Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 02 Mar 2021 10:18:10 -0500
From: Steve Grubb <sgrubb@...hat.com>
To: oss-security@...ts.openwall.com, Salvatore Bonaccorso <carnil@...ian.org>
Cc: Felix Kosterhon <felix.kosterhon@...uinfra.com>
Subject: Re: Vulnerability in the Linux Audit Framework Auditd

Hello,

On Thursday, February 25, 2021 3:48:38 PM EST Salvatore Bonaccorso wrote:
> On Thu, Feb 18, 2021 at 03:52:54PM +0000, Felix Kosterhon wrote:
> > Hello Mr. Grubb,
> > 
> > thank you for your insight.
> > First and foremost we would like to clarify that our intent is not
> > to put blame on anyone but to improve the level of security for the
> > affected systems and the organisations utilising Auditd.
> > According to the rules.conf manual page, file-watch rules are meant
> > to monitor any accesses to files based on their permission level.
> > For the syscalls mentioned in this report this is not the case.
> > 
> > RedHat Inc. shares our perspective on this issue and has assigned a
> > CVE for the vulnerability. Additionally they informed us that they
> > will work together with the Upstream Linux Kernel Developers on
> > behalf of fixing this issue.
> 
> Is there a reference to this which can be followed/tracked? Asking
> because the Red Hat bugzilla entry for CVE-2020-35501 for now would
> still be restricted, but would like to get a better idea on how to
> track this issue within Debian.

Not sure who is supposed to answer this. I started an upstream audit 
discussion:

https://listman.redhat.com/archives/linux-audit/2021-February/msg00079.html

The current thinking is perhaps just document this in a man page. End users 
can always use a syscall audit rule and pick up any use. The shipped rules 
have open_by_handle_at as part of the syscalls being watched for quite some 
time. Typically people don't write their own rules, they have to meet the 
DISA STIG or CIS which prescribes the rules you need to be using. So, I don't 
know if there really is anything to do.

Maybe we can get a patch adding open_by_handle_at to the permission filter in 
the kernel. We'll just have to see how the upstream discussion unfolds.

-Steve

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.