Bug 729465 - (CVE-2011-1831, CVE-2011-1832, CVE-2011-1834, CVE-2011-1835, CVE-2011-1837) CVE-2011-1831 CVE-2011-1832 CVE-2011-1834 CVE-2011-1835 CVE-2011-1837 ecryptfs: multiple flaws to mount/umount arbitrary locations and possibly disclose confidential information
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
Priority: medium, Severity: medium
Assigned To: Red Hat Product Security
public=20110809,reported=20110801,sou...
: Security
Depends On: 729470 729471 729472 729473 729474
Blocks: 729476
Reported: 2011-08-09 16:15 EDT by Vincent Danen
Modified: 2015-11-24 09:40 EST
Doc Type: Bug Fix
Last Closed: 2012-08-03 04:30:35 EDT


Attachments
patch to correct CVE-2011-1831, CVE-2011-1832, and CVE-2011-1834 (4.89 KB, patch)
2011-08-09 16:23 EDT, Vincent Danen
patch to correct CVE-2011-1833 (875 bytes, patch)
2011-08-09 16:23 EDT, Vincent Danen
patch to correct CVE-2011-1835 (976 bytes, patch)
2011-08-09 16:24 EDT, Vincent Danen
patch to correct CVE-2011-1836 (1.09 KB, patch)
2011-08-09 16:24 EDT, Vincent Danen
patch to correct CVE-2011-1837 (1.47 KB, patch)
2011-08-09 16:25 EDT, Vincent Danen
patch to correct the flaws in RHEL6 (ecryptfs-utils-82) (9.71 KB, patch)
2011-08-09 17:40 EDT, Vincent Danen

Description Vincent Danen 2011-08-09 16:15:24 EDT
A number of flaws were reported [1] in eCryptfs that could allow a user to mount or unmount arbitrary locations, and possibly disclose confidential information:

Vasiliy Kulikov of Openwall and Dan Rosenberg discovered that eCryptfs incorrectly validated permissions on the requested mountpoint. A local attacker could use this flaw to mount to arbitrary locations, leading to privilege escalation. (CVE-2011-1831)

Vasiliy Kulikov of Openwall and Dan Rosenberg discovered that eCryptfs incorrectly validated permissions on the requested mountpoint. A local attacker could use this flaw to unmount arbitrary locations, leading to a denial of service. (CVE-2011-1832)

Vasiliy Kulikov of Openwall and Dan Rosenberg discovered that eCryptfs incorrectly validated permissions on the requested source directory. A local attacker could use this flaw to mount an arbitrary directory, possibly leading to information disclosure. Note that this flaw also requires a fix in the kernel to be complete. (CVE-2011-1833)

Dan Rosenberg and Marc Deslauriers discovered that eCryptfs incorrectly handled modifications to the mtab file when an error occurs. A local attacker could use this flaw to corrupt the mtab file, and possibly unmount arbitrary locations, leading to a denial of service. (CVE-2011-1834)

Marc Deslauriers discovered that eCryptfs incorrectly handled keys when setting up an encrypted private directory. A local attacker could use this flaw to manipulate keys during creation of a new user. (CVE-2011-1835)

Marc Deslauriers discovered that eCryptfs incorrectly handled permissions during recovery. A local attacker could use this flaw to possibly access another user's data during the recovery process. (CVE-2011-1836)

Vasiliy Kulikov of Openwall discovered that eCryptfs incorrectly handled lock counters. A local attacker could use this flaw to possibly overwrite arbitrary files. (CVE-2011-1837)

[1] https://launchpad.net/bugs/732628
Comment 1 Vincent Danen 2011-08-09 16:23:15 EDT
Created attachment 517480 [details]
patch to correct CVE-2011-1831, CVE-2011-1832, and CVE-2011-1834
Comment 2 Vincent Danen 2011-08-09 16:23:50 EDT
Created attachment 517481 [details]
patch to correct CVE-2011-1833
Comment 3 Vincent Danen 2011-08-09 16:24:09 EDT
Created attachment 517482 [details]
patch to correct CVE-2011-1835
Comment 4 Vincent Danen 2011-08-09 16:24:28 EDT
Created attachment 517483 [details]
patch to correct CVE-2011-1836
Comment 5 Vincent Danen 2011-08-09 16:25:20 EDT
Created attachment 517484 [details]
patch to correct CVE-2011-1837

These five patches came from Ubuntu: https://launchpad.net/ubuntu/+source/ecryptfs-utils/89-0ubuntu2
Comment 7 Vincent Danen 2011-08-09 16:26:53 EDT
Created ecryptfs-utils tracking bugs for this issue

Affects: fedora-all [bug 729474]
Comment 8 Vincent Danen 2011-08-09 17:03:22 EDT
CVE-2011-1836 only affects Fedora; ecryptfs-recover-private does not exist in ecryptfs-utils-82 (which is what is shipped with Red Hat Enterprise Linux 6).
Comment 9 Vincent Danen 2011-08-09 17:40:28 EDT
Created attachment 517492 [details]
patch to correct the flaws in RHEL6 (ecryptfs-utils-82)

The other individual patches are suitable for Fedora; this patch is extracted from https://launchpad.net/ubuntu/+source/ecryptfs-utils/83-0ubuntu3.2.10.04.1 and is suitable for RHEL6. It needs some tweaking on RHEL5 (fuzz and one rejected hunk).
Comment 20 Vincent Danen 2011-08-10 14:00:29 EDT
Upstream kernel commit to fully fix CVE-2011-1833:

http://git.kernel.org/?p=linux/kernel/git/ecryptfs/ecryptfs-2.6.git;a=commit;h=764355487ea220fdc2faf128d577d7f679b91f97
Comment 21 Tomas Hoger 2011-08-16 08:12:03 EDT
CVE-2011-1836 was moved to separate bug #730964, as it only affects recent ecryptfs-utils versions in Fedora.
Comment 25 Vincent Danen 2011-08-19 12:17:25 EDT
Acknowledgements CVE-2011-1831,CVE-2011-1832:

Red Hat would like to thank the Ubuntu Security Team for reporting these issues. The Ubuntu Security Team acknowledges Vasiliy Kulikov of Openwall and Dan Rosenberg as the original reporters.

Acknowledgements CVE-2011-1834:

Red Hat would like to thank the Ubuntu Security Team for reporting this issue. The Ubuntu Security Team acknowledges Dan Rosenberg and Marc Deslauriers as the original reporters.

Acknowledgements CVE-2011-1835:

Red Hat would like to thank the Ubuntu Security Team for reporting this issue. The Ubuntu Security Team acknowledges Marc Deslauriers as the original reporter.

Acknowledgements CVE-2011-1837:

Red Hat would like to thank the Ubuntu Security Team for reporting this issue. The Ubuntu Security Team acknowledges Vasiliy Kulikov of Openwall as the original reporter.
Comment 30 errata-xmlrpc 2011-08-31 15:41:03 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2011:1241 https://rhn.redhat.com/errata/RHSA-2011-1241.html
