Bug 1192565 - (CVE-2014-8169) CVE-2014-8169 autofs: priv escalation via interpreter load path for program based automount maps
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20150302,repor...
Keywords: Security
Depends On: 1160446 1162041 1197971
Blocks: 1192566 1193283 1210268
Reported: 2015-02-13 12:46 EST by Kurt Seifried
Modified: 2016-06-13 05:41 EDT

Doc Type: Bug Fix
Doc Text:
It was found that program-based automounter maps that used interpreted languages such as Python would use standard environment variables to locate and load modules of those languages. A local attacker could potentially use this flaw to escalate their privileges on the system.
Last Closed: 2015-11-19 23:35:52 EST
External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:1344 normal SHIPPED_LIVE Moderate: autofs security and bug fix update 2015-07-20 13:59:56 EDT
Red Hat Product Errata RHSA-2015:2417 normal SHIPPED_LIVE Moderate: autofs security, bug fix and enhancement update 2015-11-19 06:23:21 EST

Description Kurt Seifried 2015-02-13 12:46:20 EST
The Georgia Institute of Technology reports:

When a program map uses an interpreted language like Python it's
possible to load and execute arbitrary code from a user home directory.
This is because the standard environment variables are used to locate
and load modules when using these languages.

To avoid that we need to add a prefix to these environment names so
they aren't used for this purpose. The prefix used is "AUTOFS_" and
is not configurable.
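The mechanism described in the report, as an added example that is not part of the original report or of autofs itself: a Python "program map" that imports a helper module is run twice for the same key, once with the requesting user's HOME handed to it under its standard name (the pre-fix behaviour) and once with the same value handed over as AUTOFS_HOME. Python derives its per-user module directory from HOME, so in the first run a module the local attacker planted under a home directory they control is what the map imports, and it runs with the automounter's privileges. The helper module name `automap_helper`, the attacker's home directory, and the choice of HOME/USER/UID as the per-request variables are assumptions made for this demo; the report does not say which variables or interpreters were involved.

```python
#!/usr/bin/env python3
"""Added example, not autofs code: why a Python program map is hijackable when
automount hands it the requesting user's variables under their standard
names, and why prefixing those names with AUTOFS_ (the fix in the report)
defuses it.  The helper module name, the attacker's home directory and the
per-request variable set (HOME/USER/UID) are constructed for this demo."""
import os
import subprocess
import sys
import tempfile
import textwrap

HELPER = "automap_helper"   # hypothetical module the map script imports
PREFIX = "AUTOFS_"          # the fixed, non-configurable prefix from the report

# The "program map": a script automount would run as root with the map key as
# argv[1].  It imports a helper, as a real map might import an LDAP or DB
# wrapper.  Whatever module the interpreter resolves for that name runs with
# automount's privileges.
MAP_SCRIPT = textwrap.dedent(f"""\
    import site, sys
    # Python derives the user site directory from $HOME.  Outside a venv the
    # interpreter puts it on sys.path by itself at start-up if it exists; inside
    # a venv that step is disabled, so do it here to keep the demo deterministic.
    user_site = site.getusersitepackages()
    if user_site not in sys.path:
        sys.path.append(user_site)
    try:
        import {HELPER}
        print({HELPER}.lookup(sys.argv[1]))
    except ImportError:
        print("no helper found, refusing to answer")
""")


def daemon_env():
    """Environment automount itself runs with (its own HOME, not the user's)."""
    env = dict(os.environ)
    env.pop("PYTHONUSERBASE", None)   # would override the HOME-derived location
    env.pop("PYTHONNOUSERSITE", None)
    return env


def user_site_for(home):
    """Where a fresh interpreter looks for per-user modules when HOME is `home`."""
    env = dict(daemon_env(), HOME=home)
    out = subprocess.run(
        [sys.executable, "-c", "import site; print(site.getusersitepackages())"],
        env=env, capture_output=True, text=True, check=True)
    return out.stdout.strip()


def plant_helper(home):
    """What the local attacker does: drop a module named like the map's helper
    into the user site directory under a home directory they control."""
    site_dir = user_site_for(home)
    os.makedirs(site_dir, exist_ok=True)
    with open(os.path.join(site_dir, HELPER + ".py"), "w") as f:
        f.write("def lookup(key):\n    return 'HIJACKED:' + key  # runs as root\n")
    return site_dir


def program_map_env(request_vars, prefix):
    """Build the environment a program map receives for one lookup.
    prefix='' reproduces the vulnerable behaviour (the user's HOME becomes the
    interpreter's HOME); prefix=PREFIX mirrors the fix."""
    env = daemon_env()
    env.update({prefix + k: v for k, v in request_vars.items()})
    return env


def run_program_map(key, request_vars, prefix):
    env = program_map_env(request_vars, prefix)
    r = subprocess.run([sys.executable, "-c", MAP_SCRIPT, key],
                       env=env, capture_output=True, text=True)
    return r.stdout.strip()


def demo():
    """Run the same lookup twice: once the pre-fix way, once with the prefix."""
    with tempfile.TemporaryDirectory() as attacker_home:   # constructed attacker home
        plant_helper(attacker_home)
        request = {"HOME": attacker_home, "USER": "mallory", "UID": "1001"}
        return {
            "vulnerable": run_program_map("alice", request, ""),
            "fixed": run_program_map("alice", request, PREFIX),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} {result}")
```

Run it directly to see both outcomes. The same pattern applies to any interpreter that consults its environment for a module search path (PERL5LIB, RUBYLIB, PYTHONPATH), which is why renaming every automount-supplied variable with a fixed prefix is a safer fix than filtering particular names.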
Comment 3 Ian Kent 2015-02-27 01:06:24 EST
(In reply to Huzaifa S. Sidhpurwala from comment #2)
> 
> This issue affects the version of autofs as shipped with Red Hat Enterprise
> Linux 5. Red Hat Enterprise Linux 5 is now in Extended Life Cycle phase of
> the support and maintenance life cycle. This issue is not currently planned
> to be addressed in future updates. For additional information, refer to the
> Red Hat Enterprise Linux Life Cycle:
> https://access.redhat.com/support/policy/updates/errata/.

This is not so.
RHEL 5 is not affected by this issue.
Comment 5 Kurt Seifried 2015-03-02 14:17:24 EST
Acknowledgement:

Red Hat would like to thank the Georgia Institute of Technology for reporting this issue.
Comment 8 Huzaifa S. Sidhpurwala 2015-03-25 01:06:31 EDT
Statement:

This issue does not affect the version of autofs package as shipped with Red Hat Enterprise Linux 5.
Comment 9 errata-xmlrpc 2015-07-22 02:51:27 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:1344 https://rhn.redhat.com/errata/RHSA-2015-1344.html
Comment 13 errata-xmlrpc 2015-11-19 08:00:50 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:2417 https://rhn.redhat.com/errata/RHSA-2015-2417.html