Bugzilla – Bug 1148788
VUL-0: CVE-2019-3687: permissions: easy profile allows everyone execute dumpcap and read all network traffic
Last modified: 2023-04-06 09:34:50 UTC
The 'easy' profile specifies some file capabilities for /usr/bin/dumpcap and a 0755 mode, allowing any user on a system with wireshark installed to read all network traffic. (The 'secure' profile correctly has 0750 mode to limit execution to members of the 'wireshark' group, and the 'paranoid' profile doesn't specify any capabilities for the file.) (While the permissions package also has the same definitions in Leap/SLE, this only affects Tumbleweed since the wireshark package in those codestreams doesn't create the 'wireshark' group or call chkstat on the dumpcap binary.)
This is an autogenerated message for OBS integration: This bug (1148788) was mentioned in https://build.opensuse.org/request/show/727267 Factory / permissions
I noticed this a while ago and assumed it was a feature...
SUSE-SU-2020:0547-1: An update that solves two vulnerabilities and has three fixes is now available. Category: security (moderate) Bug References: 1148788,1160594,1160764,1161779,1163922 CVE References: CVE-2019-3687,CVE-2020-8013 Sources used: SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): permissions-20181116-9.23.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2020:0302-1: An update that solves two vulnerabilities and has three fixes is now available. Category: security (moderate) Bug References: 1148788,1160594,1160764,1161779,1163922 CVE References: CVE-2019-3687,CVE-2020-8013 Sources used: openSUSE Leap 15.1 (src): permissions-20181116-lp151.4.12.1
What is the security improvement of the update? The binary had no SUID bit. It had 755, now it has 750. Any user with an executable mount of /home, /var/tmp or /tmp (the default installation) can easily work around this change by:
cp -a /usr/bin/wireshark .
extract dumpcap from rpm
PATH=.:$PATH wireshark -k -i -
Actually, the update causes new troubles. I need to watch packets on my router. In the past, it was possible to dump remote traffic without local root or wireshark group permission via:
ssh root@openwrt.lan "tcpdump -i br-lan -U -s0 -w - port not 22" | wireshark -k -i -
Now it is not possible.
Hi Stanislav, in your example command you run wireshark, but this change was only about 'dumpcap' - a tool very similar to tcpdump in that example. So I am wondering if it wasn't a different change breaking your workflow. Now to your question: The dumpcap binary is installed with the cap_net_raw and cap_net_admin capabilities - executing it allows reading all network traffic on the system. In a world where everything used only properly encrypted and authenticated protocols, this may be fine (well there'd still be metadata leaks), but unfortunately we live in a world where plenty of software relies on "trusted" networks. Your copy instructions don't include setting file capabilities, so they don't recreate the insecure state - and setting file capabilities would require root privileges.
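An added audit script (not from this bug thread or the permissions package) that classifies a dumpcap binary according to the three profile states described above: world-executable plus cap_net_raw/cap_net_admin is the 'easy' state, 0750 with group 'wireshark' the 'secure' state, and no file capabilities the 'paranoid' one. The live-system path assumes Linux with GNU stat and libcap's getcap; the classification function itself takes the values as arguments so it can be checked without either.

```shell
#!/bin/sh
# Added example: audit /usr/bin/dumpcap for the insecure 'easy' profile state
# (file capabilities combined with a world-executable mode). Not the
# permissions package's own chkstat logic.

# classify_dumpcap MODE GROUP CAPS
#   MODE  - octal permission bits as printed by 'stat -c %a', e.g. 755 or 4755
#   GROUP - owning group name
#   CAPS  - getcap output for the file (empty when it has no capabilities)
# Prints: insecure | secure | unknown | paranoid
classify_dumpcap() {
    mode=$1; group=$2; caps=$3
    case "$caps" in
        *cap_net_raw*|*cap_net_admin*) ;;          # capture-capable binary
        *) echo paranoid; return 0 ;;              # no caps: root needed anyway
    esac
    other=${mode#"${mode%?}"}                      # last octal digit = 'other'
    if [ $(( other & 1 )) -ne 0 ]; then
        echo insecure                              # 'easy' profile: anyone can capture
        return 0
    fi
    if [ "$group" = "wireshark" ]; then
        echo secure                                # 'secure' profile: 0750, group wireshark
    else
        echo unknown                               # group-limited, but not to 'wireshark'
    fi
}

# audit_path PATH: read mode, group and capabilities from the filesystem.
# Assumes GNU stat and getcap from libcap (both output formats of getcap,
# '= caps+eip' and 'caps=eip', are accepted by the pattern above).
audit_path() {
    path=$1
    [ -e "$path" ] || { echo missing; return 1; }
    mode=$(stat -c '%a' "$path")
    group=$(stat -c '%G' "$path")
    caps=$(getcap "$path" 2>/dev/null)
    classify_dumpcap "$mode" "$group" "$caps"
}

# Usage: sh audit-dumpcap.sh /usr/bin/dumpcap
if [ "$#" -gt 0 ]; then audit_path "$1"; fi
```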
This change makes wireshark virtually unusable when running as a user (SLES15 SP2 + Workstation extension), unless the user is manually part of the wireshark group, which is not discoverable if you check the specfile or rpm changelog :( dumpcap doesn't have the needed permissions to run as root and there is no way for the end-user to specify "I have the rights to do network capture" in the GUI (I remember the GTK version of wireshark could be started by a root wrapper, which isn't great either, since it means the full GUI was running as root). Fedora works around the issue by adding a specific group and an error message for it ( https://src.fedoraproject.org/rpms/wireshark/blob/master/f/wireshark-0002-Customize-permission-denied-error.patch ). Maybe we should include this change.
back to proactive
A sensible error message should be provided indeed. I created a separate bug 1180102 for our wireshark maintainer to take care of this.
Removing AUDIT tag since this is not really an AUDIT and also the original VUL-0 bug should not be reused for the usability issue. Please use bug 1180102 for this.
Released.
This is an autogenerated message for OBS integration: This bug (1148788) was mentioned in https://build.opensuse.org/request/show/931965 15.3 / permissions
openSUSE-SU-2021:1520-1: An update that solves three vulnerabilities and has 27 fixes is now available. Category: security (moderate) Bug References: 1028975,1029961,1093414,1133678,1148788,1150345,1150366,1151190,1157498,1160285,1160764,1161335,1161779,1163588,1167163,1169614,1171164,1171173,1171569,1171580,1171686,1171879,1171882,1173221,1174504,1175720,1175867,1178475,1178476,1183669 CVE References: CVE-2019-3687,CVE-2019-3688,CVE-2020-8013 JIRA References: Sources used: openSUSE Leap 15.3 (src): permissions-20200127-lp153.24.3.1