Bugzilla – Bug 992772
VUL-0: CVE-2016-5410: firewalld: too lax polkit rules
Last modified: 2018-08-28 11:51:07 UTC
FirewallD provides dbus api for modification of configuration after user has been authenticated via polkit. This does not apply for 5 methods which can be called by any logged user using dbus api or firewall-cmd cli interface. Any predefined policy can be used, server or desktop.

List of concerned dbus methods in firewalld.py:

addPassthrough
removePassthrough
addEntry
removeEntry
setEntries

Any locally logged in user could use the above firewalld commands to tamper or change the firewall settings.

This flaw was introduced via the following commit:
https://github.com/t-woerner/firewalld/commit/6b9867cd5c5e2c83adeec42666521a420e59ef11

It affects all firewalld versions since 0.3.12.

We have assigned CVE-2016-5410 to this flaw. A proposed patch is enclosed with this email.

Proposed un-embargo date is 16-Aug-2016 10:00 UTC

Regards,
Huzaifa Sidhpurwala / Red Hat Product Security Team.
(sorry, the patch was inline by mail) --- a/src/firewall/server/firewalld.py +++ a/src/firewall/server/firewalld.py @@ -61,8 +61,8 @@ class FirewallD(slip.dbus.service.Object): persistent = True """ Make FirewallD persistent. """ - default_polkit_auth_required = config.dbus.PK_ACTION_INFO - """ Use config.dbus.PK_ACTION_INFO as a default """ + default_polkit_auth_required = config.dbus.PK_ACTION_CONFIG + """ Use config.dbus.PK_ACTION_CONFIG as a default """ @handle_exceptions def __init__(self, *args, **kwargs): @@ -2128,6 +2128,7 @@ class FirewallD(slip.dbus.service.Object): # DIRECT PASSTHROUGH (tracked) + @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_DIRECT) @dbus_service_method(config.dbus.DBUS_INTERFACE_DIRECT, in_signature='sas', out_signature='') @dbus_handle_exceptions @@ -2141,6 +2142,7 @@ class FirewallD(slip.dbus.service.Object): self.fw.direct.add_passthrough(ipv, args) self.PassthroughAdded(ipv, args) + @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_DIRECT) @dbus_service_method(config.dbus.DBUS_INTERFACE_DIRECT, in_signature='sas', out_signature='') @dbus_handle_exceptions @@ -2256,6 +2258,7 @@ class FirewallD(slip.dbus.service.Object): # set entries # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # + @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG) @dbus_service_method(config.dbus.DBUS_INTERFACE_IPSET, in_signature='ss', out_signature='') @dbus_handle_exceptions @@ -2268,6 +2271,7 @@ class FirewallD(slip.dbus.service.Object): self.fw.ipset.add_entry(ipset, entry) self.EntryAdded(ipset, entry) + @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG) @dbus_service_method(config.dbus.DBUS_INTERFACE_IPSET, in_signature='ss', out_signature='') @dbus_handle_exceptions 
@@ -2301,7 +2305,7 @@ class FirewallD(slip.dbus.service.Object): log.debug1("ipset.getEntries('%s')" % ipset) return self.fw.ipset.get_entries(ipset) - @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_INFO) + @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG) @dbus_service_method(config.dbus.DBUS_INTERFACE_IPSET, in_signature='sas') @dbus_handle_exceptions def setEntries(self, ipset, entries, sender=None): # pylint: disable=W0613
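Review bot: audit every method that has no require_auth decorator before merging the first hunk (@@ -61,8 +61,8 @@). With default_polkit_auth_required now set to config.dbus.PK_ACTION_CONFIG, any read-only query that relied on the old INFO default will start requiring the configuration action. If that is not intended, give those getters an explicit @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_INFO), and state the new fail-closed default in the commit message.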
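Review bot: setEntries in the last hunk (@@ -2301,7 +2305,7 @@) carried an explicit PK_ACTION_INFO decorator, so the changed class default alone would not have covered it, and the same explicit mislabel may sit on other state-changing methods. Check firewalld.py for further require_auth(config.dbus.PK_ACTION_INFO) decorators on methods that modify state through self.fw, and list the methods that were audited in the commit message.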
As the bug is embargoed, no public submits/references until Aug 16th. Since the bug is not very severe, we could just wait until embargo is over to see whether upstream accepted the patch proposal as is.
Public now; you can now submit fixes.
Hi All,

FirewallD provides dbus api for modification of configuration after user has been authenticated via polkit. This does not apply for 5 methods which can be called by any logged user using dbus api or firewall-cmd cli interface. Any predefined policy can be used, server or desktop.

List of concerned dbus methods in firewalld.py:

addPassthrough
removePassthrough
addEntry
removeEntry
setEntries

Any locally logged in user could use the above firewalld commands to tamper or change the firewall settings.

This flaw was introduced via the following commit:
https://github.com/t-woerner/firewalld/commit/6b9867cd5c5e2c83adeec42666521a420e59ef11

It affects all firewalld versions since 0.3.12.

We have assigned CVE-2016-5410 to this flaw and this issue was previously disclosed via the linux-distros mailing list. A proposed patch is enclosed with this email.

--
Huzaifa Sidhpurwala / Red Hat Product Security Team

(patch was attached earlier)
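An added example, not part of the bug report or of firewalld's code: a static check for the pattern the advisory describes, flagging D-Bus methods that change state but are guarded only by PK_ACTION_INFO, whether set explicitly or inherited. It assumes undecorated methods fall back to default_polkit_auth_required, uses add/remove/set name prefixes as a heuristic for state-changing methods, and runs on a constructed sample class.

```python
import ast

# Constructed sample mirroring the patch's decorator layout; not firewalld's real source.
SAMPLE = '''
class FirewallD:
    default_polkit_auth_required = config.dbus.PK_ACTION_INFO

    @dbus_service_method(config.dbus.DBUS_INTERFACE_DIRECT, in_signature='sas')
    def addPassthrough(self, ipv, args, sender=None): pass

    @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_INFO)
    @dbus_service_method(config.dbus.DBUS_INTERFACE_IPSET, in_signature='sas')
    def setEntries(self, ipset, entries, sender=None): pass

    @dbus_service_method(config.dbus.DBUS_INTERFACE_IPSET, in_signature='s')
    def getEntries(self, ipset, sender=None): pass

    @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG)
    @dbus_service_method(config.dbus.DBUS_INTERFACE_IPSET, in_signature='ss')
    def addEntry(self, ipset, entry, sender=None): pass
'''

MUTATING_PREFIXES = ("add", "remove", "set")  # naming heuristic (assumption)
WEAK_ACTION = "PK_ACTION_INFO"                # the action the patch replaces

def last_part(node):
    """Last dotted component of an expression: a.b.PK_X -> 'PK_X'."""
    return ast.unparse(node).rsplit(".", 1)[-1]

def audit(source):
    """Map each exported mutating method to the weak polkit action guarding it."""
    findings = {}
    for cls in (n for n in ast.walk(ast.parse(source)) if isinstance(n, ast.ClassDef)):
        default = next((last_part(s.value) for s in cls.body
                        if isinstance(s, ast.Assign)
                        and last_part(s.targets[0]) == "default_polkit_auth_required"), None)
        for fn in (n for n in cls.body if isinstance(n, ast.FunctionDef)):
            calls = {last_part(d.func): d for d in fn.decorator_list if isinstance(d, ast.Call)}
            if "dbus_service_method" not in calls or not fn.name.startswith(MUTATING_PREFIXES):
                continue  # not exported over D-Bus, or a read-only getter
            auth = calls.get("require_auth")
            action = last_part(auth.args[0]) if auth and auth.args else default
            if action in (None, WEAK_ACTION):
                findings[fn.name] = f"{action} ({'explicit' if auth else 'inherited default'})"
    return findings

if __name__ == "__main__":
    for name, why in audit(SAMPLE).items():
        print(f"{name}: guarded only by {why}")
```

Requires Python 3.9 or later for ast.unparse.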
This is an autogenerated message for OBS integration: This bug (992772) was mentioned in https://build.opensuse.org/request/show/419853 42.2 / firewalld
The new version has been accepted in the devel project and forwarded in Factory and Leap 42.2. As a result, I am marking this bug as resolved.
This is an autogenerated message for OBS integration: This bug (992772) was mentioned in https://build.opensuse.org/request/show/629070 Factory / firewalld
This is an autogenerated message for OBS integration: This bug (992772) was mentioned in https://build.opensuse.org/request/show/631960 Factory / firewalld