Bug 737338 (CVE-2011-3364)

Summary: CVE-2011-3364 NetworkManager: Console user can escalate to root via newlines in ifcfg-rh connection name
Product: [Other] Security Response
Reporter: Matt McCutchen <matt>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: dcbw, jlieskov, rkhan, rvokal, security-response-team, vdanen
Keywords: Security
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2017-09-15 16:50:33 UTC
Bug Depends On: 740315, 740316, 741418
Bug Blocks: 737364
Attachments (Description; Flags):
- Removing newline characters while writing to ifcfg file; none
- [RHEL6, F14] Removing newline characters while writing to ifcfg file; none
- [RHEL6, F14] Removing newline characters while writing to ifcfg file; none
- [F15 and up] Removing newline characters while writing to ifcfg file; none

Description Matt McCutchen 2011-09-11 08:13:02 UTC
Description of problem:
Between F14 and F15, NetworkManager was changed so that unprivileged console users can store both personal and system connections via the ifcfg-rh plugin.  As a result, bug 682290 now constitutes a vulnerability allowing such users to escalate to root.  To avoid calling attention to this, I am filing a separate bug rather than updating bug 682290.

Version-Release number of selected component (if applicable):
NetworkManager-0.9.0-1.fc15

How reproducible:
Always

Steps to Reproduce (as an unprivileged console user):
1. Create a wired connection named `test'.
2. Change the name to `test\nUSERCTL=true\n/bin/bash', where `\n' stands for
a newline entered via Ctrl-Shift-U, A.
3. usernetctl test up

Actual results:
Root shell.

Expected results:
Format integrity of /etc/sysconfig/network-scripts/ifcfg-test is maintained.

Comment 2 Jirka Klimes 2011-09-14 15:51:48 UTC
Connection IDs are basically not restricted and they can contain virtually any character (including non-printable, control, etc.). That's not a problem per se.
However, when the ID is used in some places some characters can cause problems.

In this case, when NAME variable (connection's ID) is written to ifcfg file, some characters are escaped with \ in shvar.c (escapees[] = "\"'\\$~`"). This prevents undesired behaviour in shell, because ifcfg files can be shell-interpreted by means of initscripts.

a) The easiest solution would be just dropping newline characters when writing to ifcfg file. See attached patch doing that.

b) If we wanted to preserve the newline characters (and/or other control characters), we have to change svEscape()/svUnescape() to properly transfer LF <-> "\n", CR <-> "\r", etc. But, I think non-printable characters in connection names don't bring any user value and "\n" may cause some problems too in ifcfg files.

Comment 3 Jirka Klimes 2011-09-14 15:53:04 UTC
Created attachment 523188 [details]
Removing newline characters while writing to ifcfg file

Comment 4 Jirka Klimes 2011-09-14 16:11:47 UTC
One suggestion:
I've noticed that shvar.[h|c] used in NM for handling ifcfg files are used by some other packages: usermode, initscripts. And maybe others. It looks like the code comes from ancient rp3 (RedHat PPP dialer).

It would be useful to separate the code into an independent library, so that everyone could use it and not have to duplicate the code. Or at least put the code in a repository as source routines (like gnulib), so that changes are done in one place and everybody can get the latest version from it (maybe mark initscripts copy as that).

Comment 5 Bill Nottingham 2011-09-14 17:49:11 UTC
It's historically a copy-paste library, mostly due to laziness.

Comment 6 Dan Williams 2011-09-14 19:41:41 UTC
(In reply to comment #3)
> Created attachment 523188 [details]
> Removing newline characters while writing to ifcfg file

Looks good, let's push this into RHEL packages for the security update Z stream.  After the embargo lifts we can push upstream and to Fedora.

Comment 7 Matt McCutchen 2011-09-15 03:21:55 UTC
(In reply to comment #6)
> Looks good, lets push this into RHEL packages for the security update Z stream.
>  After the embargo lifts we can push upstream and to Fedora.

And let the Fedora systems get hacked?  Thanks a lot.  That will make me give you private notice of issues in the future.

I thought RHEL is listed as "notaffected" anyway?

Comment 8 Jan Lieskovsky 2011-09-16 12:21:24 UTC
The CVE identifier of CVE-2011-3364 has been assigned to this issue.

Comment 9 Jan Lieskovsky 2011-09-16 13:04:38 UTC
(In reply to comment #7)

Hello Matt,

  thank you for responsibly reporting this issue to us.

  To be able to move with this one towards its correction and public announcement we would need privately (in encrypted way) to contact and inform other Linux distributions, shipping NetworkManager package too, about presence of this flaw.

  Though it is not likely other distributions would use the ifcfg-rh plug-in, which is required for this issue to be exploitable. But it is likely, their NetworkManager versions might be affected by improper escaping of certain characters too. Thus we would like to ask you for an approval to privately (in encrypted way) inform other distributions about presence of this issue. Please let us know, if we can do this.

  Due to the embargo date -- we have preliminarily set it up to next Wednesday, 2011-09-21. If there would be no embargo date changes necessary (due to various reasons, since this depends on many conditions), on next Wednesday this bug would be opened for public audience and affected Fedora NetworkManager package updates scheduled.

  Should there be embargo date change required yet, we would inform you again via this bug.

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

P.S.: Please let us know if it's OK from your side us to inform other distributions about presence of this issue privately. Thank you again, Jan.

> (In reply to comment #6)
> > Looks good, lets push this into RHEL packages for the security update Z stream.
> >  After the embargo lifts we can push upstream and to Fedora.
> 
> And let the Fedora systems get hacked?  Thanks a lot.  That will make me give
> you private notice of issues in the future.
> 
> I thought RHEL is listed as "notaffected" anyway?

Comment 10 Tomas Hoger 2011-09-16 13:47:18 UTC
(In reply to comment #7)
> > Looks good, lets push this into RHEL packages for the security update Z
> > stream. After the embargo lifts we can push upstream and to Fedora.
> 
> And let the Fedora systems get hacked?  Thanks a lot.

Matt, just to clear up some confusion - Fedora has its dist-git and koji public, there's no mechanism to do private commits / builds.  Hence when the fix is committed to dist-git (or upstream VCS), we consider the issue public.  The aim here was to have everything ready, so when this is made public, fixes are followed shortly.

Comment 11 Matt McCutchen 2011-09-16 23:27:25 UTC
(In reply to comment #9)
> Thus we would like to ask you for an approval to privately (in
> encrypted way) inform other distributions about presence of this issue. Please
> let us know, if we can do this.

Yes, by all means please inform other distributions.

(In reply to comment #10)
> Matt, just clear up some confusion - Fedora has its dist-git and koji public,
> there's no mechanism to do private commits / builds.  Hence when the fix is
> committed to dist-git (or upstream VCS), we consider the issue public.  The aim
> here was to have everything ready, so when this is made public, fixes are
> followed shortly.

Understood.  Thanks for your work on this.

Comment 13 Jirka Klimes 2011-09-20 14:00:29 UTC
Created attachment 524039 [details]
[RHEL6, F14] Removing newline characters while writing to ifcfg file

Patch fixing the issue for RHEL 6 and Fedora 14 (they use NetworkManager 0.8.x).
The patch is the same as the one in comment #3 (for NM 0.9.x = F15 and above) except shvar.c is at a different path.

Comment 14 Jan Lieskovsky 2011-09-20 14:49:13 UTC
This issue did NOT affect the versions of the NetworkManager package, as shipped with Red Hat Enterprise Linux 4 and 5 as those versions did not include support for modification (write) of configuration from NetworkManager to the standard /etc/sysconfig/network-scripts/ifcfg-* files yet.

--

This issue did NOT affect the version of the NetworkManager package, as shipped with Red Hat Enterprise Linux 6 in the default configuration, since, due to the polkit settings, a privileged user account is required to change connections. Though the level of privileges required to be able to change connection settings is a configurable feature and in certain configurations of NetworkManager on Red Hat Enterprise Linux 6 this issue may be exploitable too.

--

This issue affects the versions of the NetworkManager package, as shipped with Fedora release of 14 and 15.

Comment 15 Jan Lieskovsky 2011-09-20 14:52:26 UTC
Hello Matt,

(In reply to comment #11)
> (In reply to comment #9)
> > Thus we would like to ask you for an approval to privately (in
> > encrypted way) inform other distributions about presence of this issue. Please
> > let us know, if we can do this.
> 
> Yes, by all means please inform other distributions.

Thank you for the approval. Unfortunately due to the internal procedures related to dealing with this we will not be able to meet the originally proposed embargo date, thus tomorrow. Wanted to check with you, if it would be possible to postpone / move the embargo date in that way, so this flaw would be publicly disclosed on next Monday, 2011-09-26 12:00 UTC.

Please let us know, if this would be possible to postpone yet (so we could propagate the agreement to other vendors too) and thank you for your understanding.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Comment 16 Jan Lieskovsky 2011-09-20 15:04:18 UTC
Matt,

  and yet one query. Please let us know the official form of your name (and possibly company name if desired) you would like to be credited for the discovery and responsibly reporting this issue to us in our advisory?

Thanks again, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Comment 17 Matt McCutchen 2011-09-20 16:24:12 UTC
(In reply to comment #15)
> Wanted to check with you, if it would be possible
> to postpone / move the embargo date in that way, so this flaw would be publicly
> disclosed on next Monday, 2011-09-26 12:00 UTC. 

That is fine with me.  I am so glad to see prompt and comprehensive action on the bug.

(In reply to comment #16)
> Please let us know the official form of your name (and
> possibly company name if desired) you would like to be credited for the
> discovery and responsibly reporting this issue to us in our advisory?

"Matt McCutchen" with no company affiliation, please.

Comment 18 Matt McCutchen 2011-09-20 17:00:54 UTC
A post mortem question: I'd think that the release of F15 with the default configuration affected should have been avoidable, given that I filed bug 682290 back when F15 was in alpha.  Ideally I might have recognized the problem in F15 myself, but I was focused on other things than testing F15 at that point and did not foresee ifcfg-rh being opened to unprivileged users (I still think it is an audacious design).  Was the team responsible for the F15 changes aware of bug 682290?  Is there something I could have done differently, short of reviewing every F(n+1) in enough depth to notice a change like the expanded use of ifcfg-rh?

Comment 21 Jirka Klimes 2011-09-23 08:36:34 UTC
Created attachment 524560 [details]
[RHEL6, F14] Removing newline characters while writing to ifcfg file

Removing newline characters when writing ifcfg files - for NM 0.8.x

Comment 22 Jirka Klimes 2011-09-23 08:48:59 UTC
Created attachment 524563 [details]
[F15 and up] Removing newline characters while writing to ifcfg file

Removing newline characters when writing to ifcfg files - for NM 0.9.x

Comment 23 Jirka Klimes 2011-09-23 10:14:33 UTC
Patches in comments #21 and #22 fix and replace the previous ones.
(The newline filtering was not done when the name didn't contain spaces or characters for escaping).
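
Added example (not part of this bug report and not NetworkManager's shvar.c): a sketch of the write-side escaping described in comments 2 and 23, showing why newline filtering must also cover values that need no quoting, plus a one-line invariant to check before a KEY=value line is written. The names escape_value, is_single_line and filter_plain, the contents of spaces[], and the sample input are assumptions; only the escapees[] list comes from comment 2.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static const char escapees[] = "\"'\\$~`"; /* list quoted in comment 2 */
static const char spaces[]   = " \t";      /* assumption: these force quoting */
static const char newlines[] = "\n\r";

/* Hypothetical escaper for a value written as KEY=value in an ifcfg file.
 * filter_plain=0 models the gap noted in comment 23: a value with no spaces
 * or escapable characters is emitted without newline filtering. */
char *escape_value(const char *s, int filter_plain)
{
    size_t n_esc = 0, j = 0;
    int quote = 0, drop;
    const char *p;
    char *out;

    for (p = s; *p; p++) {
        if (strchr(escapees, *p)) { n_esc++; quote = 1; }
        if (strchr(spaces, *p)) quote = 1;
    }
    drop = quote || filter_plain;      /* the quoted path always filters */
    out = malloc(strlen(s) + n_esc + 3);
    if (!out) return NULL;
    if (quote) out[j++] = '"';
    for (p = s; *p; p++) {
        if (drop && strchr(newlines, *p)) continue; /* drop CR/LF */
        if (strchr(escapees, *p)) out[j++] = '\\';
        out[j++] = *p;
    }
    if (quote) out[j++] = '"';
    out[j] = '\0';
    return out;
}

/* Invariant to check before writing: the value occupies one physical line. */
int is_single_line(const char *v) { return strpbrk(v, newlines) == NULL; }

int main(void)
{
    char *v = escape_value("office\nKEY=value", 1); /* constructed input */
    if (!v) return 1;
    printf("NAME=%s single_line=%d\n", v, is_single_line(v));
    free(v);
    return 0;
}
```

Checking is_single_line() on every value at the point of writing catches a regression in any escaping path, whichever branch produced the string.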

Comment 24 Vincent Danen 2011-09-26 18:35:41 UTC
Acknowledgements:

Red Hat would like to thank Matt McCutchen for reporting this issue.

Comment 25 Vincent Danen 2011-09-26 18:37:34 UTC
Created NetworkManager tracking bugs for this issue

Affects: fedora-all [bug 741418]

Comment 26 Vincent Danen 2011-09-26 18:42:15 UTC
Statement:

Not vulnerable.  This issue did not affect the versions of NetworkManager as shipped with Red Hat Enterprise Linux 4 or 5 as they did not include support for writing NetworkManager configurations to the standard /etc/sysconfig/network-scripts/ifcfg-* files.

Comment 27 errata-xmlrpc 2011-09-26 18:52:55 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:1338 https://rhn.redhat.com/errata/RHSA-2011-1338.html

Comment 28 Fedora Update System 2011-10-08 18:02:29 UTC
NetworkManager-0.8.5.92-1.git20110927.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.