Bug 1705340 (CVE-2019-10143) - CVE-2019-10143 freeradius: privilege escalation due to insecure logrotate configuration
Summary: CVE-2019-10143 freeradius: privilege escalation due to insecure logrotate con...
Alias: CVE-2019-10143
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1719368 1705343 1719369
Blocks: 1705341
TreeView+ depends on / blocked
Reported: 2019-05-02 06:06 UTC by Marian Rehak
Modified: 2019-11-06 00:52 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
It was discovered freeradius does not correctly configure logrotate, allowing a local attacker who already has control of the radiusd user to escalate his privileges to root, by tricking logrotate into writing a radiusd-writable file to a directory normally inaccessible by the radiusd user.
Clone Of:
Last Closed: 2019-11-06 00:52:38 UTC

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:3353 None None None 2019-11-05 20:40:19 UTC

Description Marian Rehak 2019-05-02 06:06:39 UTC
A reverse-shell facilitating situation due to insecure logrotate configuration leading to privilege escalation.

Comment 1 Marian Rehak 2019-05-02 06:14:12 UTC
Created freeradius tracking bugs for this issue:

Affects: fedora-all [bug 1705343]

Comment 3 Riccardo Schirone 2019-05-23 14:30:39 UTC
It is possible for the radiusd user to abuse logrotate to write files in directories normally writable only by root (or other users). freeradius uses logrotate to rotate its logs, but if the radiusd user replaces its log directory with a link to another directory, he could writes file in directories where he normally could not write, possibly leading to code execution as root.

Given the attack can be performed only from the radiusd user, Privilege Required(PR) in CVSSv3 is set to High(H).
Moreover, if SELinux is enabled it restricts the set of directories the attacker can writes to.

Comment 5 Riccardo Schirone 2019-05-23 15:14:27 UTC
Upstream patch:

Comment 7 Riccardo Schirone 2019-05-28 16:21:21 UTC

Add `su radiusd:radiusd` to all log sections in /etc/logrotate.d/radiusd.

By keeping SELinux in "Enforcing" mode, radiusd user will be limited in the directories he can write to.

Comment 8 Riccardo Schirone 2019-06-04 07:51:54 UTC

Comment 9 Riccardo Schirone 2019-06-11 15:26:32 UTC
Red Hat Enterprise Linux 5, 6, 7, and 8 are all affected as the logrotate configuration does not use `su radiusd:radiusd` to copy files as the radiusd user.

Comment 11 Riccardo Schirone 2019-06-11 15:32:41 UTC
This flaw requires an attacker to already have control of the radiusd server to perform the attack. However, an attacker who was able to execute code as the radiusd user (e.g. by exploiting a code execution flaw in the radius server) can run the attack and elevate his privileges to root.

Comment 13 errata-xmlrpc 2019-11-05 20:40:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3353 https://access.redhat.com/errata/RHSA-2019:3353

Comment 14 Product Security DevOps Team 2019-11-06 00:52:38 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Note You need to log in before you can comment on or make changes to this bug.