It was found that the bcfg2 configuration management server did not properly escape shell command data, provided by a remote bcfg2 client, prior to its execution, when the SSHbase plug-in was enabled. A remote attacker, able to control the client bcfg2 machine, could use this flaw to escalate their privileges (execute arbitrary code with the privileges of the user running the bcfg2 server).

References:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=640028
[2] http://www.openwall.com/lists/oss-security/2011/09/01/1 (CVE request)
[3] http://www.openwall.com/lists/oss-security/2011/09/06/1 (CVE assignment)

Upstream patches:
[4] https://github.com/solj/bcfg2/commit/f4a35efec1b6a1e54d61cf1b8bfc83dd1d89eef7
[5] https://github.com/solj/bcfg2/commit/46795ae451ca6ede55a0edeb726978aef4684b53
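
The class of flaw described in the report above, shown beside two ways to close it, as an added example that is not part of the original report and is not bcfg2 code. The function names, the sample value, and the choice of a hostname passed to an ssh-keygen command are assumptions; the report does not say which client-supplied field was involved.

```python
import re
import shlex
import subprocess

# Constructed sample of hostile client-supplied data; the payload is a harmless echo.
HOSTILE = "web01.example.com$(echo INJECTED)"

_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(r"%s(?:\.%s)*" % (_LABEL, _LABEL))


def is_valid_hostname(name):
    """Allow-list check: dot-separated LDH labels, at most 253 characters."""
    return len(name) <= 253 and _HOSTNAME_RE.fullmatch(name) is not None


def _run(cmd, shell):
    done = subprocess.run(cmd, shell=shell, capture_output=True, text=True, check=True)
    return done.stdout.strip()


def shell_unescaped(value):
    """Flawed pattern: the shell parses the client data as part of the command."""
    return _run("echo client=%s" % value, shell=True)


def shell_quoted(value):
    """Mitigation 1: shlex.quote() turns the data into one literal shell word."""
    return _run("echo client=%s" % shlex.quote(value), shell=True)


def argv_no_shell(value):
    """Mitigation 2: no shell at all; the data is a single argv element."""
    return _run(["echo", "client=%s" % value], shell=False)


def keygen_argv(hostname, keyfile):
    """Hypothetical server-side helper: validate first, then build an argv list."""
    if not is_valid_hostname(hostname):
        raise ValueError("rejected client-supplied hostname: %r" % hostname)
    return ["ssh-keygen", "-q", "-t", "rsa", "-N", "", "-f", keyfile,
            "-C", "root@%s" % hostname]


if __name__ == "__main__":
    print(shell_unescaped(HOSTILE))   # substitution ran inside the shell
    print(shell_quoted(HOSTILE))      # printed literally
    print(argv_no_shell(HOSTILE))     # printed literally
```

Validation and argv-style execution are complementary: the allow-list rejects malformed names early, and avoiding the shell means a value that slips past validation is still treated as data.
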
This issue affects the versions of the bcfg2 package, as shipped with Fedora releases 14 and 15. Please schedule an update.

This issue affects the versions of the bcfg2 package, as present within EPEL-5 and EPEL-6 repositories. Please schedule an update.

--

For the bcfg2 package version, as present within the EPEL-4 repository, it is not definitely clear if this version is affected (the relevant code is slightly different in that version, so if affected, the aforementioned upstream patches [4], [5] would need to be backported to the older 0.9.6 version, present in EPEL-4).

Jeffrey, for EPEL-4 could you please have a look && confirm if the EPEL-4 bcfg2 version is affected by this issue or not? And if affected, could you schedule an update / rebase for the EPEL-4 version too?

Thanks, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
Created bcfg2 tracking bugs for this issue
Affects: fedora-all [bug 736281]
Created bcfg2 tracking bugs for this issue
Affects: epel-all [bug 736282]
*** Bug 735237 has been marked as a duplicate of this bug. ***
bcfg2-1.1.3-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
bcfg2-1.1.3-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.