CVE-2020-26880: [SA 2020-002] Security flaws in setuid wrappers, CVE-2020-10936 · Issue #943 · sympa-community/sympa
Sympa through 6.2.57b.2 allows a local privilege escalation from the sympa user account to full root access by modifying the sympa.conf configuration file (which is owned by sympa) and parsing it through the setuid sympa_newaliases-wrapper executable.
Just for the record, this vulnerability is (apparently) miscredited and the fix is incomplete. I reported this vulnerability in 2016. Here is the timeline of my interactions with Sympa:
29 Jan 2016 - Contacted sympa-authors and asked where to send security reports
29 Jan 2016 - David Verdin replied that the sympa-authors list was the correct destination for security reports.
29 Jan 2016 - Provided three POC attacks for the setuid wrappers to sympa-authors mailing list and the Debian security team. The first issue I reported was the vulnerability fixed here, the other two issues are still exploitable after this fix.
31 Jan 2016 - Reported an RCE flaw to pair it with to sympa-authors and the Debian security team.
8 Feb 2016 - After getting no response from sympa-authors to any of these messages, I sent a follow-up to sympa-authors and the Debian security team to confirm they had received them.
8 Feb 2016 - Salvatore Bonaccorso of the Debian security team responded that they had received my prior emails.
9 Feb 2016 - David Verdin from Sympa responded that he had received my emails and would look into it.
9 Feb 2016 - David Verdin responded that the POC attacks on the setuid wrappers were not meaningful because they were local.
9 Feb 2016 - I responded that I had sent 3 local and 1 remote attacks. I explained that local privilege escalation attacks are indeed security issues. I provided an example of a local privilege escalation attack against mailman that was handled as a vulnerability and assigned a CVE.
10 Jun 2018 - I contacted David Verdin, the Sympa authors list, and the Debian security team again to find out what the status of these issues was.
11 Jun 2018 - David Verdin replied that Sympa did plan to fix the issues and that he was forwarding the information to Sympa’s security list.
11 Jun 2018 - After checking the code to confirm no fixes had been applied, I emailed a one line local-root POC attack to demonstrate the risk.
12 Jun 2018 - David Verdin replied that he had forwarded this additional POC to Sympa’s security list.
26 Aug 2018 - I requested assignment of CVE-2018-1000671 for an open redirect flaw reported by Hanne Moa to Sympa’s github bug tracker.
26 Aug 2018 - I emailed David Verdin, the Sympa authors list, and the Debian security team that I would continue waiting for some action from Sympa until the 3 year anniversary of my initial report (Feb 2019), then I would dump the issues in a public bug tracker and be done with it.
7 Sep 2018 - The CVE assignment led to some direct back and forth with Soji Ikeda of the Sympa project. One of my emails asked him to confirm that my message about the unresolved vulnerabilities in Sympa had been received since no reply was sent by any representative of Sympa. Soji responded stating “sympa-authors list is no longer responsible. Please send to sympa-security list where persons in charge (including me) are watching.”
16 Sep 2018 - I emailed the sympa-security list details from all of my prior reports, and several additional methods for RCE attacks against default configurations of Sympa. The new RCE methods relied on mistakes in Sympa’s security model and mistaken assumptions about the security guarantees of the modules that Sympa uses.
This led to some back and forth where I explained to Sympa that I had already directly spoken to the authors of the modules Sympa uses and the RCE attacks are problems with Sympa’s use of these modules rather than problems in the modules directly.
29 Sep 2018 - I sent Ikeda Soji and the Sympa Security list an example patch for one of the setuid wrappers. This patch demonstrated how to fix the environmental variable filtering as done in SA 2020-002. It also demonstrated how to fix the other vulnerabilities in the setuid wrappers that SA-2020-002 does not correct. This patch included detailed comments to explain why each step is required to drop privileges correctly.
There were a few follow up emails after this, arguing that the design flaws I pointed out on 16 Sep 2018 were someone else’s problem to fix and me providing additional POC payloads to demonstrate that it was impossible to fix those modules to support Sympa’s unsupported use-case.
In Feb 2019 I decided it wasn’t worth wasting more of my own time reverifying all of my prior vulnerability reports, dumping them publicly, and dealing with the fallout that releasing unauthenticated remote-root 0-days in Sympa would create.
24 May 2020 - Sympa announced SA 2020-002 with a fix for one of the three vulnerabilities in the setuid wrappers I reported originally in 2016 and provided a patch for in 2018. Keeping true to form, Sympa not only left the setuid wrappers with other unresolved vulnerabilities…they credited someone else for finding the one vulnerability that was fixed.
I have attempted in this timeline to avoid mentioning any specific details about unresolved vulnerabilities that could be abused by an attacker, but I’d expect anyone with a reasonable understanding of privilege dropping code can readily identify some of the other mistakes in the current implementation.
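For readers of this issue who want to see the defensive pattern the timeline keeps referring to, here is an added example in C. It is not Sympa's wrapper code nor the patch the reporter sent; it shows the three checks a setuid wrapper of this kind needs: an allowlisted environment, a refusal to parse a config file the privileged process cannot trust (the CVE-2020-26880 description above is exactly a wrapper parsing a sympa-owned file as root), and a privilege drop done in the right order and then verified. All function names and the allowlist contents are assumptions for the example.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Example allowlist (assumed): variables passed through by exact name; everything else is dropped. */
static const char *const kept_vars[] = { "LANG", "LC_ALL", "TZ", NULL };

/* Returns 1 if entry ("NAME=value") names an allowlisted variable, else 0. */
int env_entry_allowed(const char *entry) {
    const char *eq = strchr(entry, '=');
    if (eq == NULL || eq == entry) return 0;                 /* malformed entry */
    size_t n = (size_t)(eq - entry);
    for (size_t i = 0; kept_vars[i] != NULL; i++)
        if (strlen(kept_vars[i]) == n && strncmp(entry, kept_vars[i], n) == 0) return 1;
    return 0;                               /* loader, interpreter search path and IFS variables end here */
}

/* Fills out[] with a fixed PATH plus the allowlisted entries of envp, NULL-terminated.
   Returns the number of entries written, or -1 if cap is too small. Pass out[] to execve(). */
int build_clean_env(char *const envp[], const char *out[], size_t cap) {
    size_t n = 0;
    if (cap < 2) return -1;
    out[n++] = "PATH=/usr/bin:/bin";
    for (size_t i = 0; envp[i] != NULL; i++) {
        if (!env_entry_allowed(envp[i])) continue;
        if (n + 1 >= cap) return -1;                          /* keep room for the terminating NULL */
        out[n++] = envp[i];
    }
    out[n] = NULL;
    return (int)n;
}

/* A file read while still privileged must be a regular file, owned by root and not writable by others.
   A config owned by the unprivileged service account fails this check and must not be parsed as root. */
int config_is_trusted(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode)) return 0;
    if (st.st_uid != 0 || (st.st_mode & (S_IWGRP | S_IWOTH)) != 0) return 0;
    return 1;
}

/* Drops to uid/gid irrevocably: supplementary groups first, then gid, then uid, then verify.
   Returns 0 on success, -1 if any step fails or root could be regained. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1; /* only root can clear groups */
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;       /* gid before uid, or setgid fails */
    if (uid != 0 && setuid(0) == 0) return -1;                 /* saved uid must not let us back to root */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid) return -1;
    return 0;
}
```

The order matters: once the uid is dropped the process can no longer change groups, and the setuid(0) probe catches a drop that only changed the effective id and left the saved set-user-id as root.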