/var/lib/arpwatch is packaged as root:root. Once arpwatch was run with an unprivileged user the ownership is changed to the unprivileged user:

$ arpwatch -u johannes -d
$ ls -lad /var/lib/arpwatch
drwxr-xr-x 2 johannes users 4096 May 19 13:18 /var/lib/arpwatch

arpwatch-2.1a11-drop-privs.dif adds a "dropprivileges" function that does this:

+ if ( chown ( arpfile, pw->pw_uid, pw->pw_gid) != 0 ||
+ chown ( arpfiledir, pw->pw_uid, pw->pw_gid) != 0 ) {
+ syslog(LOG_ERR, "Fatal: could not chown %s and %s to %d,%d).",
+ arpfiledir,arpfile, pw->pw_uid, pw->pw_gid);
+ exit(1);
+ }

which allows the user specified to escalate to root the next time arpwatch is started.

As user:

# id
uid=1000(johannes) gid=100(users) groups=100(users)
# pwd
/var/lib/arpwatch
# rm arp.dat
# ln -s /etc/shadow arp.dat

Start arpwatch again; after that /etc/shadow is owned by johannes:

-rw-r----- 1 johannes users 1.3K May 17 17:08 /etc/shadow

References:
https://bugzilla.suse.com/show_bug.cgi?id=1186240
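Review bot: the chown() calls on arpfile and arpfiledir run as root on paths inside a directory the target user will own afterwards, and chown() follows symbolic links, so a link planted at arp.dat redirects the ownership change to an arbitrary file; either drop the chown entirely and ship the directory with the right owner from the package (as the Fedora packaging does), or open the path with O_NOFOLLOW, check with fstat() that it is a regular file, and call fchown() on the descriptor. Separately, the syslog() arguments are passed as arpfiledir, arpfile while the chown() calls are ordered arpfile, arpfiledir, and the format string has a stray ")" after "%d,%d".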
Created arpwatch tracking bugs for this issue: Affects: fedora-all [bug 1977091]
Hi, I’m the maintainer of the arpwatch package in Fedora.

This vulnerability report appears to refer to a problem in the SUSE downstream packaging. Nothing in the vulnerability description is true about the arpwatch package in any active Fedora branch, or about the arpwatch upstream.

> /var/lib/arpwatch is packaged as root:root

In Fedora, this directory is packaged as arpwatch:arpwatch, the unprivileged user and group.

> Once arpwatch was run with a unprivileged user the ownership is changed to the unprivileged user
> […]
> arpwatch-2.1a11-drop-privs.dif adds a "dropprivileges" function that does this
> + if ( chown ( arpfile, pw->pw_uid, pw->pw_gid) != 0 ||

This refers to a SUSE downstream patch not shared by Fedora. Fedora does also patch in a similarly-named function, but it only drops privileges. There are no calls to *chmod() or *chgrp() anywhere in arpwatch as packaged by Fedora, either before or after downstream patches are applied.

----

From a Fedora perspective, this issue should be closed as NOTABUG. I don’t appear to have permission to change the bug status, so I am setting NEEDINFO for the reporter.
(In reply to Ben Beasley from comment #2)
> Hi, I’m the maintainer of the arpwatch package in Fedora.
>
> This vulnerability report appears to refer to a problem in the SUSE
> downstream packaging. Nothing in the vulnerability description is true about
> the arpwatch package in any active Fedora branch, or about the arpwatch
> upstream.
>
> > /var/lib/arpwatch is packaged as root:root
>
> In Fedora, this directory is packaged as arpwatch:arpwatch, the unprivileged
> user and group.
>
> > Once arpwatch was run with a unprivileged user the ownership is changed to the unprivileged user
> > […]
> > arpwatch-2.1a11-drop-privs.dif adds a "dropprivileges" function that does this
> > + if ( chown ( arpfile, pw->pw_uid, pw->pw_gid) != 0 ||
>
> This refers to a SUSE downstream patch not shared by Fedora. Fedora does
> also patch in a similarly-named function, but it only drops privileges.
> There are no calls to *chmod() or *chgrp() anywhere in arpwatch as packaged
> by Fedora, either before or after downstream patches are applied.
>
> ----
>
> From a Fedora perspective, this issue should be closed as NOTABUG. I don’t
> appear to have permission to change the bug status, so I am setting NEEDINFO
> for the reporter.

Thank you for the feedback. Closing this as NOTABUG.
The reported flaw exists in a patch that adds support for the -u option, which causes arpwatch to drop privileges to the specified (non-root) user after opening network sockets. The aim of this option is to allow running arpwatch as a non-root user and reduce the impact of a potential compromise.

While this privilege dropping patch has been included in Red Hat Enterprise Linux / Fedora arpwatch packages for at least 15 years (it was included when the arpwatch package was first split off from the tcpdump package in 2006), it's never been applied upstream. The patch as used in Red Hat Enterprise Linux / Fedora arpwatch packages is:

https://src.fedoraproject.org/rpms/arpwatch/blob/f34/f/arpwatch-change-user.patch

The arpwatch packages in SUSE include a similar patch, with additional functionality to change ownership of the /var/lib/arpwatch directory and the /var/lib/arpwatch/arp.dat file to be owned by the user specified via the -u option. That is the functionality causing this CVE and allows the non-privileged user to escalate privileges to root. The SUSE patch is:

https://build.opensuse.org/package/view_file/openSUSE:Leap:15.1:Update/arpwatch/arpwatch-2.1a11-drop-privs.dif?expand=1

The Red Hat Enterprise Linux / Fedora arpwatch packages avoid the need to chown the arpwatch directory and the data file via default permissions - /var/lib/arpwatch in Red Hat Enterprise Linux 7 and later has mode 1775 and owner root:arpwatch, and in Red Hat Enterprise Linux 6 it has mode 755 and owner arpwatch:arpwatch. The init script and systemd unit file for the arpwatch service specify the '-u arpwatch' option by default.

As arpwatch is not installed as setuid root, this flaw is not really usable for local privilege escalation. It would rather provide a way for a remote attacker able to compromise arpwatch via some other flaw to gain root privileges and not only the arpwatch user privileges.

The attack would require multiple steps:

- compromise the arpwatch service running as user arpwatch
- prepare symlinks that would cause ownership change of an attacker-chosen file
- force or wait for the arpwatch service restart to have file ownership changed
- modify target file and gain privileges

As noted above, this issue only exists in the SUSE version of the privilege dropping patch; the arpwatch packages in Red Hat Enterprise Linux and Fedora were not affected by this issue.