Bug 1977090 (CVE-2021-25321) - CVE-2021-25321 arpwatch: Local privilege escalation from runtime user to root
Summary: CVE-2021-25321 arpwatch: Local privilege escalation from runtime user to root
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2021-25321
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1977091
Blocks: 1977092
Reported: 2021-06-28 21:20 UTC by Pedro Sampaio
Modified: 2021-06-29 20:50 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-06-29 16:16:26 UTC
Embargoed:



Description Pedro Sampaio 2021-06-28 21:20:56 UTC
/var/lib/arpwatch is packaged as root:root. Once arpwatch was run as an unprivileged user, the ownership is changed to the unprivileged user:

$ arpwatch -u johannes -d
$ ls -lad /var/lib/arpwatch
drwxr-xr-x 2 johannes users 4096 May 19 13:18 /var/lib/arpwatch

arpwatch-2.1a11-drop-privs.dif adds a "dropprivileges" function that does this:
+               if ( chown ( arpfile, pw->pw_uid, pw->pw_gid) != 0 ||
+                       chown ( arpfiledir, pw->pw_uid, pw->pw_gid) != 0  ) {
+                       syslog(LOG_ERR, "Fatal: could not chown %s and %s to %d,%d).",
+                               arpfiledir,arpfile, pw->pw_uid, pw->pw_gid);
+                       exit(1);
+               }
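Review bot: chown() follows symlinks, and after the first run pw owns arpfiledir, so the runtime user can replace arpfile with a symlink (or, where fs.protected_hardlinks is off, a hard link) to an arbitrary file and have root hand that file over on the next start; either use lchown(), or open the path with O_NOFOLLOW and fchown() the descriptor after fstat() confirms a regular file with st_nlink == 1, or better, set the ownership at package install time and drop the runtime chown entirely. Minor: the syslog format says "could not chown %s and %s" but passes arpfiledir, arpfile while the condition checks arpfile first, the message carries a stray ")", and it does not report errno (add %m).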

which allows the user specified to escalate to root the next time arpwatch is started.

As user:
# id
uid=1000(johannes) gid=100(users) groups=100(users)
# pwd
/var/lib/arpwatch
# rm arp.dat
# ln -s /etc/shadow arp.dat

Start arpwatch again; after that /etc/shadow is owned by johannes:
-rw-r----- 1 johannes users 1.3K May 17 17:08 /etc/shadow

References:

https://bugzilla.suse.com/show_bug.cgi?id=1186240

Comment 1 Pedro Sampaio 2021-06-28 21:21:17 UTC
Created arpwatch tracking bugs for this issue:

Affects: fedora-all [bug 1977091]

Comment 2 Ben Beasley 2021-06-29 01:35:19 UTC
Hi, I’m the maintainer of the arpwatch package in Fedora.

This vulnerability report appears to refer to a problem in the SUSE downstream packaging. Nothing in the vulnerability description is true about the arpwatch package in any active Fedora branch, or about the arpwatch upstream.

> /var/lib/arpwatch is packaged as root:root

In Fedora, this directory is packaged as arpwatch:arpwatch, the unprivileged user and group.

> Once arpwatch was run with a unprivileged user the ownership is changed to the unprivileged user
> […]
> arpwatch-2.1a11-drop-privs.dif adds a "dropprivileges" function that does this
> +               if ( chown ( arpfile, pw->pw_uid, pw->pw_gid) != 0 ||

This refers to a SUSE downstream patch not shared by Fedora. Fedora does also patch in a similarly-named function, but it only drops privileges. There are no calls to *chmod() or *chgrp() anywhere in arpwatch as packaged by Fedora, either before or after downstream patches are applied.

----

From a Fedora perspective, this issue should be closed as NOTABUG. I don’t appear to have permission to change the bug status, so I am setting NEEDINFO for the reporter.

Comment 3 Pedro Sampaio 2021-06-29 16:16:26 UTC
(In reply to Ben Beasley from comment #2)
> Hi, I’m the maintainer of the arpwatch package in Fedora.
> 
> This vulnerability report appears to refer to a problem in the SUSE
> downstream packaging. Nothing in the vulnerability description is true about
> the arpwatch package in any active Fedora branch, or about the arpwatch
> upstream.
> 
> > /var/lib/arpwatch is packaged as root:root
> 
> In Fedora, this directory is packaged as arpwatch:arpwatch, the unprivileged
> user and group.
> 
> > Once arpwatch was run with a unprivileged user the ownership is changed to the unprivileged user
> > […]
> > arpwatch-2.1a11-drop-privs.dif adds a "dropprivileges" function that does this
> > +               if ( chown ( arpfile, pw->pw_uid, pw->pw_gid) != 0 ||
> 
> This refers to a SUSE downstream patch not shared by Fedora. Fedora does
> also patch in a similarly-named function, but it only drops privileges.
> There are no calls to *chmod() or *chgrp() anywhere in arpwatch as packaged
> by Fedora, either before or after downstream patches are applied.
> 
> ----
> 
> From a Fedora perspective, this issue should be closed as NOTABUG. I don’t
> appear to have permission to change the bug status, so I am setting NEEDINFO
> for the reporter.

Thank you for the feedback. Closing this as NOTABUG.

Comment 4 Tomas Hoger 2021-06-29 20:50:28 UTC
The reported flaw exists in a patch that adds support for the -u option, which causes arpwatch to drop privileges to the specified (non-root) user after opening network sockets.  The aim of this option is to allow running arpwatch as a non-root user and reduce the impact of a potential compromise.  While this privilege dropping patch has been included in Red Hat Enterprise Linux / Fedora arpwatch packages for at least 15 years (it was included when the arpwatch package was first split off from the tcpdump package in 2006), it's never been applied upstream.  The patch as used in Red Hat Enterprise Linux / Fedora arpwatch packages is:

https://src.fedoraproject.org/rpms/arpwatch/blob/f34/f/arpwatch-change-user.patch

The arpwatch packages in SUSE include a similar patch, with additional functionality to change ownership of the /var/lib/arpwatch directory and the /var/lib/arpwatch/arp.dat file to be owned by the user specified via the -u option.  That is the functionality causing this CVE and it allows the non-privileged user to escalate privileges to root.  The SUSE patch is:

https://build.opensuse.org/package/view_file/openSUSE:Leap:15.1:Update/arpwatch/arpwatch-2.1a11-drop-privs.dif?expand=1

The Red Hat Enterprise Linux / Fedora arpwatch packages avoid the need to chown the arpwatch directory and the data file via default permissions: /var/lib/arpwatch in Red Hat Enterprise Linux 7 and later has mode 1775 and owner root:arpwatch, and in Red Hat Enterprise Linux 6 it has mode 755 and owner arpwatch:arpwatch.  The init script and systemd unit file for the arpwatch service specify the '-u arpwatch' option by default.

As arpwatch is not installed as setuid root, this flaw is not really usable for local privilege escalation.  It would rather provide a way for a remote attacker able to compromise arpwatch via some other flaw to gain root privileges and not only the arpwatch user privileges.  The attack would require multiple steps:

- compromise the arpwatch service running as user arpwatch
- prepare symlinks that would cause ownership change of an attacker-chosen file
- force or wait for the arpwatch service restart to have file ownership changed
- modify target file and gain privileges

As noted above, this issue only exists in the SUSE version of the privilege dropping patch, the arpwatch packages in Red Hat Enterprise Linux and Fedora were not affected by this issue.
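The attack chain described above hinges on one detail: chown() on a path follows symlinks, and once the runtime user owns the data directory it controls what those paths resolve to. The following is an added example written for this page, not code from SUSE, Fedora or upstream arpwatch, showing how a runtime ownership change can be done without that hole: open the object with O_NOFOLLOW, check what was actually opened, and fchown() the descriptor. The function names chown_file_nofollow, chown_dir_nofollow and demo_symlink_refused, and the scratch directory under /tmp standing in for /var/lib/arpwatch, are assumptions of the example. The demo chowns to the caller's own uid/gid so it can be run unprivileged.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical hardened replacement for the two chown() calls in the
 * SUSE dropprivileges patch.  Checks run on the already-open descriptor,
 * so there is no window between check and chown.  A regular file with a
 * second hard link is refused too: that is the hard-link analogue of the
 * symlink attack.  Returns 0 on success, -1 with errno set on failure. */
static int chown_fd_checked(int fd, int want_dir, uid_t uid, gid_t gid)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return -1;
    if (want_dir ? !S_ISDIR(st.st_mode)
                 : (!S_ISREG(st.st_mode) || st.st_nlink != 1)) {
        errno = EPERM;
        return -1;
    }
    return fchown(fd, uid, gid);
}

int chown_file_nofollow(const char *path, uid_t uid, gid_t gid)
{
    /* O_NOFOLLOW makes open() fail with ELOOP if path is a symlink */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    int rc = chown_fd_checked(fd, 0, uid, gid);
    int saved = errno;
    close(fd);
    errno = saved;
    return rc;
}

int chown_dir_nofollow(const char *path, uid_t uid, gid_t gid)
{
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    int rc = chown_fd_checked(fd, 1, uid, gid);
    int saved = errno;
    close(fd);
    errno = saved;
    return rc;
}

/* Constructed reproduction of the report's scenario in a scratch
 * directory (assumption: /tmp is writable): a real arp.dat next to a
 * symlink pointing at /etc/shadow, the file the report targeted.
 * Returns 1 if the hardened calls accept the real file and the directory
 * but refuse the symlink, 0 if they do not, -1 on setup failure. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/arpwatch-demo-XXXXXX";
    char real[4096], link[4096];
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(real, sizeof real, "%s/arp.dat", dir);
    snprintf(link, sizeof link, "%s/arp.dat.planted", dir);

    int fd = open(real, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0) {
        rmdir(dir);
        return -1;
    }
    close(fd);
    if (symlink("/etc/shadow", link) != 0) {
        unlink(real);
        rmdir(dir);
        return -1;
    }

    uid_t uid = getuid();   /* chown to our own uid/gid needs no root */
    gid_t gid = getgid();
    int real_ok      = chown_file_nofollow(real, uid, gid) == 0;
    int link_refused = chown_file_nofollow(link, uid, gid) != 0 && errno == ELOOP;
    int dir_ok       = chown_dir_nofollow(dir, uid, gid) == 0;

    unlink(link);
    unlink(real);
    rmdir(dir);
    return real_ok && link_refused && dir_ok;
}

int main(void)
{
    int r = demo_symlink_refused();
    printf("hardened chown refuses planted symlink: %s\n",
           r == 1 ? "yes" : r == 0 ? "NO" : "setup error");
    return r == 1 ? 0 : 1;
}
```

Build with `cc -o arpwatch-chown-demo arpwatch-chown-demo.c` and run it as an ordinary user. Note that this only closes the symlink and hard-link paths; handing the directory itself to the runtime user still lets a compromised daemon plant whatever it likes there, which is why the Fedora approach of fixing ownership at package install time and never chowning at runtime is the cleaner fix.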

