Bugzilla – Bug 1156309
VUL-0: CVE-2019-3698: nagios: /etc/cron.weekly/nagios allows privilege escalation from nagios to root
Last modified: 2024-05-14 08:30:06 UTC
A finding from bug 1150550: The cron job in /etc/cron.weekly/nagios allows the 'nagios' user to escalate privileges to 'root' by placing symlinks in /var/log/nagios/archives.

The cron job is not performing its logic by default, which is good. It only does so when NAGIOS_COMPRESS_LOGFILES is set in /etc/sysconfig/nagios. The cron job is a SUSE specific file that is not coming from upstream. To fix it we need to run the relevant commands in the 'nagios' user context e.g. by using 'sudo'.

The exact vulnerability is that the cron job basically calls "/usr/bin/bzip2" on files in /var/log/nagios/archives/*.log. Since both /var/log/nagios and /var/log/nagios/archives are owned by 'nagios', the 'nagios' user can place symlinks there. 'bzip2' contains some sanity checks but uses racy system calls like stat/lstat/open to implement them.

The following bad things could happen:

1) A DoS against cron can be implemented e.g. by placing a FIFO in /var/log/nagios/archives/some.log. bzip2 will then try to open this FIFO, which will block forever.

2) It could be used to deduce the existence of private files, because bzip2 reacts differently to a broken symlink than to a valid symlink. The output of bzip2 is however only mailed to root. Maybe the result could also be observed by other means by an attacker.

3) When the attacker wins a race against bzip2 then private files could leak. When replacing the input file by a symlink e.g. to /root/.bash_history then bzip2 would compress the file and write the result to /var/log/nagios/archives. This only works if the private file allows group read or world read, however.

4) It allows corrupting any files in the system that end in *.log by replacing the /var/log/nagios/archives directory with a symlink to the directory that contains the *.log file.

The most serious is probably 3) but the race is difficult to win and since the cron job only runs once a week the attack surface is luckily small.
Since this is a SUSE specific cron job our security team will have to assign a CVE ourselves.
All codestreams are affected by this, only in SLE-11 does the cron job look a bit different but it has the same basic vulnerability in it.
Created attachment 823818
Proposed patch for nagios cronjob

Attached patch should:

1) try to get the configured nagios_user from the main nagios configuration file
2) fall back to the user 'nagios' if 1) does not lead to a result
3) call the bzip command via 'su --login $NAGIOS_USER --command...' to run as nagios user
Matthias: would the patch from comment #2 solve the issue from your point of view?
(In reply to Lars Vogdt from comment #3)
> Matthias: would the patch from comment #2 solve the issue from your point of
> view?

It will solve the issue. However, I don't recommend using `su` or `sudo` after all. Discussing this in the security team we found it is better to use `setpriv` instead. The reason for this is that `su` and `sudo` use the PAM stack, which can cause side effects or produce undesirable log messages.

A setpriv call for your purpose would look like this:

```
setpriv --init-groups --ruid $NAGIOS_USER --rgid $NAGIOS_USER \
    --inh-caps -all --reset-env /usr/bin/bzip2 "$f"
```

Can you please adjust your patch accordingly? Otherwise it looks good, thank you!
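Putting the report in the bug description together with the fix discussed in comments 2 and 4, the following is an added example of what such a hardened weekly job can look like. It is neither the SUSE cron job nor the attached patch: it resolves the user from the nagios configuration with a fallback to 'nagios', and runs bzip2 through setpriv instead of su/sudo. It uses `--reuid`/`--regid` rather than `--ruid`/`--rgid`, because per setpriv(1) the latter change only the real IDs while the effective ID, which the kernel uses for file access checks, would stay root. Assumed rather than taken from the bug: the config path /etc/nagios/nagios.cfg, its `nagios_user=` key, and that NAGIOS_COMPRESS_LOGFILES only needs a non-empty value to enable the job.

```shell
#!/bin/sh
# Added example, not the SUSE cron job from the bug report: a weekly
# log-compression job that resolves the nagios user from nagios.cfg and runs
# bzip2 through setpriv, so nothing under /var/log/nagios/archives is ever
# opened with root privileges. Assumed (not stated in the bug): the config
# path /etc/nagios/nagios.cfg and its "nagios_user=" key; both overridable.

NAGIOS_CFG="${NAGIOS_CFG:-/etc/nagios/nagios.cfg}"
ARCHIVE_DIR="${ARCHIVE_DIR:-/var/log/nagios/archives}"

# Steps 1 and 2 of the proposed patch: use the last nagios_user= line of the
# main config (comment lines ignored) and fall back to 'nagios' when there is
# no usable value, e.g. the key is missing, empty, or the file is unreadable.
nagios_user_from_cfg() {
    _user=""
    if [ -r "$1" ]; then
        _user=$(sed -n 's/^[[:space:]]*nagios_user[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" | tail -n 1)
    fi
    [ -n "$_user" ] || _user="nagios"
    printf '%s\n' "$_user"
}

# Step 3 as revised in comment 4: drop to the target user with setpriv rather
# than su/sudo, so no PAM session is involved. --reuid/--regid change the
# real, effective and saved IDs together, --init-groups loads the user's
# supplementary groups, --inh-caps -all empties the inheritable capability
# set and --reset-env hands bzip2 a minimal environment.
# Usage: run_as USER COMMAND [ARGS...]
run_as() {
    _u="$1"
    shift
    setpriv --init-groups --reuid "$_u" --regid "$_u" --inh-caps -all \
        --reset-env "$@"
}

# The job itself. The -f / ! -L checks skip symlinks and FIFOs (the blocking
# FIFO DoS from the report) but are racy on their own: a symlink swapped in
# after the check is still followed. The privilege drop is therefore the real
# fix: the open() happens as the nagios user and can only reach what that
# user could read or write anyway.
compress_archives() {
    # Same opt-in as the original job: do nothing unless the sysconfig switch
    # is set (that a non-empty value is enough is an assumption here).
    [ -r /etc/sysconfig/nagios ] && . /etc/sysconfig/nagios
    [ -n "${NAGIOS_COMPRESS_LOGFILES:-}" ] || return 0

    _user=$(nagios_user_from_cfg "$NAGIOS_CFG")
    for f in "$ARCHIVE_DIR"/*.log; do
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        # "--" keeps a file name starting with "-" from being read as an option
        run_as "$_user" /usr/bin/bzip2 -- "$f"
    done
}

# setpriv needs root; when sourced or run unprivileged this file only
# defines the functions above.
if [ "$(id -u)" -eq 0 ]; then
    compress_archives
fi
```

Dropped into /etc/cron.weekly it keeps the original opt-in via /etc/sysconfig/nagios; the result files bzip2 writes next to the inputs are then owned by the nagios user, as the directory already is.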
Please use CVE-2019-3698 for this
(In reply to lars.vogdt@suse.com from comment #3)
> Matthias: would the patch from comment #2 solve the issue from your point of view?

Lars, have you been able to come up with an adjusted patch, as suggested in comment 4, yet? Can you please submit updates for all codestreams? Thank you.
According to our disclosure policy [1] and the CRD date communicated in comment 7 the embargo has now ended. I'm publishing this bug, removing the embargo tag.

Since I intend to soon add badness to the new rpmlint-check for cron jobs, the nagios package will soon fail to build without a whitelisting, which depends on the bugfix discussed in this bug.

[1]: https://en.opensuse.org/openSUSE:Security_disclosure_policy
This is an autogenerated message for OBS integration: This bug (1156309) was mentioned in
https://build.opensuse.org/request/show/791853 Factory / nagios
https://build.opensuse.org/request/show/791855 15.1 / nagios
This is an autogenerated message for OBS integration: This bug (1156309) was mentioned in
https://build.opensuse.org/request/show/791861 15.1 / ansible+nagios
openSUSE-SU-2020:0500-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1028975,1119832,1156309
CVE References: CVE-2018-13441,CVE-2018-13457,CVE-2018-13458,CVE-2018-18245,CVE-2019-3698
Sources used:
openSUSE Leap 15.1 (src): nagios-4.4.5-lp151.5.4.1
openSUSE-SU-2020:0517-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1028975,1119832,1156309
CVE References: CVE-2018-13441,CVE-2018-13457,CVE-2018-13458,CVE-2018-18245,CVE-2019-3698
Sources used:
openSUSE Backports SLE-15-SP1 (src): nagios-4.4.5-bp151.4.3.1
updates released
SUSE-SU-2022:3576-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1014637,1156309
CVE References: CVE-2016-9566,CVE-2019-3698
JIRA References:
Sources used:
SUSE Manager Tools 12 (src): icinga-1.13.3-12.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:1629-1: An update that solves two vulnerabilities and contains one feature can now be installed.

Category: security (moderate)
Bug References: 1014637, 1156309
CVE References: CVE-2016-9566, CVE-2019-3698
Jira References: MSQA-775
Maintenance Incident: [SUSE:Maintenance:33763](https://smelt.suse.de/incident/33763/)
Sources used:
SUSE Manager Client Tools for SLE 12 (src): grafana-sap-providers-1.1-1.7.1, grafana-sap-netweaver-dashboards-1.0.3+git.1601889366.9f71957-1.10.1, icinga-1.13.3-12.8.1, grafana-ha-cluster-dashboards-1.1.0+git.1605027022.a84d536-1.10.1, hwdata-0.314-10.14.1, zeromq-4.0.4-15.8.1, sysuser-tools-2.0-1.9.1
SUSE Manager Client Tools Beta for SLE 12 (src): grafana-sap-providers-1.1-1.7.1, grafana-sap-netweaver-dashboards-1.0.3+git.1601889366.9f71957-1.10.1, icinga-1.13.3-12.8.1, grafana-ha-cluster-dashboards-1.1.0+git.1605027022.a84d536-1.10.1, zeromq-4.0.4-15.8.1, sysuser-tools-2.0-1.9.1
Advanced Systems Management Module 12 (src): zeromq-4.0.4-15.8.1
Containers Module 12 (src): sysuser-tools-2.0-1.9.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): sysuser-tools-2.0-1.9.1, grafana-sap-netweaver-dashboards-1.0.3+git.1601889366.9f71957-1.10.1, grafana-ha-cluster-dashboards-1.1.0+git.1605027022.a84d536-1.10.1, grafana-sap-providers-1.1-1.7.1
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): zeromq-4.0.4-15.8.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): sysuser-tools-2.0-1.9.1
SUSE Linux Enterprise Server 12 SP5 (src): sysuser-tools-2.0-1.9.1
SUSE Linux Enterprise Workstation Extension 12 12-SP5 (src): zeromq-4.0.4-15.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.