Bug 1032717 - (CVE-2017-7572) VUL-0: CVE-2017-7572: backintime: usage of deprecated unix-process polkit authorization subject opens a race condition during authorization
(CVE-2017-7572)
VUL-0: CVE-2017-7572: backintime: usage of deprecated unix-process polkit aut...
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Distribution
Classification: openSUSE
Component: Security
Leap 42.2
Other Other
: P3 - Medium : Normal (vote)
: ---
Assigned To: Tejas Guruswamy
E-mail List
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-04-06 13:02 UTC by Matthias Gerstner
Modified: 2017-09-04 22:35 UTC (History)
5 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Matthias Gerstner 2017-04-06 13:02:27 UTC
backintime includes a DBus service helper 'qt/serviceHelper.py'. This helper
uses polkit to authorize some of its APIs, they should only be accessible
through entering the root password. The helper program uses the deprecated
"unix-process" authorization subject for this purpose, however. This polkit
authorization method is known to be affected by a "time of check, time of use"
race condition:

https://www.freedesktop.org/software/polkit/docs/latest/PolkitUnixProcess.html#polkit-unix-process-new
https://github.com/Kabot/Unix-Privilege-Escalation-Exploits-Pack/blob/master/2011/CVE-2011-1485/polkit-pwnage.c

To exploit this issue an attacker needs to be able to replace the PID of
process that requests an affected polkit privilege by a root owned process,
just in time for polkitd to assume that the requesting process was privileged
and no further password entry is required.

In the worst case this could allow a regular user to add udev rules to the
system that run commands in the context of the regular user, once a certain
udev event occurs. I don't think it is easily possible to gain root privileges
this way. This is because the serviceHelper wraps the udev commands in a sudo
call running as the user owning the requesting process. The determination of
this identity is done in a different, more secure way.

I've proposed a fix to upstream that changes the authorization mechanism to
"system-bus-name" which is considered safe and not affected by the described
race condition:

https://github.com/bit-team/backintime/commit/7f208dc547f569b689c888103e3b593a48cd1869

This issue was discovered by Sebastian Krahmer of the SUSE security team.
Comment 1 Matthias Gerstner 2017-04-06 13:13:00 UTC
This issue was found in the context of a general security review for
backintime in bug 1007723. While this issue on its own is not of high severity
the following circumstances call for quick action:

- There are more minor and moderate issues like a possible DoS in the DBus
service. I've created an upstream pull request addressing multiple issues:
https://github.com/bit-team/backintime/pull/727. Updates should be submitted
that contains all these fixes plus the patch from attachment 719151 [details].

- Affected versions of backintime are currently in Factory, Leap 42.1 and Leap
42.2. All these versions contain the DBus service that was never approved by
the security team. This was possible by suppressing the corresponding warnings
in the package's rpmlintrc.

Please submit fixed versions for Factory, Leap 42.1 and Leap 42.2!
Comment 2 Tejas Guruswamy 2017-04-21 05:50:32 UTC
The security fix, further hardening and packaging changes have been backported (to the best of my ability) to backintime 1.1.20, the current upstream release.
Updated package is now in obs://Archiving:Backup/backintime.
Maintenance requests for 42.1 and 42.2 (https://build.opensuse.org/request/show/489654) have been submitted based on this package (so a version update 1.1.6 -> 1.1.20) as the security patches did not apply easily to the earlier versions.

Only the Factory update is waiting.
Which comes first, the dbus service being added to the whitelist or a Factory submitrequest?

I am somewhat puzzled as to how this package was accepted into Factory in the first place, perhaps the submission predated the auto review of rpmlintrc's.
Comment 3 Bernhard Wiedemann 2017-04-21 12:19:43 UTC
This bug (1007723) was mentioned in
https://build.opensuse.org/request/show/489654 42.1+42.2 / backintime
Comment 4 Matthias Gerstner 2017-04-21 13:26:52 UTC
(In reply to masterpatricko@gmail.com from comment #2)

> Updated package is now in obs://Archiving:Backup/backintime.

Thank you for your effort. Looks good!

> Which comes first, the dbus service being added to the whitelist or a
> Factory submitrequest?

I will submit the whitelisting to factory, once the #sr is there you can
submit your package, too. Both submits can then be handled in the same Factory
staging project. I will give you an update when you can do this.

> perhaps the submission predated the auto review of rpmlintrc's.

We've informed the review team of the situation and they want to investigate
on this issue. It's probably some loophole or regression in the checker logic.
Comment 5 Swamp Workflow Management 2017-04-28 13:09:00 UTC
openSUSE-SU-2017:1124-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1007723,1032717
CVE References: CVE-2017-7572
Sources used:
openSUSE Leap 42.2 (src):    backintime-1.1.20-3.3.1
openSUSE Leap 42.1 (src):    backintime-1.1.20-3.1
Comment 6 Bernhard Wiedemann 2017-04-28 14:02:04 UTC
This is an autogenerated message for OBS integration:
This bug (1032717) was mentioned in
https://build.opensuse.org/request/show/491831 Factory / rpmlint
Comment 7 Bernhard Wiedemann 2017-05-03 12:01:00 UTC
This is an autogenerated message for OBS integration:
This bug (1032717) was mentioned in
https://build.opensuse.org/request/show/492617 Factory / polkit-default-privs
Comment 8 Matthias Gerstner 2017-05-08 09:58:26 UTC
The whitelisting is now in factory. Please submit backtintime to
Factory. Thank you.
Comment 9 Tejas Guruswamy 2017-05-17 18:26:35 UTC
Request 495451 has been accepted into Factory. Thanks all.

The request which allowed an rpmlintrc into factory was https://build.opensuse.org/request/show/333210, btw: an automatic submission which does not appear to have been reviewed by the usual bots.
Comment 12 Swamp Workflow Management 2017-09-04 19:08:33 UTC
SUSE-RU-2017:2341-1: An update that has 19 recommended fixes can now be installed.

Category: recommended (low)
Bug References: 1004346,1007053,1007723,1019748,1032649,1032717,1033296,1033554,1034309,1039290,1039709,1039848,1049694,846337,917781,984817,987141,996111,997880
CVE References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    rpmlint-1.5-41.3.1, rpmlint-mini-1.8-2.2.3