Bug 1705340 (CVE-2019-10143) - CVE-2019-10143 freeradius: privilege escalation due to insecure logrotate configuration
Summary: CVE-2019-10143 freeradius: privilege escalation due to insecure logrotate con...
Status: NEW
Alias: CVE-2019-10143
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20190501,repor...
Keywords: Security
Depends On: 1705343 1719368 1719369
Blocks: 1705341
TreeView+ depends on / blocked
 
Reported: 2019-05-02 06:06 UTC by Marian Rehak
Modified: 2019-06-11 15:33 UTC (History)
8 users (show)

(edit)
It was discovered freeradius does not correctly configure logrotate, allowing a local attacker who already has control of the radiusd user to escalate his privileges to root, by tricking logrotate into writing a radiusd-writable file to a directory normally inaccessible by the radiusd user.
Clone Of:
(edit)
Last Closed:


Attachments (Terms of Use)

Description Marian Rehak 2019-05-02 06:06:39 UTC
A reverse-shell facilitating situation due to insecure logrotate configuration leading to privilege escalation.

Comment 1 Marian Rehak 2019-05-02 06:14:12 UTC
Created freeradius tracking bugs for this issue:

Affects: fedora-all [bug 1705343]

Comment 3 Riccardo Schirone 2019-05-23 14:30:39 UTC
It is possible for the radiusd user to abuse logrotate to write files in directories normally writable only by root (or other users). freeradius uses logrotate to rotate its logs, but if the radiusd user replaces its log directory with a link to another directory, he could writes file in directories where he normally could not write, possibly leading to code execution as root.

Given the attack can be performed only from the radiusd user, Privilege Required(PR) in CVSSv3 is set to High(H).
Moreover, if SELinux is enabled it restricts the set of directories the attacker can writes to.

Comment 5 Riccardo Schirone 2019-05-23 15:14:27 UTC
Upstream patch:
https://github.com/FreeRADIUS/freeradius-server/pull/2666

Comment 7 Riccardo Schirone 2019-05-28 16:21:21 UTC
Mitigation:

Add `su radiusd:radiusd` to all log sections in /etc/logrotate.d/radiusd.

By keeping SELinux in "Enforcing" mode, radiusd user will be limited in the directories he can write to.

Comment 8 Riccardo Schirone 2019-06-04 07:51:54 UTC
Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=1705143

Comment 9 Riccardo Schirone 2019-06-11 15:26:32 UTC
Red Hat Enterprise Linux 5, 6, 7, and 8 are all affected as the logrotate configuration does not use `su radiusd:radiusd` to copy files as the radiusd user.

Comment 11 Riccardo Schirone 2019-06-11 15:32:41 UTC
This flaw requires an attacker to already have control of the radiusd server to perform the attack. However, an attacker who was able to execute code as the radiusd user (e.g. by exploiting a code execution flaw in the radius server) can run the attack and elevate his privileges to root.


Note You need to log in before you can comment on or make changes to this bug.