Bugzilla – Bug 1172731
VUL-0: CVE-2020-8024: hylafax+: Problematic permissions allow escalation from uucp to other users
Last modified: 2020-10-23 16:17:43 UTC
Found by Matthias Gerstner.

Most problematic is:

uucp:uucp -rwxr-xr-x /usr/lib64/libfaxserver.so.7.0.2

uucp can easily extend libfaxserver.so.7.0.2 to run arbitrary code. Example:

# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
# /usr/sbin/faxq
I'm a backdoor

Please set the permissions to root.root.
This issue will be handled according to our disclosure policy outlined in https://en.opensuse.org/openSUSE:Security_disclosure_policy

The information listed here is not public. Please do not talk to other people about this unless they're involved in fixing the issue.

In accordance with our policy we will make this issue public latest at Internal CRD: 2020-09-07 or earlier. This is the latest possible date and we prefer to make it public earlier if the situation allows it.

This is an internal finding, you can make it public whenever you have a fix ready.
This issue is branched to https://build.opensuse.org/package/show/home:DocB:branches:network:telephony/hylafax+ and should already be corrected. Please check.
(In reply to Axel Braun from comment #2)

I made the bug public. The repo doesn't seem to exist, can you please check?
(In reply to Johannes Segitz from comment #3)
> (In reply to Axel Braun from comment #2)
> I made the bug public. The repo doesn't seem to exist, can you please check?

It does. The link conversion in boo omits the '+' at the end. Just add it and you are there....
This is an autogenerated message for OBS integration: This bug (1172731) was mentioned in https://build.opensuse.org/request/show/815980 15.2 / hylafax+
This is an autogenerated message for OBS integration: This bug (1172731) was mentioned in https://build.opensuse.org/request/show/816416 15.2 / hylafax+
Thanks for the submission. Sorry for the delay, didn't see your reply in my mails (we had some issues there).

I don't think that this is sufficient. uucp can still change the binaries below /etc/hylafax/faxmail/application. I would suggest to have root own all below /etc/hylafax.

Also /var/spool/hylafax still belongs to uucp. With this uucp can still remove binaries from e.g. /var/spool/hylafax/bin and add his own there. For /var/spool/hylafax and below the default owner should be root, with exceptions being clearly defined.

Also Leap 15.1 still needs a submission please :)
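The review above boils down to a mechanical check: under /etc/hylafax and /var/spool/hylafax, everything should be owned by root and not writable by uucp, except for an explicit, short list of exceptions, and directory ownership matters as much as file ownership because the owner of a directory can replace root-owned files inside it. The script below is an added example written for this page, not code from the bug report or from the hylafax+ package. It reports every path in a tree that is not owned by the expected account or is group/other-writable, skipping paths on an allow-list file, and runs its stand-alone demo against a constructed directory layout (the spool-like names are assumptions). It assumes GNU findutils for -printf.

```shell
#!/bin/sh
# Added example, not code from this bug or from the hylafax+ package.
# Reports everything under a tree that a service account could tamper with:
# paths not owned by the expected owner, or writable by group/others.
# Requires GNU findutils for -printf (assumption).

# audit_tree TREE OWNER [ALLOWLIST]
# Prints "<owner> <octal mode> <path>" for each offending path, sorted.
# ALLOWLIST is a file with one absolute path per line that is permitted
# to deviate (the "clearly defined exceptions"); default: none.
audit_tree() {
    tree="$1"; owner="$2"; allow="${3:-/dev/null}"
    # Directories are checked too: whoever owns the directory can swap
    # out the root-owned files inside it (the /var/spool/hylafax/bin case).
    find "$tree" \( ! -user "$owner" -o -perm -020 -o -perm -002 \) \
        -printf '%u %m %p\n' |
    while IFS=' ' read -r u m p; do
        grep -qxF -- "$p" "$allow" && continue
        printf '%s %s %s\n' "$u" "$m" "$p"
    done | sort
}

# Constructed spool-like layout owned by the caller, so the demo works
# without root: only the mode bits differ between the entries.
make_sample_tree() {
    mkdir -p "$1/bin" "$1/recvq"
    chmod 755 "$1/bin"
    printf '#!/bin/sh\necho faxrcvd\n' > "$1/bin/faxrcvd"; chmod 755 "$1/bin/faxrcvd"
    printf 'RECEIVED="..."\n' > "$1/bin/dict-en";        chmod 664 "$1/bin/dict-en"
    chmod 1777 "$1/recvq"          # world-writable, as a receive queue might be
}

demo() {
    d=$(mktemp -d)
    make_sample_tree "$d"
    me=$(id -un)
    echo "== expected owner $me, no exceptions =="
    audit_tree "$d" "$me"
    echo "== with $d/recvq on the allow-list =="
    printf '%s\n' "$d/recvq" > "$d/allow.txt"; chmod 644 "$d/allow.txt"
    audit_tree "$d" "$me" "$d/allow.txt"
    rm -rf "$d"
}
demo
```

On a real system the call would be `audit_tree /var/spool/hylafax root /etc/hylafax-exceptions.txt` with the exception file mirroring the uucp-owned entries the package deliberately keeps; anything the script prints is either a packaging slip or a missing line in the exception file.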
(In reply to Johannes Segitz from comment #7)
> Thanks for the submission. Sorry for the delay, didn't see your reply in my
> mails (we had some issues there).
>
> I don't think that this is sufficient. uucp can still change the binaries
> below /etc/hylafax/faxmail/application. I would suggest to have root own all
> below /etc/hylafax.

Changed.

> Also /var/spool/hylafax still belongs to uucp. With this uucp can still
> remove binaries from e.g. /var/spool/hylafax/bin and add his own there. For
> /var/spool/hylafax and below the default owner should be root, with
> exceptions being clearly defined

I have done a couple of tests and fine-tuned the ownership: https://build.opensuse.org/package/show/home:DocB:branches:network:telephony/hylafax+ You may want to review the settings, but from my tests so far it looks good.

> Also Leap 15.1 still needs a submission please :)

Sure :-)
https://build.opensuse.org/request/show/818994 should fix the permissions
This is an autogenerated message for OBS integration: This bug (1172731) was mentioned in https://build.opensuse.org/request/show/819005 15.1 / hylafax+ https://build.opensuse.org/request/show/819006 15.2 / hylafax+
openSUSE-SU-2020:0958-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 1172731 CVE References: CVE-2020-8024 Sources used: openSUSE Leap 15.1 (src): hylafax+-7.0.2-lp151.4.3.1
I have submitted https://build.opensuse.org/request/show/825727 containing hylafax 7.0.3 - this should contain the remaining fixes @Johannes - please review and close bug if satisfied
This is an autogenerated message for OBS integration: This bug (1172731) was mentioned in https://build.opensuse.org/request/show/825731 Factory / hylafax+ https://build.opensuse.org/request/show/825733 15.2 / hylafax+ https://build.opensuse.org/request/show/825734 15.1 / hylafax+
(In reply to Axel Braun from comment #12)

Thanks for the submissions. The permissions are better, but still not perfect. E.g. in /var/spool/hylafax/bin most files are now owned by root, but genfontmap.ps is not. Why? PostScript is a Turing-complete language and as this file is used in /usr/sbin/faxsetup this might be used to escalate privileges (didn't try it).

Please reorder the file list to have all files with default permissions (e.g. owned by root) at the top and then have the exceptions at the end. Currently it's changed several times, which introduces unnecessary risks and makes it hard to read.

Please check if

%{faxspool}/config/*
%{faxspool}/bin/dict/*
%{faxspool}/bin/genfontmap.ps
%{faxspool}/bin/auto-rotate.ps
%{faxspool}%{_sysconfdir}/dpsprinter.ps
%{faxspool}%{_sysconfdir}/cover.templ
%{faxspool}%{_sysconfdir}/lutRS18.pcf
%{faxspool}%{_sysconfdir}/LiberationSans-25.pcf
%config(noreplace) %{faxspool}%{_sysconfdir}/dialrules*

really need to be owned by uucp.
I have regrouped the permissions and tested them on my local installation - hylafax still works :-) Please review https://build.opensuse.org/package/show/home:DocB:branches:network:telephony/hylafax+ before I submit. Thanks!
(In reply to Axel Braun from comment #15)

So I had a look and saw that %dir %{faxspool}/bin/dict is owned by uucp. This is problematic because some dict entries are eval'd and if uucp can edit them then this allows for code execution. E.g. bin/faxrcvd:

    if [ -f "$FILE" ]; then
        eval echo "$DICTRECEIVEDFROM";
    else
        eval echo "$DICTNOTRECEIVED";
    fi

Thus by editing the file for the current locale in /var/spool/hylafax/bin/dict this allows to execute arbitrary code. Please make %{faxspool}/bin/dict root owned.

I'm pretty sure I can continue to find issues as long as I look ;) But given that fax maybe will not be dominant technology of the 21st century I think that's enough time spent here. So with that last change we can close this bug.
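The eval'd dict entry described above is a classic template-injection primitive: the template is parsed by the shell a second time, so whoever can write the dict file gets command execution as the user running faxrcvd. The following is an added example for this page, not code from HylaFAX+ or from the bug; it reads a constructed dict file without sourcing it, shows the faxrcvd-style eval executing a command substitution planted in the template, and a hardened renderer that substitutes the one supported placeholder textually instead of re-parsing. Dict file names, the $SENDER placeholder and the marker file are assumptions. The actual fix in the bug is ownership (a root-owned dict directory); the rewrite is defense in depth on top of that.

```shell
#!/bin/sh
# Added example, not HylaFAX+ code. Shows why a uucp-writable dict file is
# a code-execution primitive when its values go through eval, next to a
# rendering that never hands the template back to the shell parser.
# Dict layout, variable names and placeholders are assumptions.

# Read one KEY="value" assignment as a literal string. Sourcing the dict
# with "." would already execute any shell code in it.
dict_get() {
    sed -n "s/^$2=\"\(.*\)\"\$/\1/p" "$1" | head -n 1
}

# Vulnerable (the faxrcvd pattern): eval re-parses the template so that
# $SENDER expands late, but so does any $(...) the file's owner put there.
render_unsafe() {
    SENDER="$2"
    tmpl=$(dict_get "$1" DICTRECEIVEDFROM)
    eval echo "$tmpl"
}

# Hardened: replace the one supported placeholder textually. The template
# is data, never code. (awk -v still interprets backslash escapes in the
# sender value; acceptable for this demo.)
render_safe() {
    dict_get "$1" DICTRECEIVEDFROM | awk -v s="$2" '{
        out = ""; rest = $0
        while ((n = index(rest, "$SENDER")) > 0) {
            out = out substr(rest, 1, n - 1) s
            rest = substr(rest, n + 7)
        }
        print out rest
    }'
}

# Constructed dict files: a benign one, and one edited by a hostile uucp
# that plants a command substitution (here: creating a marker file).
make_dicts() {
    printf '%s\n' 'DICTRECEIVEDFROM="Fax received from $SENDER"' > "$1/en.dict"
    printf '%s\n' 'DICTRECEIVEDFROM="Fax received from $SENDER $(touch '"$1"'/pwned)"' > "$1/evil.dict"
}

demo() {
    d=$(mktemp -d)
    make_dicts "$d"
    echo "safe:   $(render_safe "$d/evil.dict" Alice)"
    echo "unsafe: $(render_unsafe "$d/evil.dict" Alice)"
    [ -e "$d/pwned" ] && echo "marker created by eval: $d/pwned"
    rm -rf "$d"
}
demo
```

The safe renderer prints the planted `$(touch ...)` verbatim as part of the message, which is the correct failure mode: a garbled notification rather than a process spawned as the fax user.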
(In reply to Johannes Segitz from comment #16)
> Please make %{faxspool}/bin/dict root owned

It was, actually... but mentioned in the uucp section as well. Looks like the last wins.

> I'm pretty sure I can continue to find issues as long as I look ;) But given
> that fax maybe will not be dominant technology of the 21st century I think
> that's enough time spent here. So with that last change we can close this
> bug.

OK, thanks for your help on this!
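The slip in this comment, a path listed under both the root and the uucp %defattr blocks of a %files section so that, as the comment puts it, the last one appears to win, is easy to catch before submission. The following lint is an added example written for this page, not part of the hylafax+ spec or of OBS; it scans a %files section as plain text, records which %defattr was in force at each occurrence of a path, and reports every path seen more than once. Macros such as %{faxspool} are left unexpanded; the sample section is constructed in the shape of the one discussed here and assumes no whitespace inside %defattr(...).

```shell
#!/bin/sh
# Added example, not from the hylafax+ spec. Lint for a %files section:
# report paths listed more than once, with the %defattr in force at each
# occurrence. Assumes %defattr(...) is written without inner whitespace.

# find_duplicate_entries FILE
# Prints "<path> listed N times: <defattr at occurrence 1> <defattr at 2> ..."
find_duplicate_entries() {
    awk '
        /^[[:space:]]*$/ || /^#/ || /^%files/ { next }
        /^%defattr/ { ctx = $1; next }
        # Any other line: the path is the last field, after %dir/%config/%attr.
        { p = $NF; n[p]++; seen[p] = seen[p] " " ctx }
        END {
            for (p in n)
                if (n[p] > 1)
                    printf "%s listed %d times:%s\n", p, n[p], seen[p]
        }
    ' "$1" | sort
}

# Constructed %files fragment in the shape of the one discussed in the bug:
# the dict directory appears in the root block and again in the uucp block.
sample_files_section() {
    cat <<'EOF'
%files
%defattr(-,root,root)
%dir %{faxspool}/bin
%{faxspool}/bin/faxrcvd
%dir %{faxspool}/bin/dict
%defattr(-,uucp,uucp)
%dir %{faxspool}/bin/dict
%dir %{faxspool}/recvq
EOF
}

demo() {
    f=$(mktemp)
    sample_files_section > "$f"
    find_duplicate_entries "$f"
    rm -f "$f"
}
demo
```

Run against a real spec with `sed -n '/^%files/,$p' hylafax+.spec > files.txt; find_duplicate_entries files.txt`; an empty result means every path gets its ownership from exactly one place, which is what the "defaults first, exceptions last" layout asked for in comment #14 relies on.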
This is an autogenerated message for OBS integration: This bug (1172731) was mentioned in https://build.opensuse.org/request/show/842111 15.1 / hylafax+ https://build.opensuse.org/request/show/842112 15.2 / hylafax+
openSUSE-RU-2020:1700-1: An update that fixes one vulnerability is now available. Category: recommended (moderate) Bug References: 1172731 CVE References: CVE-2020-8024 JIRA References: Sources used: openSUSE Leap 15.2 (src): hylafax+-7.0.3-lp152.3.9.1 openSUSE Leap 15.1 (src): hylafax+-7.0.3-lp151.4.9.1
openSUSE-RU-2020:1711-1: An update that fixes one vulnerability is now available. Category: recommended (moderate) Bug References: 1172731 CVE References: CVE-2020-8024 JIRA References: Sources used: openSUSE Backports SLE-15-SP1 (src): hylafax+-7.0.3-bp151.6.8.1
openSUSE-RU-2020:1714-1: An update that fixes one vulnerability is now available. Category: recommended (moderate) Bug References: 1172731 CVE References: CVE-2020-8024 JIRA References: Sources used: openSUSE Backports SLE-15-SP2 (src): hylafax+-7.0.3-bp152.3.8.1