Bug 1362545 (CVE-2016-5425) - CVE-2016-5425 tomcat: Local privilege escalation via systemd-tmpfiles service
Summary: CVE-2016-5425 tomcat: Local privilege escalation via systemd-tmpfiles service
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-5425
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1362567 1362568 1383210
Blocks: 1362547
TreeView+ depends on / blocked
 
Reported: 2016-08-02 13:16 UTC by Adam Mariš
Modified: 2021-02-17 03:28 UTC (History)
69 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
It was discovered that the Tomcat packages installed configuration file /usr/lib/tmpfiles.d/tomcat.conf writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges.
Clone Of:
Environment:
Last Closed: 2016-10-10 20:44:16 UTC

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:2046 0 normal SHIPPED_LIVE Important: tomcat security update 2016-10-11 00:38:43 UTC

Description Adam Mariš 2016-08-02 13:16:44 UTC 
It was reported that Tomcat packages in Red Hat Enterprise Linux 7 are vulnerable to local privilege escalation from tomcat group user to root. Tomcat configuration file located at /usr/lib/tmpfiles.d/tomcat.conf can be modified by any user belonging to tomcat group. This file is used by /usr/bin/systemd-tmpfiles service to create temporary files.

As the systemd-tmpfiles service runs with root permissions, this enables the tomcat user to gain root privileges by editing the /usr/lib/tmpfiles.d/tomcat.conf file to contain a line which will cause the systemd-tmpfiles to create files within arbitrary system directory and arbitrary permissions.

External Reference:

http://legalhackers.com/advisories/Tomcat-RedHat-based-Root-Privilege-Escalation-Exploit.txt
Comment 1 Adam Mariš 2016-08-02 13:17:37 UTC 
Acknowledgments:

Name: Dawid Golunski (http://legalhackers.com)
Comment 9 Adam Mariš 2016-10-10 08:14:44 UTC 
Created tomcat tracking bugs for this issue:

Affects: fedora-all [bug 1383210]
Comment 10 Adam Mariš 2016-10-10 08:15:40 UTC 
Public via:

http://seclists.org/oss-sec/2016/q4/78
Comment 11 Steven Haigh 2016-10-10 09:19:53 UTC 
Out of interest, would SELinux policy prevent the tomcat user from writing to this file anyway?
Comment 12 Michal Schmidt 2016-10-10 09:38:56 UTC 
I'm afraid it won't. Query the SELinux policy:

$ sesearch --allow -s tomcat_t -t lib_t -c file -p write
Found 1 semantic av rules:
   allow files_unconfined_type file_type : file { [...] write [...] } ;

It appears tomcat_t has the files_unconfined_type attribute, which means the SELinux policy puts very little restrictions on it.
Comment 13 errata-xmlrpc 2016-10-10 20:41:21 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2046 https://rhn.redhat.com/errata/RHSA-2016-2046.html
Note You need to log in before you can comment on or make changes to this bug.