1192565 – (CVE-2014-8169) CVE-2014-8169 autofs: priv escalation via interpreter load path for program based automount maps

Bug 1192565 (CVE-2014-8169) - CVE-2014-8169 autofs: priv escalation via interpreter load path for program based automount maps

Summary: CVE-2014-8169 autofs: priv escalation via interpreter load path for program b...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2014-8169
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1160446 1162041 1197971
Blocks:	1192566 1193283 1210268
TreeView+	depends on / blocked

Reported:	2015-02-13 17:46 UTC by Kurt Seifried
Modified:	2023-05-12 21:03 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	It was found that program-based automounter maps that used interpreted languages such as Python would use standard environment variables to locate and load modules of those languages. A local attacker could potentially use this flaw to escalate their privileges on the system.
Clone Of:
Environment:
Last Closed:	2015-11-20 04:35:52 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2015:1344	0	normal	SHIPPED_LIVE	Moderate: autofs security and bug fix update	2015-07-20 17:59:56 UTC
Red Hat Product Errata	RHSA-2015:2417	0	normal	SHIPPED_LIVE	Moderate: autofs security, bug fix and enhancement update	2015-11-19 11:23:21 UTC

Description Kurt Seifried 2015-02-13 17:46:20 UTC

The Georgia Institute of Technology reports:

When a program map uses an interpreted languages like python it's
possible to load and execute arbitray code from a user home directory.
This is because the standard environment variables are used to locate
and load modules when using these languages.

To avoid that we need to add a prefix to these environment names so
they aren't used for this purpose. The prefix used is "AUTOFS_" and
is not configurable.

Comment 3 Ian Kent 2015-02-27 06:06:24 UTC

(In reply to Huzaifa S. Sidhpurwala from comment #2)
> 
> This issue affects the version of autofs as shipped with Red Hat Enterprise
> Linux 5. Red Hat Enterprise Linux 5 is now in Extended Life Cycle phase of
> the support and maintenance life cycle. This issue is not currently planned
> to be addressed in future updates. For additional information, refer to the
> Red Hat Enterprise Linux Life Cycle:
> https://access.redhat.com/support/policy/updates/errata/.

This is not so.
RHEL 5 is not affected by this issue.

Comment 5 Kurt Seifried 2015-03-02 19:17:24 UTC

Acknowledgement:


Red Hat would like to thank the Georgia Institute of Technology for reporting this issue.

Comment 8 Huzaifa S. Sidhpurwala 2015-03-25 05:06:31 UTC

Statement:

This issue does not affect the version of autofs package as shipped with Red Hat Enterprise Linux 5.

Comment 9 errata-xmlrpc 2015-07-22 06:51:27 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:1344 https://rhn.redhat.com/errata/RHSA-2015-1344.html

Comment 13 errata-xmlrpc 2015-11-19 13:00:50 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:2417 https://rhn.redhat.com/errata/RHSA-2015-2417.html

Note You need to log in before you can comment on or make changes to this bug.