CVE-2019-10143: su to radiusd user/group when rotating logs by cipherboy · Pull Request #2666 · FreeRADIUS/freeradius-server
** DISPUTED ** It was discovered freeradius up to and including version 3.0.19 does not correctly configure logrotate, allowing a local attacker who already has control of the radiusd user to escalate his privileges to root, by tricking logrotate into writing a radiusd-writable file to a directory normally inaccessible by the radiusd user. NOTE: the upstream software maintainer has stated “there is simply no way for anyone to gain privileges through this alleged issue.”
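The weak pattern the CVE text describes is a logrotate stanza that rotates files living in a directory owned by the service user while logrotate itself runs as root; the `su user group` directive makes logrotate drop to that user and group before touching the directory. The script below is an added example, not code from the pull request or from FreeRADIUS: it embeds a constructed weak stanza next to its hardened counterpart (the log path is a placeholder) and a small check that flags any stanza lacking an `su` line, the kind of audit a defender can run over `/etc/logrotate.d` to catch this class of misconfiguration.

```shell
#!/bin/sh
# Added example (not part of the PR or of FreeRADIUS). Both configs are
# constructed samples; the log directory is a placeholder path.

# Weak: logrotate (running as root) creates and compresses files inside a
# directory the service user controls, with no instruction to drop privileges.
WEAK_CONF='/var/log/radius-example/*.log {
    weekly
    rotate 52
    missingok
    compress
    create 0640 radiusd radiusd
}'

# Hardened: the su directive makes logrotate switch to the service user/group
# before operating on the directory, so it cannot be tricked into writing as root.
HARDENED_CONF='/var/log/radius-example/*.log {
    su radiusd radiusd
    weekly
    rotate 52
    missingok
    compress
    create 0640 radiusd radiusd
}'

# check_su_directive CONFIG_TEXT
# Prints "ok" and returns 0 when every stanza in CONFIG_TEXT carries an
# `su <user> <group>` line; prints "missing" and returns 1 otherwise.
# A stanza runs from a line ending in '{' to the next line starting with '}'.
check_su_directive() {
    printf '%s\n' "$1" | awk '
        /[{][[:space:]]*$/ { in_stanza = 1; seen_su = 0; next }
        in_stanza && /^[[:space:]]*su[[:space:]]+[^[:space:]]+[[:space:]]+[^[:space:]]+/ { seen_su = 1 }
        /^[[:space:]]*[}]/ { if (in_stanza && !seen_su) missing++; in_stanza = 0 }
        END { if (missing > 0) { print "missing"; exit 1 } print "ok"; exit 0 }
    '
}

# Stand-alone usage: audit both samples, then any real config passed on argv.
if [ "$(basename "$0")" != "sh" ]; then
    printf 'weak config:     %s\n' "$(check_su_directive "$WEAK_CONF")"
    printf 'hardened config: %s\n' "$(check_su_directive "$HARDENED_CONF")"
    for f in "$@"; do
        [ -r "$f" ] && printf '%s: %s\n' "$f" "$(check_su_directive "$(cat "$f")")"
    done
fi
```

The check is deliberately conservative: it only recognises the two-argument form `su user group`, so a stanza that spells the directive any other way is reported as missing and deserves a manual look rather than a silent pass.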
Uh… any thought that you might tell us about this? The email address
[email protected] has existed for ~20 years, and is available on the
public web page. Why did you not look there?
Sorry for not using your security email first, but the issue was already public
in our bugzilla since May 1st
(https://bugzilla.redhat.com/show_bug.cgi?id=1705143), which, I guess, led
@cipherboy to submit this PR upstream. It was not discovered by Red Hat as far
as I know. Anyway, the comment of the commit clearly explains that the impact is
privilege escalation from radius user to root and given the CVE was assigned
weeks later, after the bug was public and the patch was already acknowledged and
accepted upstream, I did not think an extra email was required.
@ret2libc "we are aware of a way to exploit this"
For "a way to exploit this", you can see the reproducer in the first comment of
https://bugzilla.redhat.com/show_bug.cgi?id=1705143, which confirms the problem
is real.
On top of that, I’m skeptical of “security” issues which require already
privileged access. If the “attacker” has access to the radiusd user, then he
can run the RADIUS server, and authenticate anyone he wants. That’s a huge
security problem, too.
As you said, the flaw has limited impact, since it requires the attacker to
already have control of the radiusd user, but it lets him escalate his privileges
to root after having compromised the freeradius server. It is true that radiusd
user compromise is already not good, but we still believe that privilege
escalation from radius user to root has a security impact, which deserves a CVE.
Is it common RedHat security practice to file for a CVE, and then never tell
the authors about it?
We do have very careful security response processes in place, but I agree in
this particular instance we made a mistake and we could have handled the issue
better. We will try to work more closely with you from now on.