Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-23948: secure_mount: use /proc/self/mountinfo · keylime/keylime@1a4f31a

A flaw was found in Keylime before 6.3.0. The logic in the Keylime agent for checking for a secure mount can be fooled by previously created unprivileged mounts allowing secrets to be leaked to other processes on the host.

CVE

@@ -0,0 +1,81 @@ import unittest from unittest.mock import patch
from keylime import secure_mount

class TestSecureMount(unittest.TestCase):
@patch(“keylime.secure_mount.logger”) @patch(“keylime.secure_mount.open”) def test_check_mounted_not_found(self, open_mock, logger_mock): “""Test when secdir is not mounted.""” open_mock.return_value = ( "23 106 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:26 - proc proc rw", ) self.assertFalse(secure_mount.check_mounted(“/secdir”))
@patch(“keylime.secure_mount.logger”) @patch(“keylime.secure_mount.open”) def test_check_mounted_found(self, open_mock, logger_mock): “""Test when secdir is mounted.""” open_mock.return_value = ( "23 106 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:26 - proc proc rw", "303 154 0:69 / /secdir rw,relatime shared:130 - tmpfs tmpfs rw,size=1024k,mode=700,inode64", ) self.assertTrue(secure_mount.check_mounted(“/secdir”))
@patch(“keylime.secure_mount.logger”) @patch(“keylime.secure_mount.open”) def test_check_mounted_found_zero_optional_fields(self, open_mock, logger_mock): “""Test when secdir is mounted when there are no optional fields.""” open_mock.return_value = ( "23 106 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:26 - proc proc rw", "303 154 0:69 / /secdir rw,relatime - tmpfs tmpfs rw,size=1024k,mode=700,inode64", ) self.assertTrue(secure_mount.check_mounted(“/secdir”))
@patch(“keylime.secure_mount.logger”) @patch(“keylime.secure_mount.open”) def test_check_mounted_found_extra_optional_fields(self, open_mock, logger_mock): “""Test when secdir is mounted when there are extra optional fields.""” open_mock.return_value = ( "23 106 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:26 - proc proc rw", "303 154 0:69 / /secdir rw,relatime shared:130 extra:1 - tmpfs tmpfs rw,size=1024k,mode=700,inode64", ) self.assertTrue(secure_mount.check_mounted(“/secdir”))
@patch(“keylime.secure_mount.logger”) @patch(“keylime.secure_mount.open”) def test_check_mounted_found_wrong_fs(self, open_mock, logger_mock): “""Test when secdir is mounted but under a wrong fs.""” open_mock.return_value = ( "23 106 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:26 - proc proc rw", "303 154 0:69 / /secdir rw,relatime shared:130 - btrfs /dev/sda2 rw", ) with self.assertRaises(Exception) as e: secure_mount.check_mounted(“/secdir”) self.assertTrue(“wrong file system” in str(e.exception))
@patch(“keylime.secure_mount.logger”) @patch(“keylime.secure_mount.open”) def test_check_mounted_found_spaces(self, open_mock, logger_mock): “""Test when secdir is mounted and contains spaces.""” open_mock.return_value = ( "23 106 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:26 - proc proc rw", r"303 154 0:69 / /sec\040dir rw,relatime shared:130 - tmpfs tmpfs rw,size=1024k,mode=700,inode64", ) self.assertTrue(secure_mount.check_mounted(“/sec dir”))
@patch(“keylime.secure_mount.logger”) @patch(“keylime.secure_mount.open”) def test_check_mounted_wrong_format(self, open_mock, logger_mock): “""Test when the mount info lines are wrong.""” open_mock.return_value = ("invalid line",) with self.assertRaises(Exception) as e: secure_mount.check_mounted(“/secdir”) self.assertTrue(“cannot be parsed” in str(e.exception))

if __name__ == "__main__": unittest.main()

Related news

CVE-2022-23952: Multiple Security Issues (including remote code execution in the Agent component)

In Keylime before 6.3.0, current keylime installer installs the keylime.conf file, which can contain sensitive data, as world-readable.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907