First published: Thu Jun 30 2011
Marco Slaviero reported a flaw in the use of Python's pickle module in system-config-firewall that could allow local users to elevate their privileges to those of the root user. The pickle module is used to format messages between the system-config-firewall GUI and the system-config-firewall-mechanism.py privileged backend (which runs as root). The frontend and backend use D-Bus to communicate with each other, and pickle is known to permit the execution of arbitrary Python code, so an untrusted user can send the backend pickle shellcode that is executed in a privileged context.

The flaw depends on a number of non-standard configurable items being set:

1) SELinux must be disabled (with SELinux enabled, certain actions can be executed as root, but they are extremely limited)
2) The user must be local, and using a GUI

Acknowledgements: Red Hat would like to thank Marco Slaviero of SensePost for reporting this issue.
Affected Software | Affected Version | How to fix |
---|---|---|
Red Hat system-config-firewall | | |
The severity of REDHAT-BUG-717985 is critical due to the potential for local users to escalate privileges to root.
To fix REDHAT-BUG-717985, update system-config-firewall to the latest version that addresses the vulnerability.
Local users of the Red Hat system-config-firewall are affected by REDHAT-BUG-717985.
The potential impact of REDHAT-BUG-717985 includes unauthorized privilege escalation to the root user.
REDHAT-BUG-717985 was reported on March 31, 2011.
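
The description above traces the flaw to a root backend unpickling messages from an unprivileged sender. The following is an added example, not system-config-firewall's code or Red Hat's fix: it shows two defensive options for such a receiver, an unpickler that refuses every global lookup and a JSON decoder with schema validation. The message fields (`service`, `port`, `enabled`) and all function names are hypothetical, and the sample messages are constructed.

```python
import io
import json
import pickle

# Hypothetical message schema; the real backend's fields are not given on this page.
SCHEMA = {"service": str, "port": int, "enabled": bool}


class DataOnlyUnpickler(pickle.Unpickler):
    """Refuses every global lookup, so only plain containers, strings,
    numbers and booleans can be reconstructed from the stream."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def loads_data_only(blob: bytes):
    return DataOnlyUnpickler(io.BytesIO(blob)).load()


def is_rejected(blob: bytes) -> bool:
    """True if the restricted unpickler refuses the stream."""
    try:
        loads_data_only(blob)
    except pickle.UnpicklingError:
        return True
    return False


def decode_request(text: str) -> dict:
    """Stronger option: a data-only wire format plus strict validation."""
    msg = json.loads(text)
    if not isinstance(msg, dict) or set(msg) != set(SCHEMA):
        raise ValueError("unexpected message shape")
    for key, typ in SCHEMA.items():
        if type(msg[key]) is not typ:  # exact type, so True is not accepted as an int
            raise ValueError(f"bad type for {key}")
    return msg


# Constructed samples. WITH_GLOBAL is harmless, but it carries a reference to a
# callable (builtins.len), which is the stream feature a privileged receiver must refuse.
PLAIN = pickle.dumps({"service": "ssh", "port": 22, "enabled": True})
WITH_GLOBAL = pickle.dumps(len)

if __name__ == "__main__":
    print(loads_data_only(PLAIN))
    print(is_rejected(WITH_GLOBAL))
    print(decode_request('{"service": "ssh", "port": 22, "enabled": true}'))
```

Validation of the decoded message still matters with either option, because a well-formed message can request an action the caller is not authorized to perform.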