Bug 1107528 - (CVE-2014-3486) CVE-2014-3486 CFME: SSH Utility insecure tmp file creation leading to code execution as root
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: high Severity: high
Assigned To: Red Hat Product Security
impact=important,public=20140630,repo...
Keywords: Security
Depends On: 1107532 1107533
Blocks: 1086525 1107530
 
Reported: 2014-06-10 02:59 EDT by Kurt Seifried
Modified: 2014-08-25 09:58 EDT
Doc Type: Bug Fix
Last Closed: 2014-06-30 19:23:18 EDT
External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:0816 normal SHIPPED_LIVE Important: cfme security, bug fix, and enhancement update 2014-06-30 18:59:47 EDT

Description Kurt Seifried 2014-06-10 02:59:18 EDT
Kurt Seifried of Red Hat Product Security reports:

========================================
./lib/util/MiqSshUtilV1.rb
  def shell_exec(cmd, doneStr=nil, shell=@shell)
    if shell
      # Writing to a temp remote script to handle cases where the cmd string is
      #   too long and is truncated.
      temp_remote_script = "/var/tmp/miq-#{Time.now.to_i}.sh"
      self.exec("echo \"#{cmd}\" > #{temp_remote_script}")
      self.exec("chmod 700 #{temp_remote_script}")
      out = shell.send_command(temp_remote_script)
      self.exec("rm -f #{temp_remote_script}")
      @status = out.status
      msg = out.stdout

      # Check if the first output return references the remote script and remove it.
      msgs = msg.split("\n")
      msg = msgs[1..-1].join("\n") if msgs[0].include?(temp_remote_script)

      raise "#{msg}" unless doneStr.nil? || msg.include?(doneStr)
      return msg
    else
      return self.exec(cmd, doneStr)
    end
  end
========================================
./lib/util/MiqSshUtilV2.rb
  def temp_cmd_file(cmd)
    temp_remote_script = "/var/tmp/miq-#{Time.now.to_i}.sh"
    self.exec("echo \"#{cmd}\" > #{temp_remote_script}")
    remote_cmd = "chmod 700 #{temp_remote_script}; #{temp_remote_script}; rm -f #{temp_remote_script}"
    yield(remote_cmd)
  end
========================================
Time.now.to_i = 1412123123
Set up a file and a few hundred/thousand symlinks and you can cover an hour easily.

Between the

self.exec("echo \"#{cmd}\" > #{temp_remote_script}")
self.exec("chmod 700 #{temp_remote_script}")

an attacker can replace the file, which is then executed as root.

It should use Ruby Tempfile:
http://kurt.seifried.org/2012/03/14/creating-temporary-files-securely/
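
The difference between the timestamp-named write reported above and exclusive creation, as an added example that is not part of the original report or the CFME code base. It runs locally in a scratch directory rather than over SSH; the function names and sample command are assumptions made for illustration.

```ruby
require "tempfile"
require "tmpdir"

# Pattern from the report: the name is derived from the clock. File.write opens
# with O_CREAT|O_TRUNC and follows whatever already exists at that path.
def write_predictable(dir, cmd, now = Time.now.to_i)
  path = File.join(dir, "miq-#{now}.sh")
  File.write(path, cmd)
  File.chmod(0700, path)
  path
end

# O_EXCL makes creation atomic: it fails if anything, including a symlink,
# already exists at the path, and the mode is applied at creation time.
def write_exclusive(path, cmd)
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0700) { |f| f.write(cmd) }
  true
rescue Errno::EEXIST
  false
end

# Tempfile adds an unpredictable suffix and also creates with O_EXCL (mode 0600).
def write_tempfile(dir, cmd)
  tf = Tempfile.new(["miq-", ".sh"], dir)
  tf.write(cmd)
  tf.flush
  tf.chmod(0700)
  tf
end

# Constructed scenario in a private scratch directory (not /var/tmp).
def demo
  Dir.mktmpdir("miq-demo") do |dir|
    now = 1412123123 # timestamp value quoted in the report
    target = File.join(dir, "other-file")
    planted = File.join(dir, "miq-#{now}.sh")
    File.write(target, "original")
    File.symlink(target, planted) # something already sits at the guessed name
    write_predictable(dir, "echo hello", now)
    followed = File.read(target) == "echo hello" # write landed in the link target
    File.write(target, "original")
    refused = !write_exclusive(planted, "echo hello")
    tf = write_tempfile(dir, "echo hello")
    result = { followed: followed, refused: refused,
               intact: File.read(target) == "original",
               tempfile_mode: File.lstat(tf.path).mode & 0777 }
    tf.close!
    result
  end
end
```
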
Comment 2 Vincent Danen 2014-06-24 15:52:40 EDT
Acknowledgements:

This issue was discovered by Kurt Seifried of Red Hat Product Security.
Comment 3 errata-xmlrpc 2014-06-30 15:03:25 EDT
This issue has been addressed in the following products:

  CloudForms Management Engine 5.x

Via RHSA-2014:0816 https://rhn.redhat.com/errata/RHSA-2014-0816.html
