Bugzilla – Bug 1199280
VUL-0: CVE-2022-21950: canna: unsafe handling of /tmp/.iroha_unix
Last modified: 2024-05-03 13:23:32 UTC
The canna systemd service uses a publically accessible directory /tmp/.iroha_unix for placing a UNIX domain socket in it. The socket is accessible for all other users in the system. canna ships a systemd-tmpfiles configuration file to create this directory at boot time: /usr/lib/tmpfiles.d/canna-tmpfiles.conf: ``` d /tmp/.iroha_unix 0755 root root - ``` This is necessary, because otherwise arbitrary users in the system could pre-create this directory as long as cannaserver is not running, and cannaserver would be using an unsafe directory for placing its socket. cannaserver itself is attempting to create /tmp/.iroha_unix during startup but tolerates if the directory already exists. It does not run a sanity check on the permissions of this directory, however, so it will happily use an unsafe one. cannaserver does *not* clean up an already existing socket in this directory, however, it will fail to start instead if the socket already exists. The latter was the cause for bug 910933 which has been fixed by changing the canna.service unit like this: canna.service: ``` ExecPre=/bin/rm -rf /tmp/.iroha_unix ExecStart=/usr/sbin/cannaserver -s -u wnn -r /var/lib/canna ExecStopPost=/bin/rm -rf /tmp/.iroha_unix ``` This counteracts the initial idea of the systemd-tmpfiles configuration, because now there exist time windows again when /tmp/.iroha_unix is *not* existing, allowing other local users an attack. I tested an exploit and it is easily possible to wait for /tmp/.iroha_unix to be delete via `inotify_wait()` and then create a world-writable directory of mode 777 but owned by the attacker in its stead. cannaserver will then create its socket in the unsafe directory, the attacker can delete the socket again and place its own fake socket there. This means the attacker can intercept client connections and receive their input data and return back manipulated data. I will suggest a fix for this soon. A proper long-term fix is to to change the directory to /run/canna, there arbitrary users won't be able to stage attacks. For this the Canna.conf file in the build tree would need to be patched to change the UnixSockDir setting appropriately. In this form this is more like a SUSE specific bug. Upstream has no systemd service files and doesn't seem to suggest any integration for Linux. The default value for UnixSockDir is a bad one, however. Also there could be more hardening like sanity checking the socket directory's permissions at startup.
Created attachment 858707 [details] draft patch to move socket directory to /run/canna
The patch in attachment 858707 [details] is a suggestion on how to fix this.
Please use CVE-2022-21950
Affected: - SUSE:SLE-12:Update/canna 3.7p3 - openSUSE:Backports:SLE-15-SP3/canna 3.7p3 - openSUSE:Backports:SLE-15-SP4/canna 3.7p3 - openSUSE:Factory/canna 3.7p3
(In reply to cathy.hu@suse.com from comment #4) > Affected: > - SUSE:SLE-12:Update/canna 3.7p3 I don't think SLE-12 is affected, since the `ExecPre` and `ExecStopPost` lines are missing from the service file there.
Ah thanks, yes you are right. I made a mistake, SUSE:SLE-12:Update/canna is not affected.
Can you please give a time estimation when you will be able to work on this? According to our openSUSE disclosure policy there's a maximum of 90 days before we publish findings. This means if there is no fix until 2022-08-04 then we'll publish this bug an people will be vulnerable.
Internal CRD: 2022-08-04 or earlier
We now have a whitelisting restriction in place for systemd-tmpfiles configruation files in openSUSE:Factory. Since canna has a security issue involving this configuration file I did not whitelist it yet. Thus canna will start to fail to build in Factory in the future. In three weeks the embargo date will be reached at which time we will publish this security issue regardless of whether there is a fix or not.
Publishing this finding now. I will request to remove this package from Factory as it won't be building any more anyway. Please fix this issue, any of the maintainers can do it for Factory, qzhao needs to do it for openSUSE:Backports in SLE.
Requests are in: - openSUSE:Backports:SLE-15-SP3/canna 3.7p3 https://build.opensuse.org/request/show/993831 - openSUSE:Backports:SLE-15-SP4/canna 3.7p3 https://build.opensuse.org/request/show/993827 - openSUSE:Factory/canna 3.7p3 https://build.opensuse.org/request/show/993737 please review.
openSUSE-SU-2022:10090-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1199280 CVE References: CVE-2022-21950 JIRA References: Sources used: openSUSE Backports SLE-15-SP3 (src): canna-3.7p3-bp153.2.3.1
openSUSE-SU-2022:10091-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1199280 CVE References: CVE-2022-21950 JIRA References: Sources used: openSUSE Backports SLE-15-SP4 (src): canna-3.7p3-bp154.3.3.1
This is an autogenerated message for OBS integration: This bug (1199280) was mentioned in https://build.opensuse.org/request/show/998071 Factory / xemacs-packages
done, closing