CVE-2019-18899: apt-cacher-ng: openSUSE packaging for apt-cacher-ng runs the daemon as root instead of as an unprivileged user

oss-sec mailing list archives

From: Matthias Gerstner <mgerstner () suse de>

Date: Mon, 20 Jan 2020 15:50:28 +0100

Hi,

apt-cacher-ng is a caching proxy for downloading packages from
Debian-style software repositories [1]. In the course of a code review
of apt-cacher-ng I noticed a mismatch between upstream configuration and
the configuration used in the openSUSE packaging.

While the upstream configuration expects the daemon to run as the
apt-cacher-ng unprivileged user, the openSUSE packaging ships a
diverging systemd service unit configuration, causing the apt-cacher-ng
daemon to be running as the root user. Apart from a generally increased
attack surface by not lowering privileges, this causes the following
security issue:

Although the openSUSE packaging for apt-cacher-ng doesn't employ the
unprivileged apt-cacher-ng user, it still creates it in the system. The
directory /run/apt-cacher-ng is created for the apt-cacher-ng user via
a systemd-tmpfiles configuration file from the upstream sources. This
results in the apt-cacher-ng daemon running as root, which handles files
in /run/apt-cacher-ng which is owned by the apt-cacher-ng user. The
daemon correctly assumes that this directory is safe to handle without
precautions, but this assumption is broken by the bad packaging.

Therefore a compromised apt-cacher-ng user account can perform symlink
attacks in /run/apt-cacher-ng to cause writes to privileged file system
locations by root, once the apt-cacher-ng service is (re)started.
Furthermore the socket path /run/apt-cacher-ng/socket can be replaced by
an attacker-owned socket, thereby allowing him to hijack privileged
client connections to apt-cacher-ng. Additional unexplored security
issues could be possible.

An update for the broken packaging will be supplied for openSUSE Leap
15.1. Furthermore, since there is no active maintainer for the package
in openSUSE, the apt-cacher-ng package is removed from the
openSUSE:Factory project and thus from the openSUSE Tumbleweed rolling
release distribution in the future.

[1]: https://wiki.debian.org/AptCacherNg

Cheers

Matthias

-- 
Matthias Gerstner <matthias.gerstner () suse de>
Dipl.-Wirtsch.-Inf. (FH), Security Engineer
https://www.suse.com/security
Phone: +49 911 740 53 290
GPG Key ID: 0x14C405C971923553

SUSE Software Solutions Germany GmbH
HRB 36809, AG Nürnberg
Managing Director: Felix Imendörffer
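
The mismatch described in this message can be checked for mechanically. The following Python is an added example, not code from the original post, from apt-cacher-ng or from the openSUSE packaging: it compares a service unit's effective `User=` with the owner a systemd-tmpfiles line assigns to the runtime directory. The unit and tmpfiles contents are constructed samples, and the function names are assumptions of this example.

```python
# Constructed sample inputs (not the real upstream or openSUSE files).
UNIT_ROOT = """\
[Unit]
Description=Apt-Cacher NG software download proxy

[Service]
ExecStart=/usr/sbin/apt-cacher-ng -c /etc/apt-cacher-ng ForeGround=1
"""
UNIT_UNPRIV = UNIT_ROOT + "User=apt-cacher-ng\n"
TMPFILES = """\
# Type Path               Mode User          Group         Age
d      /run/apt-cacher-ng 0755 apt-cacher-ng apt-cacher-ng -
"""

def service_user(unit_text):
    """Return the effective User= of [Service]; system services default to root."""
    section, user = None, "root"
    for line in unit_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "User":
                user = value or "root"  # an empty assignment falls back to the default
    return user

def tmpfiles_dirs(tmpfiles_text):
    """Yield (path, owner) for directory-creating tmpfiles.d lines (types d and D)."""
    for line in tmpfiles_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        if fields[0][0] in "dD":
            # "-" or an omitted user means the invoking user: root for the system instance.
            owner = fields[3] if len(fields) > 3 and fields[3] != "-" else "root"
            yield fields[1], owner

def ownership_mismatches(unit_text, tmpfiles_text):
    """List runtime directories owned by a non-root account other than the daemon's."""
    run_as = service_user(unit_text)
    return [(path, owner, run_as)
            for path, owner in tmpfiles_dirs(tmpfiles_text)
            if owner != "root" and owner != run_as]

if __name__ == "__main__":
    for path, owner, run_as in ownership_mismatches(UNIT_ROOT, TMPFILES):
        print(f"{path}: owned by {owner}, but the daemon runs as {run_as}")
```

A unit without `User=` is flagged because root then operates inside a directory that another account can modify; the same unit with `User=apt-cacher-ng` produces no findings.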