Bug 1908577 (CVE-2020-35501) - CVE-2020-35501 kernel: audit not logging access to syscall open_by_handle_at for users with CAP_DAC_READ_SEARCH capability
Summary: CVE-2020-35501 kernel: audit not logging access to syscall open_by_handle_at ...
Keywords:
Status: NEW
Alias: CVE-2020-35501
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 1933649 1933650 1933651 1935474 1935475 1935476 1935477 1935478 1936258 1938167
Blocks: 1899669 1937220
TreeView+ depends on / blocked
 
Reported: 2020-12-17 04:43 UTC by Wade Mealing
Modified: 2023-09-26 14:57 UTC (History)
39 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernels implementation of audit rules, where a syscall can unexpectedly not be correctly not be logged by the audit subsystem
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description Wade Mealing 2020-12-17 04:43:33 UTC 
A flaw was found in the kernel's audit by access permission feature which would not record open_by_handle_at syscalls.

This does not mean that a user is granted access to resources that they would not be able to.  This means that the audit log trail would not contain the log events of access.
Comment 2 Rohit Keshri 2020-12-21 10:07:38 UTC 
Acknowledgments:

Name: Felix Kosterhon (SECUINFRA GmbH)
Comment 15 Richard Guy Briggs 2021-03-05 15:21:32 UTC 
This is public:
2021-02-18 https://seclists.org/oss-sec/2021/q1/155
2021-03-02 https://listman.redhat.com/archives/linux-audit/2021-February/msg00079.html
related 2016-04-16 https://github.com/linux-audit/audit-kernel/issues/9
Comment 16 Wade Mealing 2021-03-08 00:41:51 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1936258]
Comment 19 Wade Mealing 2021-03-10 05:35:24 UTC 
Mitigation:

This syscall can still be audited by using the 'syscall auditing feature' by passing open_by_handle_at to it in the rule.  Existing auditing ruleset requirements generally use this mechanism.
Note You need to log in before you can comment on or make changes to this bug.