Bug#940848: nfs-utils:CVE-2019-3689: root-owned files stored in insecure /var/lib/nfs
Salvatore Bonaccorso
2019-09-20 20:10:01 UTC
Source: nfs-utils
Version: 1:1.3.4-2.5
Severity: normal
Tags: security upstream

Hi,

The following vulnerability was published for nfs-utils. Please note
that even though the description mentions the SUSE packages, in Debian
/var/lib/nfs is similarly used.

CVE-2019-3689[0]:
| The nfs-utils package in SUSE Linux Enterprise Server 12 before and
| including version 1.3.0-34.18.1 and in SUSE Linux Enterprise Server 15
| before and including version 2.1.1-6.10.2 the directory /var/lib/nfs
| is owned by statd:nogroup. This directory contains files owned and
| managed by root. If statd is compromised, it can therefore trick
| processes running with root privileges into creating/overwriting files
| anywhere on the system if fs.protected_symlinks is not set


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-3689
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3689
[1] https://bugzilla.suse.com/show_bug.cgi?id=1150733
[2] https://build.opensuse.org/request/show/731364

Regards,
Salvatore
Sylvain Beucler
2019-09-30 07:40:02 UTC
Hi,

I'm in the Debian LTS/ELTS team and considering an update for this issue.

Do you (package maintainers) intend to address it?
Or would you like a patch?

Cheers!
Sylvain
Sylvain Beucler
2019-10-09 14:40:03 UTC
Hi,

I submitted the following patch to address this issue:
https://salsa.debian.org/debian/nfs-utils/merge_requests/3/diffs

The source part of the fix was also submitted at:
https://bugzilla.linux-nfs.org/show_bug.cgi?id=338

I intend to push it to LTS/ELTS, I can also prepare an upload for
stable/oldstable if security-team wishes so.
What do you think?

To test:

pp/post_install_checknfs.sh:

#!/bin/sh -ex
# piuparts post-install hook: only enforce the ownership once the fixed
# nfs-common version is the one installed.
if [ -e /var/lib/nfs ]; then
    ls -ld /var/lib/nfs
    if [ "$(dpkg -l | grep ' nfs-common ' | awk '{print $3}')" != '1:1.3.4-2.6' ]; then
        exit 0
    fi
    if [ "$(stat -c '%U:%G' /var/lib/nfs)" != 'root:root' ]; then
        exit 1
    fi
fi

sudo piuparts -d bullseye nfs-utils_1.3.4-2.6_amd64.changes \
    --scriptsdir=$(pwd)/pp
sudo piuparts -d bullseye nfs-utils_1.3.4-2.6_amd64.changes \
    --scriptsdir=$(pwd)/pp --install-remove-install


Mount NFS with v3 mode to force statd:
$ sudo service rpcinfo stop
$ sudo service rpcinfo start
$ sudo mount -t nfs -o vers=3 127.0.0.1:/media/nfs /mnt/t
$ ps aux | grep statd
Ensure rpc.statd runs as 'statd' (not 'root').

Cheers!
Sylvain Beucler
Debian LTS Team
Sylvain Beucler
2019-10-14 08:10:01 UTC
Hi,

Incidentally I contacted SuSE security who agreed that
fs.protected_symlinks is not a valid mitigation
(they will update MITRE).

I also improved the piuparts check:
#!/bin/sh -ex
# piuparts post-install hook: after the fix /var/lib/nfs must be root-owned
# while the statd state directory /var/lib/nfs/sm stays owned by statd.
if [ -e /var/lib/nfs ]; then
    ls -ld /var/lib/nfs
    ls -ld /var/lib/nfs/sm
    if [ "$(dpkg -l | grep ' nfs-common ' | awk '{print $3}')" != '1:1.3.4-2.6' ]; then
        exit 0
    fi
    if [ "$(stat -c '%U:%G' /var/lib/nfs)" != 'root:root' ]; then
        exit 1
    fi
    if [ "$(stat -c '%U:%G' /var/lib/nfs/sm)" != 'statd:nogroup' ]; then
        exit 1
    fi
fi

Cheers!
Sylvain
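The advisory text at the top of this bug describes the underlying pattern (root-managed files inside a directory owned by the unprivileged statd account), and the piuparts hook above checks the two affected paths. The script below is an added example, not code from the bug report or from nfs-utils, that generalises that check into an audit of a whole tree for the same pattern; the sample entries and their file names are constructed placeholders, and the live wrapper assumes GNU find.

```shell
#!/bin/sh
# Added example, not from the bug report or nfs-utils: flag the pattern behind
# CVE-2019-3689, an entry owned by the privileged user (root by default) that
# sits directly inside a directory owned by a different account, whose owner
# could swap the entry for a symlink before root writes to it again.
PRIV_USER=${PRIV_USER:-root}

# stdin: one entry per line, "path<TAB>owner<TAB>type" (type d = directory),
# as emitted by GNU find -printf '%p\t%u\t%y\n'. Prints one line per finding.
flag_privileged_in_unprivileged_dirs() {
    awk -F '\t' -v priv="$PRIV_USER" '
        { path[NR] = $1; owner[NR] = $2; if ($3 == "d") dirowner[$1] = $2 }
        END {
            for (i = 1; i <= NR; i++) {
                parent = path[i]
                sub(/\/[^\/]*$/, "", parent)   # dirname of the entry
                if (parent == "") parent = "/"
                if (owner[i] == priv && (parent in dirowner) && dirowner[parent] != priv)
                    printf "%s owned by %s sits in %s owned by %s\n", path[i], owner[i], parent, dirowner[parent]
            }
        }'
}

# Live check of a real tree (needs GNU find); returns 1 when anything is flagged.
audit_tree() {
    findings=$(find "$1" -printf '%p\t%u\t%y\n' | flag_privileged_in_unprivileged_dirs)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed samples; the file names are placeholders, not real nfs-utils files.
sample_vulnerable() {   # pre-fix layout: /var/lib/nfs itself owned by statd
    printf '%s\t%s\t%s\n' \
        /var/lib/nfs statd d \
        /var/lib/nfs/root-managed-file root f \
        /var/lib/nfs/other-root-file root f \
        /var/lib/nfs/sm statd d \
        /var/lib/nfs/sm/statd-file statd f
}
sample_fixed() {        # post-fix layout: /var/lib/nfs root, only sm statd
    printf '%s\t%s\t%s\n' \
        /var/lib/nfs root d \
        /var/lib/nfs/root-managed-file root f \
        /var/lib/nfs/sm statd d \
        /var/lib/nfs/sm/statd-file statd f
}
sample_vulnerable | flag_privileged_in_unprivileged_dirs   # prints two findings
```

With the post-fix layout (/var/lib/nfs root-owned, only /var/lib/nfs/sm owned by statd) the audit prints nothing; `audit_tree /var/lib/nfs` runs the same logic against a real installation.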
Salvatore Bonaccorso
2020-03-10 10:10:02 UTC
Hi Sylvain,
https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commitdiff;h=fee2cc29e888f2ced6a76990923aef19d326dc0e
Thanks for the heads-up on the upstream fix! I committed the fix in our
debian/sid branch. Once the fix is exposed in unstable we can
cherry-pick it as well for stretch and buster.

Regards,
Salvatore
