Bug 1346461 (CVE-2016-4989) - CVE-2016-4989 setroubleshoot: command injection issues
Summary: CVE-2016-4989 setroubleshoot: command injection issues
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-4989
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1339375 1339377 1346462 1346463 1348526
Blocks: 1332645
TreeView+ depends on / blocked
 
Reported: 2016-06-14 21:41 UTC by Tomas Hoger
Modified: 2019-09-29 13:51 UTC (History)
6 users (show)

Fixed In Version: setroubleshoot 3.2.27.1, setroubleshoot 3.3.9.1
Doc Type: If docs needed, set a value
Doc Text:
Shell command injection flaws were found in the way the setroubleshoot executed external commands. A local attacker able to trigger certain SELinux denials could use these flaws to execute arbitrary code with root privileges.
Clone Of:
Environment:
Last Closed: 2016-06-23 10:55:56 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:1267 normal SHIPPED_LIVE Important: setroubleshoot and setroubleshoot-plugins security update 2016-06-22 01:24:18 UTC
Red Hat Product Errata RHSA-2016:1293 normal SHIPPED_LIVE Important: setroubleshoot and setroubleshoot-plugins security update 2016-06-23 12:52:54 UTC

Description Tomas Hoger 2016-06-14 21:41:39 UTC
It was discovered that setroubleshoot executed external commands using subprocess.check_output(), commands.getstatusoutput(), or commands.getoutput() without properly sanitizing untrusted inputs used as command arguments.  These inputs originated from SELinux AVC messages.  A local user could use this flaw to execute arbitrary code as root if they could trigger an SELinux denial using a file with a specially crafted name.

The following cases were identified:

- _set_tpath() in audit_data.py - When executing locate command, it used subprocess.check_output() (new setroubleshoot versions) or commands.getstatusoutput() (older versions) to execute command using shell.  A local user could use this flaw to execute commands with setroubleshootd privileges.

- run_fix() in SetroubleshootFixit.py - This DBus service requires administrative authentication by default.  There are currently no known attacks that can be used by non-administrative users.

Comment 1 Tomas Hoger 2016-06-14 21:41:45 UTC
Acknowledgments:

Name: Red Hat Product Security

Comment 3 Tomas Hoger 2016-06-14 21:43:59 UTC
Note that this issue was independently reported by Sebastian Krahmer (SuSE Security Team).

Comment 4 Tomas Hoger 2016-06-14 21:45:30 UTC
The impact of this issue on Red Hat Enterprise Linux 7.2 and later is reduced, as setroubleshootd does not run with root privileges, but with privileges of a dedicated non-root user setroubleshoot.

The SetroubleshootFixit service runs with root privileges but, as noted in comment 0, there are currently no known attacks against the service.

Comment 5 Tomas Hoger 2016-06-14 21:47:05 UTC
Note that this issue was originally handled as part of the CVE-2016-4445 (bug 1339183), but was later split out because of different fixed-in versions.

Comment 7 Tomas Hoger 2016-06-21 11:28:03 UTC
Public now via:

http://seclists.org/oss-sec/2016/q2/574

Sebastian Krahmer's exploit:

https://github.com/stealth/troubleshooter/blob/master/straight-shooter.c

Comment 8 Tomas Hoger 2016-06-21 11:44:41 UTC
Created setroubleshoot tracking bugs for this issue:

Affects: fedora-all [bug 1348526]

Comment 10 errata-xmlrpc 2016-06-21 21:25:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:1267 https://access.redhat.com/errata/RHSA-2016:1267

Comment 11 errata-xmlrpc 2016-06-23 08:53:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:1293 https://access.redhat.com/errata/RHSA-2016:1293


Note You need to log in before you can comment on or make changes to this bug.