Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 20 Jan 2020 15:50:28 +0100
From: Matthias Gerstner <mgerstner@...e.de>
To: oss-security@...ts.openwall.com
Subject: CVE-2019-18899: apt-cacher-ng: openSUSE packaging for apt-cacher-ng
 runs the daemon as root instead of as an unprivileged user

Hi,

apt-cacher-ng is a caching proxy for downloading packages from
Debian-style software repositories [1]. In the course of a code review
of apt-cacher-ng I noticed a mismatch between upstream configuration and
the configuration used in the openSUSE packaging.

While the upstream configuration expects the daemon to run as the
apt-cacher-ng unprivileged user, the openSUSE packaging ships a
diverging systemd service unit configuration, causing the apt-cacher-ng
daemon to be running as the root user. Apart from a generally increased
attack surface by not lowering privileges this causes the following
security issue:

Although the openSUSE packaging for apt-cacher-ng doesn't employ the
unprivileged apt-cacher-ng user, it still creates it in the system. The
directory /run/apt-cacher-ng is created for the apt-cacher-ng user via
a systemd-tmpfiles configuration file from the upstream sources. This
results in the apt-cacher-ng daemon running as root, which handles files
in /run/apt-cacher-ng which is owned by the apt-cacher-ng user. The
daemon correctly assumes that this directory is safe to handle without
precautions, but this assumption is broken by the bad packaging.

Therefore a compromised apt-cacher-ng user account can perform symlink
attacks in /run/apt-cacher-ng to cause writes to privileged file system
locations by root, once the apt-cacher-ng service is (re)started.
Furthermore the socket path /run/apt-cacher-ng/socket can be replaced by
an attacker owned socket, thereby allowing him to hijack privileged
client connections to apt-cacher-ng. Additional unexplored security
issues could be possible.

An update for the broken packaging will be supplied for openSUSE Leap
15.1. Furthermore, since there is no active maintainer for the package
in openSUSE, the apt-cacher-ng package is removed from the
openSUSE:Factory project and thus from the openSUSE Tumbleweed rolling
release distribution in the future.

[1]: https://wiki.debian.org/AptCacherNg

Cheers

Matthias

-- 
Matthias Gerstner <matthias.gerstner@...e.de>
Dipl.-Wirtsch.-Inf. (FH), Security Engineer
https://www.suse.com/security
Phone: +49 911 740 53 290
GPG Key ID: 0x14C405C971923553

SUSE Software Solutions Germany GmbH
HRB 36809, AG Nürnberg
Geschäftsführer: Felix Imendörffer

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.