Bug 1346461 (CVE-2016-4989) - CVE-2016-4989 setroubleshoot: command injection issues
Summary: CVE-2016-4989 setroubleshoot: command injection issues
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-4989
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1339375 1339377 1346462 1346463 1348526
Blocks: 1332645
TreeView+ depends on / blocked
 
Reported: 2016-06-14 21:41 UTC by Tomas Hoger
Modified: 2021-02-17 03:43 UTC (History)
6 users (show)

Fixed In Version: setroubleshoot 3.2.27.1, setroubleshoot 3.3.9.1
Doc Type: If docs needed, set a value
Doc Text:
Shell command injection flaws were found in the way the setroubleshoot executed external commands. A local attacker able to trigger certain SELinux denials could use these flaws to execute arbitrary code with root privileges.
Clone Of:
Environment:
Last Closed: 2016-06-23 10:55:56 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:1267 0 normal SHIPPED_LIVE Important: setroubleshoot and setroubleshoot-plugins security update 2016-06-22 01:24:18 UTC
Red Hat Product Errata RHSA-2016:1293 0 normal SHIPPED_LIVE Important: setroubleshoot and setroubleshoot-plugins security update 2016-06-23 12:52:54 UTC

Description Tomas Hoger 2016-06-14 21:41:39 UTC 
It was discovered that setroubleshoot executed external commands using subprocess.check_output(), commands.getstatusoutput(), or commands.getoutput() without properly sanitizing untrusted inputs used as command arguments.  These inputs originated from SELinux AVC messages.  A local user could use this flaw to execute arbitrary code as root if they could trigger an SELinux denial using a file with a specially crafted name.

The following cases were identified:

- _set_tpath() in audit_data.py - When executing locate command, it used subprocess.check_output() (new setroubleshoot versions) or commands.getstatusoutput() (older versions) to execute command using shell.  A local user could use this flaw to execute commands with setroubleshootd privileges.

- run_fix() in SetroubleshootFixit.py - This DBus service requires administrative authentication by default.  There are currently no known attacks that can be used by non-administrative users.
Comment 1 Tomas Hoger 2016-06-14 21:41:45 UTC 
Acknowledgments:

Name: Red Hat Product Security
Comment 3 Tomas Hoger 2016-06-14 21:43:59 UTC 
Note that this issue was independently reported by Sebastian Krahmer (SuSE Security Team).
Comment 4 Tomas Hoger 2016-06-14 21:45:30 UTC 
The impact of this issue on Red Hat Enterprise Linux 7.2 and later is reduced, as setroubleshootd does not run with root privileges, but with privileges of a dedicated non-root user setroubleshoot.

The SetroubleshootFixit service runs with root privileges but, as noted in comment 0, there are currently no known attacks against the service.
Comment 5 Tomas Hoger 2016-06-14 21:47:05 UTC 
Note that this issue was originally handled as part of the CVE-2016-4445 (bug 1339183), but was later split out because of different fixed-in versions.
Comment 7 Tomas Hoger 2016-06-21 11:28:03 UTC 
Public now via:

http://seclists.org/oss-sec/2016/q2/574

Sebastian Krahmer's exploit:

https://github.com/stealth/troubleshooter/blob/master/straight-shooter.c
Comment 8 Tomas Hoger 2016-06-21 11:44:41 UTC 
Created setroubleshoot tracking bugs for this issue:

Affects: fedora-all [bug 1348526]
Comment 9 Tomas Hoger 2016-06-21 20:51:23 UTC 
Upstream commits:

https://github.com/fedora-selinux/setroubleshoot/commit/e69378d7e82a503534d29c5939fa219341e8f2ad
https://github.com/fedora-selinux/setroubleshoot/commit/dda55aa50db95a25f0d919c3a0d5871827cdc40f
Comment 10 errata-xmlrpc 2016-06-21 21:25:19 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:1267 https://access.redhat.com/errata/RHSA-2016:1267
Comment 11 errata-xmlrpc 2016-06-23 08:53:27 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:1293 https://access.redhat.com/errata/RHSA-2016:1293
Note You need to log in before you can comment on or make changes to this bug.