Bug 1224103 (CVE-2015-3202) - CVE-2015-3202 fuse: incorrect filtering of environment variables leading to privilege escalation
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2015-3202
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1224104 1224105 1224108
Blocks: 1224110
Reported: 2015-05-22 08:32 UTC by Martin Prpič
Modified: 2021-02-17 05:15 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was discovered that fusermount failed to properly sanitize its environment before executing mount and umount commands. A local user could possibly use this flaw to escalate their privileges on the system.
Clone Of:
Environment:
Last Closed: 2015-08-22 23:11:47 UTC
Embargoed:


Attachments
CVE-2015-3202.patch (1.75 KB, text/plain)
2015-05-22 08:33 UTC, Martin Prpič

Description Martin Prpič 2015-05-22 08:32:27 UTC
It was found that FUSE, a Filesystem in USErspace, did not properly sanitize environment variables before executing a mount or umount operation with elevated privileges. A local attacker could use this flaw to overwrite arbitrary files on the system or escalate their privileges.

Additional details:

http://seclists.org/oss-sec/2015/q2/520

Patch proposed on distros is attached.

Comment 1 Martin Prpič 2015-05-22 08:33:13 UTC
Created attachment 1028606
CVE-2015-3202.patch

Comment 2 Martin Prpič 2015-05-22 08:33:54 UTC
Created ntfs-3g tracking bugs for this issue:

Affects: fedora-all [bug 1224105]
Affects: epel-all [bug 1224108]

Comment 3 Martin Prpič 2015-05-22 08:33:56 UTC
Created fuse tracking bugs for this issue:

Affects: fedora-all [bug 1224104]

Comment 4 Tomas Hoger 2015-05-25 20:12:05 UTC
Upstream commit:
http://sourceforge.net/p/fuse/fuse/ci/fe2d96/

On affected systems, this issue would allow local users to escalate their privileges to root, and hence would be rated as an Important impact issue.

Red Hat Enterprise Linux is not affected by the published attack.

On Red Hat Enterprise Linux 7, /etc/mtab is not a regular file but a symlink to /proc/self/mtab.  That prevents fusermount from running mount and umount (see the mtab_needs_update() function).  Even though mount and umount in Red Hat Enterprise Linux 7 use libmount, which supports reading the LIBMOUNT_MTAB environment variable, they are not run by fusermount.  The same applies to current Fedora versions.

On Red Hat Enterprise Linux 5 and 6, /etc/mtab is a regular file and hence fusermount runs the mount and umount commands.  However, mount and umount in Red Hat Enterprise Linux 6 and earlier do not use libmount (on Red Hat Enterprise Linux 6, libmount is part of the util-linux-ng packages, but is not used by the mount and umount commands; on Red Hat Enterprise Linux 5, the util-linux packages do not contain the libmount library).

Red Hat Enterprise Linux 7 Hypervisor contains the libguestfs-winsupport packages, which include ntfs-3g.  However, ntfs-3g is not installed as setuid root and hence there is no privilege escalation risk.
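
Added example (not part of comment 4 and not taken from the attached or upstream patch): a small C program showing the two conditions the comment turns on, namely whether /etc/mtab is a regular file and whether an environment variable set by the caller reaches an executed helper. Assumptions: /bin/sh stands in for mount/umount, the function names are hypothetical, and the LIBMOUNT_MTAB value is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stand-in for mount/umount: exits 0 only if LIBMOUNT_MTAB reached it. */
#define HELPER_CHECK "test -n \"$LIBMOUNT_MTAB\""

/* 1 = regular file (the case where the comment says the helpers are run),
 * 0 = symlink or other type, -1 = error. lstat() does not follow a final symlink. */
int mtab_is_regular_file(const char *path)
{
    struct stat st;
    if (lstat(path, &st) == -1)
        return -1;
    return S_ISREG(st.st_mode) ? 1 : 0;
}

/* Fork and exec the stand-in helper. sanitize=0 inherits the caller's
 * environment (the unsanitized case); sanitize=1 passes an empty one.
 * Returns 1 if the helper saw the variable, 0 if not, -1 on failure. */
int helper_sees_libmount_mtab(int sanitize)
{
    char *empty_env[] = { NULL };
    int status;
    pid_t pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {
        if (sanitize)
            execle("/bin/sh", "sh", "-c", HELPER_CHECK, (char *)NULL, empty_env);
        else
            execl("/bin/sh", "sh", "-c", HELPER_CHECK, (char *)NULL);
        _exit(127); /* exec failed */
    }
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 0 ? 1 : WEXITSTATUS(status) == 1 ? 0 : -1;
}

int main(void)
{
    setenv("LIBMOUNT_MTAB", "/tmp/constructed-example", 1); /* constructed value */
    printf("/etc/mtab regular file: %d\n", mtab_is_regular_file("/etc/mtab"));
    printf("inherited env, helper sees variable: %d\n", helper_sees_libmount_mtab(0));
    printf("empty env, helper sees variable: %d\n", helper_sees_libmount_mtab(1));
    return 0;
}
```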

Comment 10 Fedora Update System 2015-06-01 17:01:47 UTC
ntfs-3g-2015.3.14-2.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2015-06-05 23:54:21 UTC
ntfs-3g-2015.3.14-2.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2015-06-07 15:59:27 UTC
fuse-2.9.4-1.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2015-06-09 15:08:17 UTC
fuse-2.9.4-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2015-06-10 19:18:13 UTC
ntfs-3g-2015.3.14-2.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2015-06-11 18:45:18 UTC
ntfs-3g-2015.3.14-2.el7 has been pushed to the Fedora EPEL 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2015-06-13 06:34:31 UTC
fuse-2.9.4-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 17 Fedora Update System 2015-06-13 06:37:15 UTC
ntfs-3g-2015.3.14-2.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 18 Vincent Danen 2015-08-22 23:11:36 UTC
See comment #4 for more details on how this affects Red Hat Enterprise Linux 7.

Statement:

Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

