A privilege escalation flaw was found in Amanda 3.5.1 that can take the backup user to root privileges. The vulnerable component is the runtar SUID binary, which is just a wrapper that runs /usr/bin/tar with specific arguments that are controllable by the attacker. The program does not correctly check the args passed to the tar binary (it assumes that all args are of the form --ARG VALUE, but we can provide --ARG=VALUE as one argument).

https://github.com/MaherAzzouzi/CVE-2022-37705
https://github.com/zmanda/amanda/issues/192
https://marc.info/?l=amanda-hackers&m=167437716918603&w=2
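To illustrate the argument-checking mistake described above, here is an added toy argv filter for a setuid tar wrapper (written for this thread, not runtar's own code; the allowlist and option names are hypothetical). The flawed version assumes every option is spelled "--OPT VALUE" and skips the next token as the value, so "--OPT=VALUE" lets the following token through unchecked; the fixed version compares the option name up to '=' and never skips a token when the value was given inline.

```c
/* Added illustration, not runtar's code: a toy allowlist filter for a
 * setuid wrapper around tar.  Hypothetical allowlist; takes_value = 1
 * means the option's value is expected in the next argv slot. */
#include <stdbool.h>
#include <string.h>

static const struct { const char *name; int takes_value; } allowed[] = {
    { "--create", 0 }, { "--verbose", 0 }, { "--file", 1 }, { "--directory", 1 },
};
#define NALLOWED (sizeof allowed / sizeof allowed[0])

/* Flawed: prefix match, so "--file=x" matches "--file" and the NEXT argv
 * token is skipped as if it were the value, i.e. it is never checked. */
bool accept_flawed(int argc, char *const argv[]) {
    int skip = 0;
    for (int i = 1; i < argc; i++) {
        if (skip) { skip = 0; continue; }
        bool ok = false;
        for (size_t k = 0; k < NALLOWED; k++)
            if (strncmp(argv[i], allowed[k].name, strlen(allowed[k].name)) == 0) {
                ok = true; skip = allowed[k].takes_value; break;
            }
        if (!ok) return false;
    }
    return true;
}

/* Fixed: compare the option name exactly (the text before any '='); an
 * inline value never causes the next token to be skipped, and an inline
 * value on an option that takes none is rejected outright. */
bool accept_fixed(int argc, char *const argv[]) {
    int skip = 0;
    for (int i = 1; i < argc; i++) {
        if (skip) { skip = 0; continue; }
        const char *eq = strchr(argv[i], '=');
        size_t len = eq ? (size_t)(eq - argv[i]) : strlen(argv[i]);
        bool ok = false;
        for (size_t k = 0; k < NALLOWED; k++) {
            if (strlen(allowed[k].name) != len ||
                strncmp(argv[i], allowed[k].name, len) != 0) continue;
            if (eq && !allowed[k].takes_value) return false;
            ok = true; skip = eq ? 0 : allowed[k].takes_value; break;
        }
        if (!ok) return false;
    }
    return true;
}
```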
Created amanda tracking bugs for this issue:
Affects: fedora-all [bug 2168797]
/usr/lib64/amanda/runtar is not executable by users, and so Fedora is not vulnerable to this unless for some reason the user is in group disk. In which case they can just write to all of the disks in the system directly.
(In reply to Jason Tibbitts from comment #3)
> /usr/lib64/amanda/runtar is not executable by users, and so Fedora is not
> vulnerable to this unless for some reason the user is in group disk. In
> which case they can just write to all of the disks in the system directly.

This is a pertinent observation, and applies to RHEL as well. OTOH, obtaining a shell makes an exploit much easier. Also, maybe one could somehow trick amandad into passing wrong arguments to runtar itself, which would make the bug exploitable even without gaining access to the disk group. (runtar is executed from sendsize and sendbackup.)
Upstream PR & commit:
https://github.com/zmanda/amanda/pull/196
https://github.com/zmanda/amanda/commit/497410c7555376795f324e5bd2cbed7742219099
In reply to comment #3:
> /usr/lib64/amanda/runtar is not executable by users, and so Fedora is not
> vulnerable to this unless for some reason the user is in group disk. In
> which case they can just write to all of the disks in the system directly.

To back this up:

el8 ~ $ dnf install amanda-client
el8 ~ $ ls -l /usr/lib64/amanda/runtar
-rwsr-x---. 1 root disk 17208 Aug 12 2018 /usr/lib64/amanda/runtar