So there are problems on multiple levels in the pesign package.

1) the hardening of the systemd service (harden_pesign.service.patch) breaks
   the execution of pesign-authorize. From the journal:

   pesign-authorize[3571]: setfacl: /etc/pki/pesign/: Read-only file system

2) if the pesign-authorize script runs then it is problematic. It runs with
   root privileges and runs setfacl recursively for /run/pesign/* and
   /etc/pki/pesign*/*. Both directories have read-write access for the pesign
   user.

   This is done for each user and group specified in /etc/pesign/users and
   /etc/pesign/groups. This is pesign:pesign by default. I don't know why this
   needs to be a dynamic list of users and groups.

   If a compromised pesign user or group account does something like this:

   root# sudo -u pesign -g pesign ln -s /root /etc/pki/pesign/attack

   Then after pesign-authorize runs all of /root will have ACLs for read-write
   access for pesign:pesign setup. This can be done for any directory using
   symlinks.

   The SUSE specific hardening of the systemd service, apart from breaking the
   script completely, prevents this attack on Tumbleweed.

   In the SLE-15:Update codestream of pesign two similar scripts exist:
   pesign-authorize-users and pesign-authorize-groups. They are also not
   hardened nor broken by hardening there. However, a different bug prevents
   the security issue: The paths are wrong, they are specified as
   /usr/libexec//pesign/pesign-authorize-{users,groups}, while they're
   actually installed in /usr/lib/...

   In SLE-12:Update the vulnerable script does not exist.

   So we got lucky here twice, but upstream the issue still exists. So on
   Fedora the vulnerability is effective as far as I can see.

3) The pesign service drops privileges to pesign:pesign but only after quite
   some code executed in the daemonize() function (setgid(), setgroups() and
   setuid() call). Before that happens `NSS_Init(certdir)` is called, where
   `certdir` is /etc/pki/pesign. This means the daemon is reading in the NSS
   certificates as root. Depending on the NSS implementation this might allow
   to the pesign user to read-in other users certificates that it would
   otherwise not have access to.

   From the strace it looks like the NSS library follows symlinks here:

   openat(AT_FDCWD, "/etc/pki/pesign/cert8.db", O_RDONLY) = 4

Next steps:

a) we need to report 2) and 3) to upstream
b) once we have fix(es) in place, apply them to affected codestreams
c) we need to fix the broken systemd hardening in Tumbleweed
d) we need to fix the broken paths in SLE-15

c) and d) should only be done after the fixes are applied, lest we actually
introduce the vulnerability in 2).

assigning to the maintainer.

For the hardenings the "fix" would be
ReadWritePaths=/etc/pki/
but I think the whole idea should be evaluated to see if this dynamic way of handling access is really necessary.

I am under the impression that there is only one user, pesign, for the daemon bu the authorize script did look fishy.

Red Hat assigned CVE-2022-3560 for the issue. There is no publication date
yet. Let's wait for more news from upstream.

Red Hat Security stated the following just recently:

    sorry about the delay. The upstream will fix that by making using of
    standard permissions on pesign instead of using ACLs.
    Also pesign-authorize will be deprecated and will be remove in future
    releases. Please find the patch attached.

The patch wasn't attached though. Also the maximum CRD will be reached
tomorrow. I try to talk to upstream to find out how to continue here.

linux-distros:

Hello,

a vulnerability was found on pesign demon, please check the description below.
CVE-2022-3560 was assigned to this vulnerability with CVSSv3.1 score of:

7.8/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

The planned unembargoe date is Jan 31st. The fix for this issue is
attached to this message.

Description of the issue:

"The pesign deamon started by the systemd service of the pesign
package in vulnerable to a path traversal vulnerability allow a local
privilege escalation. When properly exploited this flaw allows a
malicious unprivileged user with access to pesign user or group can
gain access to higher privileged files and directories."


Marco Benatto
Red Hat Product Security
secalert@redhat.com for urgent response

CRD: 2023-01-31

Created attachment 864606 [details]
patch

Thanks for the patch. Will start to merge the patch into the affected codestreams.

CRD: 2023-01-31 15:00 UTC

Upstream fix:
https://github.com/rhboot/pesign/commit/d8a8c259994d0278c59b30b41758a8dd0abff998

The script was removed right after the release of pesign 116.
https://github.com/rhboot/pesign/commit/09a41248f9f867e9aaf06e890621c392d36b52ec

oss-security:

Hello all,

a local privilege escalation vulnerability was found in pesign. This
vulnerability has been identified by CVE-2022-3560.

Description:

"The pesign deamon started by the systemd service of the pesign
package is vulnerable to a path traversal vulnerability allowing a local
privilege escalation. When properly exploited this flaw allows a
malicious unprivileged user with access to pesign user or group can
gain access to higher privileged files and directories."

CVSSv3.1:7.8/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

The patch for this issue is attached to this message.

I'd like to thank Matthias Gerstner from SUSE Security Team for
reporting this issue.

Marco Benatto
Red Hat Product Security
secalert@redhat.com for urgent response

(In reply to Matthias Gerstner from comment #1)
> c) we need to fix the broken systemd hardening in Tumbleweed
> d) we need to fix the broken paths in SLE-15
> 
> c) and d) should only be done after the fixes are applied, lest we actually
> introduce the vulnerability in 2).

Thanks for handling the fix!

Do you also take care of these issues?

(In reply to Matthias Gerstner from comment #18)
> (In reply to Matthias Gerstner from comment #1)
> > c) we need to fix the broken systemd hardening in Tumbleweed
> > d) we need to fix the broken paths in SLE-15
> > 
> > c) and d) should only be done after the fixes are applied, lest we actually
> > introduce the vulnerability in 2).
> 
> Thanks for handling the fix!
> 
> Do you also take care of these issues?

Sure. It's a part of my plan.

While backporting the patch to SLE15, I'm thinking about removing the pesign-authorize-users/groups scripts completely. For SLE/openSUSE, we never use the daemon mode to sign EFI images, and the signing script for the customers also just uses pesign directly. Besides, there was no complaint about the broken path in pesign.service.in, so I wonder if there is any real SLE/openSUSE user of daemon mode.

(In reply to glin@suse.com from comment #20)
> While backporting the patch to SLE15, I'm thinking about removing the pesign-authorize-users/groups scripts completely. For SLE/openSUSE, we never use the daemon mode to sign EFI images, and the signing script for the customers also just uses pesign directly. Besides, there was no complaint about the broken path in pesign.service.in, so I wonder if there is any real SLE/openSUSE user of daemon mode.

Technically this makes sense. The question is what the maintenance reviewers
make out of this, since formally "removal of functionality" is not allowed in
updates. One could argue that it never worked, but well...

Submitted the fix for SLE15, sr#289462.

As for Tumbleweed, upgrading pesign to 116 requires efivar 38 which couldn't be built with LTO/PIE(*), so I'd merge the upstream patch first and upgrade pesign when efivar are ready.

(*) https://bugzilla.suse.com/show_bug.cgi?id=1206388

The pesign fix is also in Factory now.
https://build.opensuse.org/request/show/1063715

Reassign the bug to the security team.

SUSE-SU-2023:0484-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1202933
CVE References: CVE-2022-3560
Sources used:
openSUSE Leap 15.4 (src): pesign-0.112-150000.4.15.1
Basesystem Module 15-SP4 (src): pesign-0.112-150000.4.15.1
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): pesign-0.112-150000.4.15.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): pesign-0.112-150000.4.15.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): pesign-0.112-150000.4.15.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): pesign-0.112-150000.4.15.1
SUSE Linux Enterprise Real Time 15 SP3 (src): pesign-0.112-150000.4.15.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): pesign-0.112-150000.4.15.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): pesign-0.112-150000.4.15.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): pesign-0.112-150000.4.15.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): pesign-0.112-150000.4.15.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): pesign-0.112-150000.4.15.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): pesign-0.112-150000.4.15.1
SUSE Manager Proxy 4.2 (src): pesign-0.112-150000.4.15.1
SUSE Manager Retail Branch Server 4.2 (src): pesign-0.112-150000.4.15.1
SUSE Manager Server 4.2 (src): pesign-0.112-150000.4.15.1
SUSE Enterprise Storage 7.1 (src): pesign-0.112-150000.4.15.1
SUSE Enterprise Storage 7 (src): pesign-0.112-150000.4.15.1
SUSE CaaS Platform 4.0 (src): pesign-0.112-150000.4.15.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.