Bug 550172 (CVE-2009-4273, CVE-2010-0412) - CVE-2009-4273 systemtap: remote code execution via stap-server
Summary: CVE-2009-4273 systemtap: remote code execution via stap-server
Alias: CVE-2009-4273, CVE-2010-0412
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 556564 556565
Reported: 2009-12-23 21:54 UTC by Vincent Danen
Modified: 2019-09-29 12:33 UTC (History)

Doc Type: Bug Fix
Last Closed: 2010-11-29 16:07:23 UTC

Related errata:
System: Red Hat Product Errata
ID: RHSA-2010:0124
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: Important: systemtap security update
Last Updated: 2010-03-01 19:02:50 UTC

Description Vincent Danen 2009-12-23 21:54:37 UTC
A flaw was found in the "stap-server" network compilation server, an optional part of systemtap.  Part of the server is written in bash and does not adequately sanitize its inputs, which are essentially full command line parameter sets from a client.  Remote users may be able to abuse quoting/spacing/metacharacters to execute shell code on behalf of the compile server process/user (normally a fully unprivileged synthetic userid).

There is currently no fix available.  To work around this issue, avoid running the stap-server program on a network with untrusted users.

[1] http://sourceware.org/PR11105

Comment 6 Vincent Danen 2010-01-15 19:36:23 UTC
This is CVE-2009-4273.

Comment 9 Fedora Update System 2010-01-16 00:31:20 UTC
systemtap-1.1-1.fc11 has been submitted as an update for Fedora 11.

Comment 10 Fedora Update System 2010-01-16 00:31:25 UTC
systemtap-1.1-1.fc12 has been submitted as an update for Fedora 12.

Comment 11 Fedora Update System 2010-01-17 02:52:50 UTC
systemtap-1.1-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2010-01-17 02:54:58 UTC
systemtap-1.1-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Vincent Danen 2010-01-22 22:44:24 UTC
systemtap 0.6.2 in EL4 does not have server functionality at all and as a result is unaffected by this issue.

Comment 16 Frank Ch. Eigler 2010-02-03 20:45:43 UTC
We have identified a few additional cases where the fix above is not sufficient.
We are working on a workaround that involves only changes to configuration files
(rather than compiled code).  Shall we handle this with a whole separate advisory
or an update to this one?

Comment 21 Vincent Danen 2010-02-04 21:47:21 UTC
Ok, but this doesn't make the CVE-2009-4273 fix incomplete, right?  Since this is not due to unsanitized input in a shell script, but rather due to an issue with the Makefile (or how make is run?).  This would probably be considered a separate flaw and would need another CVE if I'm understanding this correctly.

So I wouldn't say the original fix was incomplete, but rather that this is a separate, yet similar, issue (am I correct in assuming that if you fixed this, but _not_ this original issue, that the original issue would still exist?  Or would fixing this _also_ fix the original issue?  That distinction is probably what would decide whether this is a separate CVE or not).

Comment 22 Frank Ch. Eigler 2010-02-04 21:52:37 UTC
The 'make' invocation we are talking about is done via the chain
stap-server -> stap -> make, at the server at run time.  This is
not the 'make' of the software itself, but again, a 'make' 
invoked at run time, as a consequence of how systemtap works.

For the original issue, we secured only the first link
(stap-server -> stap) to avoid unintentional eval's.  However,
this second link (stap -> make) also exists, and make is all
too happy to eval just about anything, so we need to sanitize
its inputs too.

So yes, it is another instance of the original issue.

Comment 25 Vincent Danen 2010-02-05 16:44:15 UTC
I've assigned CVE-2010-0412 for the "incomplete fix of CVE-2009-4273".  For reference, we do not need to refer to CVE-2010-0412 in our advisories since we have not updated systemtap with the incomplete fix.

Comment 27 Frank Ch. Eigler 2010-02-12 18:26:16 UTC
The tentative additional fixes for this problem are here:


Comment 28 Vincent Danen 2010-02-25 18:28:10 UTC
CVE-2010-0412 has been assigned for the "incomplete fix of CVE-2009-4273".  MITRE unfortunately classified it differently:

stap-server in SystemTap 1.1 does not properly restrict the value of
the -B (aka BUILD) option, which allows attackers to have an
unspecified impact via vectors associated with executing the make
program, a different vulnerability than CVE-2009-4273.

They picked this up from Fedora commits which, unfortunately, did not indicate that this isn't a new issue, but that the fix for CVE-2009-4273 was incomplete.
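An added example (not systemtap's own code) of the kind of input restriction comments 22 and 28 point at: a POSIX shell allow-list check on client-supplied NAME=VALUE arguments such as -B/BUILD before a compile server hands them to make. The permitted variable name, the value character set and the sample arguments are constructed assumptions for this example.

```shell
# Added example, not systemtap's own code: allow-list validation of client-supplied
# NAME=VALUE arguments (such as -B/BUILD) before a compile server hands them to make.

# Return 0 if "$1" is an acceptable assignment, 1 otherwise.
safe_make_assignment() {
    case "$1" in
        *=*) ;;                 # must contain an '='
        *) return 1 ;;
    esac
    name=${1%%=*}               # text before the first '='
    value=${1#*=}               # text after the first '='
    # NAME: only variables the server expects (constructed allow-list). SHELL,
    # MAKEFLAGS, MAKEFILES are absent: they change make's behaviour whatever the value.
    case "$name" in
        BUILD) ;;
        *) return 1 ;;
    esac
    # VALUE: non-empty, path-like characters only. Anything a shell or make would
    # interpret ($ ` ; | & < > ( ) quotes, whitespace, another '=') is refused.
    case "$value" in
        ''|*[!A-Za-z0-9_./+-]*) return 1 ;;
    esac
    # No parent-directory components in a build path.
    case "/$value/" in
        */../*) return 1 ;;
    esac
    return 0
}

# Echo the accepted assignments, report the rest on stderr;
# the return value is the number of rejected arguments.
filter_make_assignments() {
    rejected=0
    for arg in "$@"; do
        if safe_make_assignment "$arg"; then
            printf '%s\n' "$arg"
        else
            printf 'rejected: %s\n' "$arg" >&2
            rejected=$((rejected + 1))
        fi
    done
    return "$rejected"
}
# Constructed sample arguments, as a client might supply them.
if filter_make_assignments 'BUILD=/var/lib/stap-server/build' \
        'BUILD=/tmp/x; id' 'BUILD=$(id)' 'BUILD=../../tmp' 'SHELL=/bin/sh'; then
    echo 'all arguments accepted'
else
    echo "rejected $? argument(s)"
fi
```

Only the first sample argument passes; the others are refused for metacharacters, a parent-directory component, or a variable name outside the allow-list.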

Comment 29 errata-xmlrpc 2010-03-01 19:02:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0124 https://rhn.redhat.com/errata/RHSA-2010-0124.html
