Bug 736279 (CVE-2011-3211)

Summary: CVE-2011-3211 bcfg2 (bcfg2-server): Privilege escalation due to improper escaping of shell command data sent from client, when SSHbase plug-in enabled
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM
Severity: high
Priority: high
Version: unspecified
CC: jeff, rcvalle, vdanen
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2012-06-06 10:11:15 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 736281, 736282

Description Jan Lieskovsky 2011-09-07 09:07:31 UTC
It was found that the bcfg2 configuration management server did not properly escape shell command data provided by a remote bcfg2 client prior to its execution when the SSHbase plug-in was enabled. A remote attacker able to control a bcfg2 client machine could use this flaw to escalate their privileges (execute arbitrary code with the privileges of the user running the bcfg2 server).

References:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=640028
[2] http://www.openwall.com/lists/oss-security/2011/09/01/1
    (CVE request)
[3] http://www.openwall.com/lists/oss-security/2011/09/06/1
    (CVE assignment)

Upstream patches:
[4] https://github.com/solj/bcfg2/commit/f4a35efec1b6a1e54d61cf1b8bfc83dd1d89eef7
[5] https://github.com/solj/bcfg2/commit/46795ae451ca6ede55a0edeb726978aef4684b53
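The bug class described in this report, as an added illustration that is not code from bcfg2 or from the upstream patches [4] and [5]: a server-side helper that builds an ssh-keygen command from a client-supplied hostname. The ssh-keygen options, the hostname rule (RFC 1123 labels) and the key path are assumptions made for this example; the vulnerable form is kept beside the hardened one so the difference is visible.

```python
import re
import shlex
import subprocess

# Assumed hostname rule for this example: RFC 1123 labels, which by
# construction contain none of the characters a shell treats specially.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_valid_hostname(hostname: str) -> bool:
    """True if hostname is a syntactically valid FQDN (labels joined by dots)."""
    if not hostname or len(hostname) > 253:
        return False
    return all(_LABEL.match(label) for label in hostname.rstrip(".").split("."))


def unsafe_keygen_command(keyfile: str, hostname: str) -> str:
    """Vulnerable pattern: untrusted client data interpolated into a shell
    string. Any shell metacharacter in hostname changes what gets executed."""
    return "ssh-keygen -q -N '' -f %s -C root@%s" % (keyfile, hostname)


def keygen_argv(keyfile: str, hostname: str) -> list:
    """Hardened form: validate the client data, then pass it as a single argv
    element so no shell ever parses it (subprocess with shell=False)."""
    if not is_valid_hostname(hostname):
        raise ValueError("rejected client hostname: %r" % hostname)
    return ["ssh-keygen", "-q", "-N", "", "-f", keyfile, "-C", "root@" + hostname]


def keygen_shell_string(keyfile: str, hostname: str) -> str:
    """If a shell string is unavoidable, validate and quote every untrusted
    piece; shlex.quote keeps the value a single shell word."""
    if not is_valid_hostname(hostname):
        raise ValueError("rejected client hostname: %r" % hostname)
    return "ssh-keygen -q -N '' -f %s -C %s" % (
        shlex.quote(keyfile), shlex.quote("root@" + hostname))


def generate_host_key(keyfile: str, hostname: str) -> None:
    """Run the hardened form; the argv list is never handed to a shell."""
    subprocess.run(keygen_argv(keyfile, hostname), check=True)


if __name__ == "__main__":
    # Constructed sample input; no key is actually generated here.
    print(keygen_argv("/tmp/example_key", "node01.example.com"))
    print(is_valid_hostname("node01;id"))  # a hostname carrying a metacharacter
```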

Comment 1 Jan Lieskovsky 2011-09-07 09:14:46 UTC
This issue affects the versions of the bcfg2 package as shipped with Fedora releases 14 and 15. Please schedule an update.

This issue affects the versions of the bcfg2 package as present within the EPEL-5 and EPEL-6 repositories. Please schedule an update.

--

For the bcfg2 package version present within the EPEL-4 repository, it is not definitely clear whether this version is affected (the relevant code is slightly different in that version, so if it is affected, the aforementioned upstream patches [4] and [5] would need to be backported to the older 0.9.6 version present in EPEL-4).

Jeffrey, for EPEL-4 could you please have a look and confirm whether the EPEL-4 bcfg2 version is affected by this issue or not? And if it is affected, could you schedule an update / rebase for the EPEL-4 version too?

Thanks, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Comment 2 Jan Lieskovsky 2011-09-07 09:15:50 UTC
Created bcfg2 tracking bugs for this issue

Affects: fedora-all [bug 736281]

Comment 3 Jan Lieskovsky 2011-09-07 09:18:18 UTC
Created bcfg2 tracking bugs for this issue

Affects: epel-all [bug 736282]

Comment 4 Fabian Affolter 2011-09-07 21:46:49 UTC
*** Bug 735237 has been marked as a duplicate of this bug. ***

Comment 5 Fedora Update System 2011-10-09 21:01:01 UTC
bcfg2-1.1.3-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2011-10-09 21:02:41 UTC
bcfg2-1.1.3-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.