Date: Tue, 16 Aug 2016 15:38:02 +0530
From: Huzaifa Sidhpurwala <huzaifas@...hat.com>
To: oss-security@...ts.openwall.com
Subject: firewalld: Firewall configuration can be modified by any logged in
 user

Hi All,

FirewallD provides a D-Bus API for modifying its configuration after the user
has been authenticated via polkit. This does not apply to 5 methods,
which can be called by any logged-in user via the D-Bus API or the firewall-cmd
CLI interface. This holds regardless of which predefined policy is in use, server or desktop.

List of affected D-Bus methods in firewalld.py:
addPassthrough
removePassthrough
addEntry
removeEntry
setEntries

Any locally logged-in user could use the above firewalld commands to
tamper with or change the firewall settings.

This flaw was introduced via the following commit:
https://github.com/t-woerner/firewalld/commit/6b9867cd5c5e2c83adeec42666521a420e59ef11

It affects all firewalld versions since 0.3.12

We have assigned CVE-2016-5410 to this flaw and this issue was
previously disclosed via the linux-distros mailing list.


A proposed patch is enclosed with this email.

--- a/src/firewall/server/firewalld.py
+++ a/src/firewall/server/firewalld.py
@@ -61,8 +61,8 @@ class FirewallD(slip.dbus.service.Object):

     persistent = True
     """ Make FirewallD persistent. """
-    default_polkit_auth_required = config.dbus.PK_ACTION_INFO
-    """ Use config.dbus.PK_ACTION_INFO as a default """
+    default_polkit_auth_required = config.dbus.PK_ACTION_CONFIG
+    """ Use config.dbus.PK_ACTION_CONFIG as a default """

     @handle_exceptions
     def __init__(self, *args, **kwargs):
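Review bot: The replacement docstring under `default_polkit_auth_required` only restates the constant; it should say what the attribute is for, e.g. `""" Fallback polkit action for exported methods that carry no explicit require_auth; kept at PK_ACTION_CONFIG so an undecorated method fails closed instead of being callable by any logged-in user. """` (assuming slip.dbus consults this attribute for undecorated methods, as the name suggests). The file header `+++ a/src/firewall/server/firewalld.py` should read `+++ b/src/firewall/server/firewalld.py` for a conventional unified diff. The `__init__` definition that begins on the last line of this hunk continues outside it.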
@@ -2128,6 +2128,7 @@ class FirewallD(slip.dbus.service.Object):

     # DIRECT PASSTHROUGH (tracked)

+    @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_DIRECT)
     @dbus_service_method(config.dbus.DBUS_INTERFACE_DIRECT,
in_signature='sas',
                          out_signature='')
     @dbus_handle_exceptions
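Review bot: The `def` line of the method this new `require_auth(config.dbus.PK_ACTION_DIRECT)` guards lies outside the hunk, so it cannot be confirmed here that the decorator lands on `addPassthrough` rather than a neighbouring method; the same applies to the hunks at 2141, 2256 and 2268. The decorator order, `require_auth` outermost above `@dbus_service_method`, matches the existing `setEntries` stanza later in the patch, which keeps the file consistent. Because the fix is pure access control with no functional change visible at the call site, a regression test that invokes each of the five methods named in the report from an unprivileged D-Bus client and expects the polkit denial would keep a later refactor from silently dropping a decorator. The passthrough methods get `PK_ACTION_DIRECT` while the ipset entry methods get `PK_ACTION_CONFIG`; presumably that split mirrors the other `DBUS_INTERFACE_DIRECT` methods, which are not visible here.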
@@ -2141,6 +2142,7 @@ class FirewallD(slip.dbus.service.Object):
         self.fw.direct.add_passthrough(ipv, args)
         self.PassthroughAdded(ipv, args)

+    @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_DIRECT)
     @dbus_service_method(config.dbus.DBUS_INTERFACE_DIRECT,
in_signature='sas',
                          out_signature='')
     @dbus_handle_exceptions
@@ -2256,6 +2258,7 @@ class FirewallD(slip.dbus.service.Object):

     # set entries # # # # # # # # # # # # # # # # # # # # # # # # # # #
# # #

+    @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG)
     @dbus_service_method(config.dbus.DBUS_INTERFACE_IPSET,
in_signature='ss',
                          out_signature='')
     @dbus_handle_exceptions
@@ -2268,6 +2271,7 @@ class FirewallD(slip.dbus.service.Object):
         self.fw.ipset.add_entry(ipset, entry)
         self.EntryAdded(ipset, entry)

+    @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG)
     @dbus_service_method(config.dbus.DBUS_INTERFACE_IPSET,
in_signature='ss',
                          out_signature='')
     @dbus_handle_exceptions
@@ -2301,7 +2305,7 @@ class FirewallD(slip.dbus.service.Object):
         log.debug1("ipset.getEntries('%s')" % ipset)
         return self.fw.ipset.get_entries(ipset)

-    @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_INFO)
+    @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG)
     @dbus_service_method(config.dbus.DBUS_INTERFACE_IPSET,
in_signature='sas')
     @dbus_handle_exceptions
     def setEntries(self, ipset, entries, sender=None): # pylint:
disable=W0613
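Review bot: `getEntries`, visible just above the change, is a read-only query whose polkit decorator is outside the hunk; with `setEntries` raised to `PK_ACTION_CONFIG` here and the class default raised in the first hunk, any query method that lacks an explicit `@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_INFO)` would presumably now demand config authorization. That is fail-safe, but it could break unprivileged `firewall-cmd` queries, so it is worth confirming that every read-only method carries an explicit INFO decorator before the default change lands. The `setEntries` body continues outside the hunk.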



-- 
Huzaifa Sidhpurwala / Red Hat Product Security Team
