ABRT vulnerabilities CVE-2015-1862 and CVE-2015-3315

A number of issues were disclosed on 14 April 2015 that affect ABRT, including CVE-2015-1862 and CVE-2015-3315. CVE-2015-1862 does not affect the versions of ABRT shipped in any Red Hat product; further information can be found in Bug 1211223. The flaws grouped under CVE-2015-3315 are described in Bug 1211835 and affect Red Hat Enterprise Linux 6 and 7.

Background Information

A flaw was found in the way certain ABRT core handlers processed crash reports in a namespaced environment. A local, unprivileged user could use this flaw to escalate their privileges on the system. This issue has a CVE ID of CVE-2015-1862 and does not affect versions of ABRT shipped in Red Hat products.

A number of race conditions related to the use of symbolic links and the setting of permissions on created files were found in the way ABRT deals with log files and information consumed from the proc filesystem. These issues have been grouped in CVE-2015-3315, and a public exploit exists that allows local privilege escalation to root on default Red Hat Enterprise Linux 7 installations.

Impact

ABRT (Automatic Bug-Reporting Tool) is a non-essential system service that increases serviceability by automatically collecting information about crashes in userspace processes and optionally reporting them to Red Hat. It is included and enabled by default in some Red Hat products.

Red Hat Enterprise Linux 4 and Red Hat Enterprise Linux 5

Red Hat Enterprise Linux 4 and 5 do not include ABRT, and as such they are not vulnerable to these issues.

Red Hat Enterprise Linux 6

The abrt package in Red Hat Enterprise Linux 6 is vulnerable to some of the issues but only allows privilege escalation from the local system user "abrt", so this flaw is considered to have a Moderate impact. The local system user "abrt" is not used for interactive login sessions and is shipped as a disabled user by default.

Red Hat Enterprise Linux 7

The abrt package in Red Hat Enterprise Linux 7 is vulnerable to some of the issues and allows local privilege escalation to root. This issue is rated Important and an update is in progress.

Resolution

An update is in progress for Red Hat Enterprise Linux 7. To eliminate the possibility of exploitation, install an updated ABRT package on your system as soon as it is available.

An update for Red Hat Enterprise Linux 6 is not a priority at the moment, as the issue is considered to only have a Moderate impact on that version.

Mitigation Steps

ABRT is not an essential system service, and corefile collection can be safely disabled by the administrator until the updates are deployed. The commands below stop and disable the service until it is next enabled and started explicitly by the administrator.

Red Hat Enterprise Linux 6:

# service abrt-ccpp stop
# service abrtd stop
# chkconfig abrt-ccpp off
# chkconfig abrtd off

Red Hat Enterprise Linux 7:

# systemctl stop abrt-ccpp
# systemctl stop abrtd
# systemctl disable abrt-ccpp
# systemctl disable abrtd

On Red Hat Enterprise Linux 7, it is also recommended to uninstall the abrt-dbus package with this command:

# yum remove abrt-dbus
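After applying the steps above, an administrator will want to confirm that the mitigation is actually in effect on each host. The script below is an added example, not part of the Red Hat article: it checks that abrtd and abrt-ccpp are no longer running, that the kernel core_pattern no longer pipes core dumps into the ABRT hook (abrt-ccpp normally installs a pattern containing /usr/libexec/abrt-hook-ccpp; that string is an assumption about the default configuration), and on RHEL 7 that abrt-dbus has been removed.

```shell
#!/bin/sh
# Added example (not from the Red Hat article): verify that the ABRT
# mitigation is in place. The core-check logic takes its inputs as
# arguments so it can be exercised against captured values offline.

# abrt_hook_active PATTERN -> 0 if PATTERN (the contents of
# /proc/sys/kernel/core_pattern) still hands core dumps to ABRT.
# Assumes the hook path abrt-ccpp installs is /usr/libexec/abrt-hook-ccpp.
abrt_hook_active() {
    case "$1" in
        *abrt-hook-ccpp*) return 0 ;;
        *) return 1 ;;
    esac
}

# mitigation_status CORE_PATTERN ABRTD_STATE CCPP_STATE
# Prints "mitigated" and returns 0 when nothing ABRT-related is live;
# otherwise prints what is still enabled and returns 1.
mitigation_status() {
    pattern=$1; abrtd=$2; ccpp=$3
    problems=""
    abrt_hook_active "$pattern" && problems="$problems core_pattern-still-uses-abrt-hook"
    [ "$abrtd" = "active" ] && problems="$problems abrtd-running"
    [ "$ccpp" = "active" ] && problems="$problems abrt-ccpp-running"
    if [ -z "$problems" ]; then
        echo "mitigated"
        return 0
    fi
    echo "NOT mitigated:$problems"
    return 1
}

# live_check: gather the real values from this host (RHEL 7 uses systemctl,
# RHEL 6 falls back to "service ... status") and report.
live_check() {
    pattern=$(cat /proc/sys/kernel/core_pattern 2>/dev/null)
    if command -v systemctl >/dev/null 2>&1; then
        abrtd=$(systemctl is-active abrtd 2>/dev/null)
        ccpp=$(systemctl is-active abrt-ccpp 2>/dev/null)
    else
        service abrtd status >/dev/null 2>&1 && abrtd=active || abrtd=inactive
        service abrt-ccpp status >/dev/null 2>&1 && ccpp=active || ccpp=inactive
    fi
    # abrt-dbus is only expected to be present on RHEL 7; flag it if still installed.
    rpm -q abrt-dbus >/dev/null 2>&1 && echo "note: abrt-dbus still installed (yum remove abrt-dbus)"
    mitigation_status "$pattern" "$abrtd" "$ccpp"
}

live_check
```

Run it as root after the stop/disable commands; a non-zero exit status or any line other than "mitigated" means a piece of the mitigation is still outstanding.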

Additional Information

Public disclosure on the OSS Security mailing list
