Date: Mon, 11 Sep 2017 14:22:12 -0600
From: "kseifried@...hat.com" <kseifried@...hat.com>
To: oss-security@...ts.openwall.com, Michael Orlitzky <michael@...itzky.com>
Cc: Daniel Kahn Gillmor <dkg@...thhorseman.net>
Subject: Re: CVE-2017-12847: nagios-core privilege escalation via PID file manipulation

On 2017-09-11 01:58 PM, Michael Orlitzky wrote:
> On 09/07/2017 12:22 PM, Daniel Kahn Gillmor wrote:
> It's just me as far as I know. I stumbled onto this by accident while
> cleaning up an OpenRC init script that was shipped as part of an
> upstream package. I updated it, and then noticed that my init script was
> vulnerable to the PID file trick. Then I realized that everybody else
> has the same problem.
>
> You probably need a human to make the final decision on whether or not
> an init script is vulnerable, but my lame heuristic so far has been
> hilariously accurate: does the init script mess with file/directory
> ownership? If so, it's probably vulnerable to *something*.

Another note on init scripts and related things (rpm and dpkg
postinstall/preinstall/etc. scripts): as a rule, if one does anything with

chmod
chown
chgrp
touch
head
tail
cat
"/etc/pki/"
"/tmp/"
"/dev/random"
"/dev/urandom"
cert commands from openssl, gnutls or nss
a pile of other things (you start to get the idea)

there is a semi-good chance that either something is going wrong
security-wise, or it should be part of first run (e.g. things that
generate a certificate or a key: if you do that in the install/postinstall
scripts all your containers have the same secret; if you do it on first
run, typically as part of the app itself or as part of the init scripts,
then it's unique per instance).

Some examples:

CVE-2016-4980
CVE-2016-4982
CVE-2016-4983
CVE-2016-4984

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@...hat.com
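The following is an added example, not code from this thread, from nagios-core or from Red Hat. It does two things the message above talks about: it mechanises the "does the script mess with ownership, modes, well-known paths or cert tools" heuristic as a grep pass over init/maintainer scripts, and it shows the defensive way to consume a PID file that an unprivileged daemon user may be able to write (the "PID file trick"): validate the contents and confirm the target process really belongs to the daemon user before signalling it. The token list, the two constructed sample scripts, the /proc-based owner lookup and all function names are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the thread): grep-based triage for risky init and
# package scripts, plus a hardened "read PID file, then kill" routine.
# Everything below is POSIX sh; no bashisms, no `local`.

# Tokens from Kurt's list, matched as whole words so that e.g. "certificate"
# does not trip on "cat".  "openssl|certtool|certutil" is this example's
# stand-in for "cert commands from openssl, gnutls or nss".
RISKY_WORDS='chmod|chown|chgrp|touch|head|tail|cat|openssl|certtool|certutil'
RISKY_PATHS='/etc/pki/|/tmp/|/dev/random|/dev/urandom'
RISKY_RE="(^|[^[:alnum:]_])($RISKY_WORDS)([^[:alnum:]_]|\$)|$RISKY_PATHS"

# Print file:line:text for every risky line in the given scripts.
flag_risky_lines() {
    grep -nE "$RISKY_RE" "$@" 2>/dev/null || true
}

# True (exit 0) if any of the given scripts contains a risky token.
is_suspicious() {
    grep -qE "$RISKY_RE" "$@" 2>/dev/null
}

# Read a PID from a file the daemon user may control.  Refuse symlinks and
# anything that is not a single integer greater than 1, so a root init
# script can never be steered into "kill 1", "kill -1" or "kill 4242 1".
read_pidfile() {
    pidfile=$1 pid=
    [ ! -L "$pidfile" ] && [ -f "$pidfile" ] || return 1
    read -r pid < "$pidfile" || [ -n "$pid" ] || return 1   # tolerate no trailing newline
    case "$pid" in ''|*[!0-9]*) return 1 ;; esac
    [ "$pid" -gt 1 ] || return 1
    printf '%s\n' "$pid"
}

# Real UID of a running process: /proc on Linux, ps elsewhere.
pid_owner_uid() {
    if [ -r "/proc/$1/status" ]; then
        awk '/^Uid:/ { print $2; exit }' "/proc/$1/status"
    else
        ps -o uid= -p "$1" 2>/dev/null | tr -d ' '
    fi
}

# Signal the PID only if the file validates AND the process belongs to the
# daemon user.  A PID that a hostile daemon user planted to point at a
# root-owned process is refused rather than killed.
safe_stop_daemon() {
    pidfile=$1 daemon_user=$2
    pid=$(read_pidfile "$pidfile") \
        || { echo "refusing: $pidfile is not a sane PID file" >&2; return 1; }
    owner=$(pid_owner_uid "$pid")
    [ -n "$owner" ] && [ "$owner" = "$(id -u "$daemon_user" 2>/dev/null)" ] \
        || { echo "refusing: pid $pid is not owned by $daemon_user" >&2; return 1; }
    kill -TERM "$pid"
}

# Constructed sample inputs (not real distro scripts), in a scratch directory.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/vuln.init" <<'EOF'
#!/bin/sh
PIDFILE=/var/run/nagios/nagios.pid
chown nagios:nagios /var/run/nagios
start() { su nagios -c "/usr/sbin/nagios -d /etc/nagios/nagios.cfg"; }
stop()  { kill "$(cat $PIDFILE)"; }
EOF
cat > "$demo_dir/clean.init" <<'EOF'
#!/bin/sh
start() { start-stop-daemon --start --exec /usr/sbin/foo; }
stop()  { start-stop-daemon --stop --exec /usr/sbin/foo; }
EOF
printf '1\n'    > "$demo_dir/planted.pid"   # what a hostile daemon user might write
printf '4242\n' > "$demo_dir/good.pid"

demo() {
    for f in "$demo_dir"/*.init; do
        if is_suspicious "$f"; then
            echo "SUSPICIOUS: $f"; flag_risky_lines "$f"
        else
            echo "clean: $f"
        fi
    done
    # Refused: "1" never passes read_pidfile, so root never runs "kill 1".
    safe_stop_daemon "$demo_dir/planted.pid" nagios || true
}
demo
```

The grep pass is deliberately noisy, as the heuristic in the message is: it is a list of scripts for a human to read, not a verdict. The owner check is what actually closes the PID-file hole in a root-run stop action; checking that the pidfile itself is owned by root does not help when the daemon user can write the directory or the process that writes the file runs as that user.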