libuser vulnerabilities (CVE-2015-3245 and CVE-2015-3246)
Red Hat Product Security has been made aware of two security vulnerabilities in the userhelper utility (part of the usermode package) and the libuser library. Authenticated, local users with shell access could use one of these vulnerabilities to achieve local privilege escalation to the root user. These flaws have been assigned CVE-2015-3245 and CVE-2015-3246. The second vulnerability has been rated as having an Important impact. Red Hat would like to thank Qualys for reporting these issues.
Background Information
The libuser library implements a standardized interface for manipulating and administering user and group accounts. The userhelper program, which is included in the usermode package, provides a basic non-interactive interface for changing a user's password, the GECOS field, and shell.
Impact
See the following two sections for descriptions of the two related vulnerabilities.
Race condition in password file update (CVE-2015-3246, Important)
A flaw was found in the way the libuser library handled the /etc/passwd file. Even though traditional programs like passwd, chfn, and chsh work on a temporary copy of /etc/passwd and eventually use the rename() function to rename the temporary copy, libuser modified /etc/passwd directly. Unfortunately, if anything went wrong during these modifications, libuser may have left /etc/passwd in an inconsistent state.
This behavior could result in a local denial-of-service attack, or authenticated local users could use this vulnerability to escalate their privileges to the root user.
See the table below for links to security advisories that address this issue.
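The safe update pattern the advisory contrasts with libuser's direct modification, shown as an added example (this is not libuser or Red Hat code): the new contents go to a temporary file created in the same directory, are flushed to disk, and are then moved over the original with rename(). Because rename() replaces the directory entry in one step, any reader sees either the complete old file or the complete new one, never a partially written one, and an error before the rename leaves the original untouched. The /tmp path and the two sample passwd records used by the self-check are constructed for the example.

```c
/* Added example (not libuser code): replace a passwd-style file atomically.
 * Path and sample records are assumptions made for the demonstration. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Write `len` bytes of `data` to `path` via a temporary file and rename().
 * Returns 0 on success, -1 on error (errno set); on error `path` is unchanged. */
int atomic_replace(const char *path, const char *data, size_t len, mode_t mode)
{
    char tmp[4096];
    if (snprintf(tmp, sizeof tmp, "%s.XXXXXX", path) >= (int)sizeof tmp) {
        errno = ENAMETOOLONG;
        return -1;
    }
    int fd = mkstemp(tmp);            /* created 0600 with O_EXCL, same directory as path */
    if (fd < 0)
        return -1;

    size_t off = 0;
    while (off < len) {               /* write() may be short; loop until everything is out */
        ssize_t n = write(fd, data + off, len - off);
        if (n < 0) {
            if (errno == EINTR) continue;
            goto fail;
        }
        off += (size_t)n;
    }
    /* Data must be durable and the final mode set before the file becomes visible. */
    if (fsync(fd) < 0 || fchmod(fd, mode) < 0)
        goto fail;
    if (close(fd) < 0) { fd = -1; goto fail; }
    fd = -1;
    /* rename() is atomic within a filesystem: the old file is swapped out in one step. */
    if (rename(tmp, path) < 0)
        goto fail;
    return 0;

fail:
    {
        int saved = errno;
        if (fd >= 0) close(fd);
        unlink(tmp);                  /* never leave the temporary copy behind */
        errno = saved;
        return -1;
    }
}

/* Read up to cap-1 bytes of `path` into buf (NUL-terminated). Returns the byte count or -1. */
ssize_t read_all(const char *path, char *buf, size_t cap)
{
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, cap - 1, f);
    fclose(f);
    buf[n] = '\0';
    return (ssize_t)n;
}

/* Self-check: two successive atomic updates leave exactly the second content
 * on disk. Returns 1 on success, 0 on any failure. Records are constructed. */
int roundtrip_ok(const char *path)
{
    const char *v1 = "root:x:0:0:root:/root:/bin/bash\n";
    const char *v2 = "root:x:0:0:root:/root:/bin/bash\n"
                     "alice:x:1000:1000:Alice Example:/home/alice:/bin/bash\n";
    char buf[512];
    if (atomic_replace(path, v1, strlen(v1), 0644) != 0) return 0;
    if (atomic_replace(path, v2, strlen(v2), 0644) != 0) return 0;
    if (read_all(path, buf, sizeof buf) < 0 || strcmp(buf, v2) != 0) return 0;
    unlink(path);
    return 1;
}

int main(void)
{
    int ok = roundtrip_ok("/tmp/atomic_replace_demo");
    printf("atomic replace round trip: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

The temporary file is created next to the target rather than in /tmp so that rename() stays within one filesystem; a cross-filesystem rename would fail with EXDEV and could not be atomic.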
Lack of validation of GECOS field contents (CVE-2015-3245, Moderate)
It was found that the chfn function of the userhelper utility did not properly filter out newline characters. The chfn function implemented by the userhelper utility verified that the fields it was given on the command line were valid (that is, contained no forbidden characters). Unfortunately, the set of forbidden characters (colon, comma, and equals sign) did not include the \n (newline) character, which allowed local attackers to inject newline characters into the /etc/passwd file and alter this file in unexpected ways.
A local attacker could use this flaw to corrupt the /etc/passwd file, which could result in a denial-of-service attack on the system.
Note: This issue, while initially attributed to the usermode package, is being fixed with an update to libuser because libuser had to be changed to address the CVE-2015-3246 vulnerability anyway.
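The field check described above, as an added example that is not usermode or libuser code: the weak validator mirrors the behaviour the advisory describes (only colon, comma and equals sign are rejected, so a newline passes), and the strict validator also rejects newline and every other control character. The third function builds the passwd record for a constructed user and counts how many lines it occupies, which makes the consequence visible: a well-formed record is exactly one line, and a GECOS value that the weak check accepts can turn it into two. The user name, UID and paths are assumptions made for the example.

```c
/* Added example (not usermode/libuser code): weak versus strict GECOS field
 * validation, and a record builder that shows why the newline matters.
 * The sample user "alice" and its UID/paths are constructed for the example. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Rejects only the historically forbidden characters; '\n' slips through. */
int gecos_ok_weak(const char *s)
{
    return strpbrk(s, ":,=") == NULL;
}

/* Rejects the same characters plus every control character (0x00-0x1F and
 * 0x7F), so neither a newline nor a carriage return can reach the file. */
int gecos_ok_strict(const char *s)
{
    for (const unsigned char *p = (const unsigned char *)s; *p; p++) {
        if (*p == ':' || *p == ',' || *p == '=' || iscntrl(*p))
            return 0;
    }
    return 1;
}

/* Builds the passwd record for `user` with the given GECOS value into `out`
 * and returns how many newline-terminated lines it contains. A correct record
 * is exactly one line; any other count means the field broke the file format.
 * Returns -1 if the record does not fit in `out`. */
int passwd_record_lines(char *out, size_t cap, const char *user, const char *gecos)
{
    int n = snprintf(out, cap, "%s:x:1000:1000:%s:/home/%s:/bin/bash\n", user, gecos, user);
    if (n < 0 || (size_t)n >= cap)
        return -1;
    int lines = 0;
    for (const char *p = out; *p; p++)
        if (*p == '\n') lines++;
    return lines;
}

/* Convenience wrapper: line count of the record for the constructed user "alice". */
int record_lines_for(const char *gecos)
{
    char buf[512];
    return passwd_record_lines(buf, sizeof buf, "alice", gecos);
}

int main(void)
{
    /* Constructed inputs: a normal full name, and one carrying an embedded newline. */
    const char *inputs[] = { "Alice Example", "Alice\nbogus" };
    for (size_t i = 0; i < 2; i++)
        printf("input %zu: weak=%d strict=%d record_lines=%d\n", i,
               gecos_ok_weak(inputs[i]), gecos_ok_strict(inputs[i]),
               record_lines_for(inputs[i]));
    return 0;
}
```

Rejecting the whole control-character range rather than adding '\n' alone to the list is the durable fix: the file format is line- and colon-delimited, so any character that can act as a record or field separator, or that terminals render invisibly, has no place in the field.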
Security Advisories
All versions of the libuser library included with Red Hat Enterprise Linux 6 and 7 are affected by these flaws. See the table below for links to the respective security advisories that fix this issue:
| Product | Advisory |
|---|---|
| Red Hat Enterprise Linux 6 | RHSA-2015:1482 |
| Red Hat Enterprise Linux 7 | RHSA-2015:1483 |
This issue also affects Red Hat Enterprise Linux 5, which is now in Production 3 Phase of the support and maintenance life cycle. Therefore, the issue is not currently planned to be addressed in future updates on Red Hat Enterprise Linux 5. For additional information, refer to the Red Hat Enterprise Linux Life Cycle.
Atomic Host & Containers
All Red Hat released official container images include a vulnerable version of the libuser library. Concerned users can use these containers' built-in yum functionality to update to fixed versions (see 'Resolution' below). This resolves the vulnerability. Updated builds of these containers reflecting these updates will be released soon.
Atomic Host includes a vulnerable version of the libuser library. It is possible to update any containers hosted by Atomic to fixed versions of these packages using their built-in yum functionality. It is not possible to exploit Atomic host from within a container using these issues. The next cumulative update will include fixes for Atomic Host.
Cloud Images and Appliances
All Red Hat released official cloud and appliance images include a vulnerable version of the libuser library. Concerned users can use these images' built-in yum functionality to update to fixed versions (see 'Resolution' below). This resolves the vulnerability. Updated respins of these images reflecting these updates will be released soon.
Amazon Web Services
Red Hat Enterprise Linux Amazon Machine Instances include a vulnerable version of the libuser library. It is possible to update any systems to fixed versions of these packages using their built-in yum functionality (see 'Resolution' below).
RHEV-H images
The Red Hat Enterprise Virtualization Hypervisor appliance images include a vulnerable version of the libuser library. These images should only be used to host virtual machines and should not have untrusted local users.
It is not possible to attack RHEV-H hosts from within a virtual machine by exploiting these issues. A future update of the RHEV-H image will address this vulnerability.
Resolution
To eliminate the possibility of exploitation, install the updated libuser packages that have been made available through the advisories listed in the above table.
To install the updates, use the yum package manager as follows:
yum update
To only update the libuser package and its dependencies, use:
yum update libuser
Mitigation
Due to the way libuser works, only users who have accounts already listed in /etc/passwd can exploit these vulnerabilities, and the user needs to supply the account password as part of the attack. These requirements mean that exploitation by accounts listed only in LDAP (or some other NSS data source), or by system accounts without a valid password, is not possible.
On systems where updating libuser is not possible, system administrators can add pam_warn and pam_deny rules to the two files, /etc/pam.d/chfn and /etc/pam.d/chsh, to prevent non-root users from using the vulnerable services. With these edits, the files should contain:
#%PAM-1.0
auth sufficient pam_rootok.so
auth required pam_warn.so
auth required pam_deny.so
auth include system-auth
account include system-auth
password include system-auth
session include system-auth
Afterwards, attempts by unprivileged users to use chfn and chsh (and the respective functionality in the userhelper program) will fail, and will be logged (by default in /var/log/secure).
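A check for the mitigation above, added here as an example that is not part of the advisory: it parses a pam.d service file and confirms that an "auth required pam_warn.so" rule is followed by an "auth required pam_deny.so" rule, and that both sit ahead of any "auth include system-auth" line. Ordering is the point: pam_rootok.so as "sufficient" lets root through first, pam_warn.so must precede pam_deny.so so the refused attempt is logged, and a deny placed after the include would come too late to stop a user that system-auth has already accepted. The self-check writes three constructed files under /tmp (the advisory's locked-down stack, a stock stack, and the rules placed after the include) and the /tmp file names are assumptions.

```c
/* Added example (not from the advisory): verify that a pam.d service file such
 * as /etc/pam.d/chfn or /etc/pam.d/chsh carries the pam_warn/pam_deny lockdown
 * in the right order. Sample files and /tmp paths below are constructed. */
#include <stdio.h>
#include <string.h>

/* Returns 1 if the auth stack in `path` is locked down as described, 0 if it
 * is not, and -1 if the file cannot be read. */
int pam_lockdown_ok(const char *path)
{
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    char line[512];
    int lineno = 0, warn = 0, deny = 0, inc = 0;
    while (fgets(line, sizeof line, f)) {
        lineno++;
        char type[32], ctrl[32], mod[128];
        /* sscanf pulls the first three whitespace-separated fields; skip comments and blanks. */
        if (sscanf(line, " %31s %31s %127s", type, ctrl, mod) != 3 || type[0] == '#')
            continue;
        if (strcmp(type, "auth") != 0) continue;          /* only the auth stack matters here */
        if (!warn && !strcmp(ctrl, "required") && !strcmp(mod, "pam_warn.so")) warn = lineno;
        if (!deny && !strcmp(ctrl, "required") && !strcmp(mod, "pam_deny.so")) deny = lineno;
        if (!inc  && !strcmp(ctrl, "include")  && !strcmp(mod, "system-auth")) inc  = lineno;
    }
    fclose(f);
    if (!warn || !deny) return 0;          /* one of the two rules is missing */
    if (warn > deny) return 0;             /* warn must come first so the attempt is logged */
    if (inc && inc < deny) return 0;       /* a deny after the include is too late */
    return 1;
}

/* Writes `content` to `path`; returns 0 on success. Used only by the self-check. */
static int write_file(const char *path, const char *content)
{
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(content, f);
    return fclose(f);
}

/* Self-check against constructed files: the advisory's stack passes, a stock
 * stack fails, rules placed after the include fail, a missing file is -1. */
int selfcheck(void)
{
    const char *good  = "#%PAM-1.0\nauth sufficient pam_rootok.so\nauth required pam_warn.so\n"
                        "auth required pam_deny.so\nauth include system-auth\n"
                        "account include system-auth\n";
    const char *stock = "#%PAM-1.0\nauth sufficient pam_rootok.so\nauth include system-auth\n";
    const char *late  = "#%PAM-1.0\nauth sufficient pam_rootok.so\nauth include system-auth\n"
                        "auth required pam_warn.so\nauth required pam_deny.so\n";
    if (write_file("/tmp/pam_chfn_good", good) || write_file("/tmp/pam_chfn_stock", stock) ||
        write_file("/tmp/pam_chfn_late", late))
        return 0;
    int ok = pam_lockdown_ok("/tmp/pam_chfn_good") == 1 &&
             pam_lockdown_ok("/tmp/pam_chfn_stock") == 0 &&
             pam_lockdown_ok("/tmp/pam_chfn_late") == 0 &&
             pam_lockdown_ok("/tmp/pam_chfn_missing_xyz") == -1;
    remove("/tmp/pam_chfn_good");
    remove("/tmp/pam_chfn_stock");
    remove("/tmp/pam_chfn_late");
    return ok;
}

int main(void)
{
    int ok = selfcheck();
    printf("pam lockdown check: %s\n", ok ? "behaves as expected" : "FAILED");
    return ok ? 0 : 1;
}
```

On a mitigated system, calling pam_lockdown_ok() on /etc/pam.d/chfn and /etc/pam.d/chsh should return 1 for both; a 0 on either file means the mitigation is incomplete or mis-ordered and unprivileged users can still reach the vulnerable code path.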