vectors associated with executing the make
program, a different vulnerability than CVE-2009-4273.

They picked this up from Fedora commits which, unfortunately, did not indicate that this isn't a new issue, but that the fix for CVE-2009-4273 was incomplete.
Comment 29 errata-xmlrpc 2010-03-01 19:02:54 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0124 https://rhn.redhat.com/errata/RHSA-2010-0124.html