libuser vulnerabilities (CVE-2015-3245 and CVE-2015-3246)

Red Hat Product Security has been made aware of two security vulnerabilities in the userhelper utility (part of the usermode package) and the libuser library. Authenticated local users with shell access could use one of these vulnerabilities to escalate their privileges to root. These flaws have been assigned CVE-2015-3245 and CVE-2015-3246. The second vulnerability (CVE-2015-3246) has been rated as having Important impact; the first (CVE-2015-3245) has been rated Moderate. Red Hat would like to thank Qualys for reporting these issues.

Background Information

The libuser library implements a standardized interface for manipulating and administering user and group accounts. The userhelper program, which is included in the usermode package, provides a basic non-interactive interface for changing a user's password, the GECOS field, and shell.

Impact

See the following two sections for descriptions of the two related vulnerabilities.

Race condition in password file update (CVE-2015-3246, Important)

A flaw was found in the way the libuser library handled the /etc/passwd file. Unlike traditional programs such as passwd, chfn, and chsh, which write their changes to a temporary copy of /etc/passwd and then use rename() to swap that copy into place in a single atomic step, libuser modified /etc/passwd in place. If anything went wrong in the middle of such a modification, libuser could leave /etc/passwd in an inconsistent state.

This behavior could result in a local denial-of-service attack, or authenticated local users could use this vulnerability to escalate their privileges to the root user.
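The safe pattern the paragraph above contrasts libuser with, and the in-place failure mode it describes, as an added example in C (not libuser or Red Hat code): atomic_replace() writes a temporary file beside the target, fsyncs it and rename()s it over the original, so a reader sees either the whole old file or the whole new file; inplace_replace_failing() truncates and writes the target in place and then deliberately stops partway, standing in for the crash or I/O error the paragraph refers to. The function names, the scratch directory under /tmp and the sample passwd lines are all assumptions of this example, and it never touches the real /etc/passwd.

```c
#define _XOPEN_SOURCE 700   /* mkstemp, mkdtemp, fsync, fchmod */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Write all of buf[0..len) to fd, retrying on short writes and EINTR. */
static int write_all(int fd, const char *buf, size_t len)
{
    while (len > 0) {
        ssize_t n = write(fd, buf, len);
        if (n < 0 && errno == EINTR) continue;
        if (n < 0) return -1;
        buf += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Replace the file at `path` with `data` atomically: a reader sees either the
 * old complete file or the new complete file, never a half-written one, and if
 * any step fails the original is left untouched. The temp file is created next
 * to the target because rename() cannot cross filesystems, and the target's
 * mode is copied so a 0644 /etc/passwd stays 0644. Returns 0 or -1 (errno set). */
int atomic_replace(const char *path, const char *data, size_t len)
{
    char tmp[4096];
    if (snprintf(tmp, sizeof tmp, "%s.XXXXXX", path) >= (int)sizeof tmp) {
        errno = ENAMETOOLONG;
        return -1;
    }
    int fd = mkstemp(tmp);                 /* unique name, created 0600 */
    if (fd < 0) return -1;
    struct stat st;
    mode_t mode = 0644;                    /* used only if `path` is new */
    if (stat(path, &st) == 0)
        mode = st.st_mode & 07777;
    int ok = fchmod(fd, mode) == 0
          && write_all(fd, data, len) == 0
          && fsync(fd) == 0;               /* data durable before the rename */
    if (close(fd) != 0) ok = 0;
    if (ok && rename(tmp, path) != 0) ok = 0;   /* the single atomic step */
    if (!ok) {
        int saved = errno;
        unlink(tmp);                       /* never leave the temp file behind */
        errno = saved;
        return -1;
    }
    return 0;
}

/* The in-place pattern the text attributes to libuser, with a deliberate
 * failure after `fail_after` bytes (as if the process died or hit an I/O error
 * mid-write). Always returns -1 and leaves `path` truncated: the inconsistent
 * state the advisory describes. */
int inplace_replace_failing(const char *path, const char *data, size_t len,
                            size_t fail_after)
{
    int fd = open(path, O_WRONLY | O_TRUNC);
    if (fd < 0) return -1;
    int rc = write_all(fd, data, fail_after < len ? fail_after : len);
    close(fd);
    if (rc == 0) errno = EIO;              /* simulated failure */
    return -1;
}

/* Read up to `cap` bytes of `path` into buf; returns the byte count or -1. */
ssize_t read_file(const char *path, char *buf, size_t cap)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t total = 0, n = 0;
    while ((size_t)total < cap && (n = read(fd, buf + total, cap - (size_t)total)) > 0)
        total += n;
    close(fd);
    return n < 0 ? -1 : total;
}

int main(void)
{
    /* Constructed demo in a scratch directory, never the real /etc/passwd. */
    char dir[] = "/tmp/passwd_demo_XXXXXX", path[4200], buf[4096];
    if (!mkdtemp(dir)) { perror("mkdtemp"); return 1; }
    snprintf(path, sizeof path, "%s/passwd", dir);
    const char *v1 = "root:x:0:0:root:/root:/bin/bash\n";
    const char *v2 = "root:x:0:0:root:/root:/bin/bash\ndemo:x:1000:1000::/home/demo:/bin/bash\n";
    atomic_replace(path, v1, strlen(v1));
    atomic_replace(path, v2, strlen(v2));
    printf("after atomic replace: %zd bytes\n", read_file(path, buf, sizeof buf));
    inplace_replace_failing(path, v1, strlen(v1), 10);
    printf("after failed in-place write: %zd bytes\n", read_file(path, buf, sizeof buf));
    unlink(path); rmdir(dir);
    return 0;
}
```

The rename() step is what makes the difference: the kernel replaces the directory entry as a unit, so a concurrent login or a crash between the two states can never observe a half-written /etc/passwd, and a failure before the rename leaves the original file exactly as it was.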

See the table below for links to security advisories that address this issue.

Lack of validation of GECOS field contents (CVE-2015-3245, Moderate)

It was found that the chfn function of the userhelper utility did not properly filter out newline characters. The chfn function verified that the fields it was given on the command line were valid (that is, contained no forbidden characters), but the forbidden set (':', ',', and '=') did not include the '\n' character. A local attacker could therefore inject newline characters into the /etc/passwd file and alter it in unexpected ways.

A local attacker could use this flaw to corrupt the /etc/passwd file, which could result in a denial-of-service attack on the system.
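To see why the exact character set mattered, an added example in C (not usermode or libuser code): gecos_field_ok_vulnerable() is modelled on the check the text describes and rejects only ':', ',' and '=', while gecos_field_ok_hardened() also rejects every ASCII control character, which covers '\n' and '\r'; passwd_lines_for_gecos() shows that a value carrying a newline turns one /etc/passwd record into two lines. The function names, the hypothetical user "demo" and the sample inputs are assumptions of this example. Note that because ':' is still filtered, the injected second line cannot be a well-formed passwd entry, which matches the denial-of-service impact stated above rather than privilege escalation.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Check modelled on what the text says userhelper's chfn did: reject only
 * ':' ',' '='. A newline passes. (Added example, not usermode code.) */
bool gecos_field_ok_vulnerable(const char *field)
{
    return strpbrk(field, ":,=") == NULL;
}

/* Hardened check: reject the same separators plus every ASCII control
 * character (0x00-0x1f and 0x7f), which covers '\n' and '\r'. A field value
 * then can never end the current /etc/passwd record or start a new line.
 * Bytes >= 0x80 (UTF-8 names) are accepted; iscntrl() is false for them in
 * the C locale. */
bool gecos_field_ok_hardened(const char *field)
{
    for (const unsigned char *p = (const unsigned char *)field; *p; p++) {
        if (*p == ':' || *p == ',' || *p == '=' || iscntrl(*p))
            return false;
    }
    return true;
}

/* How many lines the /etc/passwd entry for a hypothetical user "demo" would
 * occupy once this GECOS value is written into it. Anything other than 1
 * means the value injected a record boundary. Returns -1 if it does not fit. */
int passwd_lines_for_gecos(const char *gecos)
{
    char entry[512];
    int n = snprintf(entry, sizeof entry,
                     "demo:x:1000:1000:%s:/home/demo:/bin/bash\n", gecos);
    if (n < 0 || (size_t)n >= sizeof entry)
        return -1;
    int lines = 0;
    for (const char *p = entry; *p; p++)
        if (*p == '\n')
            lines++;
    return lines;
}

int main(void)
{
    /* Constructed inputs: a normal full name and one carrying a newline. */
    const char *inputs[] = { "Jane Doe", "Jane Doe\nnot a valid passwd line" };
    for (size_t i = 0; i < 2; i++) {
        printf("vulnerable=%d hardened=%d lines=%d\n",
               (int)gecos_field_ok_vulnerable(inputs[i]),
               (int)gecos_field_ok_hardened(inputs[i]),
               passwd_lines_for_gecos(inputs[i]));
    }
    return 0;
}
```

The general rule the hardened check applies is to reject by class (anything that is a separator or a control character) rather than by enumerating a few bad bytes, so a field written into a line-and-colon delimited file can never carry either delimiter.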

Note: This issue, while initially attributed to the usermode package, is being fixed with an update to libuser because libuser had to be changed to address the CVE-2015-3246 vulnerability anyway.

Security Advisories

All versions of the libuser library included with Red Hat Enterprise Linux 6 and 7 are affected by these flaws. See the table below for links to respective security advisories that fix this issue:

Product                       Advisory
Red Hat Enterprise Linux 6    RHSA-2015:1482
Red Hat Enterprise Linux 7    RHSA-2015:1483

This issue also affects Red Hat Enterprise Linux 5, which is now in Production 3 Phase of the support and maintenance life cycle. Therefore, the issue is not currently planned to be addressed in future updates on Red Hat Enterprise Linux 5. For additional information, refer to the Red Hat Enterprise Linux Life Cycle.

Atomic Host & Containers

All Red Hat released official container images include a vulnerable version of the libuser library. Concerned users can use these containers' built-in yum functionality to update to fixed versions (see 'Resolution' below). This resolves the vulnerability. Updated builds of these containers reflecting these updates will be released soon.

Atomic Host includes a vulnerable version of the libuser library. It is possible to update any containers hosted by Atomic to fixed versions of these packages using their built-in yum functionality. It is not possible to exploit Atomic host from within a container using these issues. The next cumulative update will include fixes for Atomic Host.

Cloud Images and Appliances

All Red Hat released official cloud and appliance images include a vulnerable version of the libuser library. Concerned users can use these images' built-in yum functionality to update to fixed versions (see 'Resolution' below). This resolves the vulnerability. Updated respins of these images reflecting these updates will be released soon.

Amazon Web Services

Red Hat Enterprise Linux Amazon Machine Images (AMIs) include a vulnerable version of the libuser library. It is possible to update any systems launched from them to fixed versions of these packages using their built-in yum functionality (see 'Resolution' below).

RHEV-H images

The Red Hat Enterprise Virtualization Hypervisor appliance images include a vulnerable version of the libuser library. These images should only be used to host virtual machines and should not have untrusted local users.

It is not possible to attack RHEV-H hosts from within a virtual machine by exploiting these issues. A future update of the RHEV-H image will address this vulnerability.

Resolution

To eliminate the possibility of exploitation, install the updated libuser packages that have been made available through the advisories listed in the above table.

To install the updates, use the yum package manager as follows:

yum update

To only update the libuser package and its dependencies, use:

yum update libuser

Mitigation

Due to the way libuser works, only users who have accounts already listed in /etc/passwd can exploit these vulnerabilities, and the user needs to supply the account password as part of the attack. These requirements mean that exploitation by accounts listed only in LDAP (or some other NSS data source), or by system accounts without a valid password is not possible.

On systems where updating libuser is not possible, system administrators can add pam_warn and pam_deny rules to the two files, /etc/pam.d/chfn and /etc/pam.d/chsh, to prevent non-root users from using the vulnerable services. With these edits, the files should contain:

#%PAM-1.0
auth       sufficient   pam_rootok.so
auth       required     pam_warn.so
auth       required     pam_deny.so
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth

Afterwards, attempts by unprivileged users to use chfn and chsh (and the respective functionality in the userhelper program) will fail and will be logged (by default in /var/log/secure). The order of the rules matters: pam_rootok.so is marked sufficient and comes first, so root still succeeds without reaching the deny rule, while every other user passes through pam_warn.so, which logs the attempt, and then fails at pam_deny.so.
