First published: Tue Jun 10 2014
Kurt Seifried of Red Hat Product Security reports:

========================================
./lib/util/MiqSshUtilV1.rb

```ruby
def shell_exec(cmd, doneStr=nil, shell=@shell)
  if shell
    # Writing to a temp remote script to handle cases where the cmd string is
    # too long and is truncated.
    temp_remote_script = "/var/tmp/miq-#{Time.now.to_i}.sh"
    self.exec("echo \"#{cmd}\" > #{temp_remote_script}")
    self.exec("chmod 700 #{temp_remote_script}")
    out = shell.send_command(temp_remote_script)
    self.exec("rm -f #{temp_remote_script}")
    @status = out.status
    msg = out.stdout
    # Check if the first output return references the remote script and remove it.
    msgs = msg.split("\n")
    msg = msgs[1..-1].join("\n") if msgs[0].include?(temp_remote_script)
    raise "#{msg}" unless doneStr.nil? || msg.include?(doneStr)
    return msg
  else
    return self.exec(cmd, doneStr)
  end
end
```

========================================
./lib/util/MiqSshUtilV2.rb

```ruby
def temp_cmd_file(cmd)
  temp_remote_script = "/var/tmp/miq-#{Time.now.to_i}.sh"
  self.exec("echo \"#{cmd}\" > #{temp_remote_script}")
  remote_cmd = "chmod 700 #{temp_remote_script}; #{temp_remote_script}; rm -f #{temp_remote_script}"
  yield(remote_cmd)
end
```

========================================

Time.now.to_i = 1412123123. Set up a file and a few hundred/thousand symlinks and you can cover an hour easily. Between the

```ruby
self.exec("echo \"#{cmd}\" > #{temp_remote_script}")
self.exec("chmod 700 #{temp_remote_script}")
```

an attacker can replace the file, which is then executed as root. It should use Ruby Tempfile: http://kurt.seifried.org/2012/03/14/creating-temporary-files-securely/
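The following is an added illustration, not code from the report or from CloudForms: it contrasts the predictable, symlink-following creation pattern quoted above with two safer alternatives, `Tempfile.create` (random name, `O_EXCL`, mode 0600) as the report recommends, and an exclusive `O_NOFOLLOW` open for code that must keep a fixed path. The function names and the local directory are assumptions; the original code ran on a remote host over SSH, so a remote equivalent would need the same properties there.

```ruby
require "tempfile"
require "tmpdir"

# Vulnerable pattern from the report: the name is the current epoch second,
# and a truncating open follows whatever already sits at that path, exactly
# as `echo "..." > path` does in a shell.
def predictable_script_path(now = Time.now)
  "/var/tmp/miq-#{now.to_i}.sh"
end

def write_script_insecure(path, cmd)
  File.open(path, "w") { |f| f.puts(cmd) }   # follows a pre-placed symlink
  File.chmod(0700, path)                      # race window sits between these
  path
end

# Hardened: Tempfile.create picks an unpredictable name and opens it with
# O_CREAT|O_EXCL and mode 0600, so a name planted in advance makes the open
# fail instead of being followed. Without a block the file is not auto-deleted,
# matching the original flow where the script is removed after execution.
def write_script_secure(cmd, dir = Dir.tmpdir)
  f = Tempfile.create(["miq-", ".sh"], dir)
  f.puts(cmd)
  f.close
  File.chmod(0700, f.path)
  f.path
end

# For a caller-chosen path: O_EXCL refuses if anything already exists there
# (a dangling symlink included) and O_NOFOLLOW refuses to traverse a symlink
# as the final component, so the open raises rather than clobbering a target.
def write_script_exclusive(path, cmd)
  flags = File::WRONLY | File::CREAT | File::EXCL | File::NOFOLLOW
  File.open(path, flags, 0700) { |f| f.puts(cmd) }
  path
end
```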
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Redhat Cloudforms 3.0 Management Engine | <=5.2.4 | |
| Redhat Cloudforms 3.0 Management Engine | =5.2 | |
| Redhat Cloudforms 3.0 Management Engine | =5.2.1 | |
| Redhat Cloudforms 3.0 Management Engine | =5.2.1.6 | |
| Redhat Cloudforms 3.0 Management Engine | =5.2.2 | |
| Redhat Cloudforms 3.0 Management Engine | =5.2.3 | |
| Redhat Cloudforms 3.0 Management Engine | =5.2.3.2 | |