CVE-2021-42257: check_smart.pl: unprivileged user can alter hard drive settings

Related Vulnerabilities: CVE-2021-42257

oss-sec
mailing list archives
From: Wolfgang Frisch <wolfgang.frisch () suse com>

Date: Thu, 14 Oct 2021 19:47:12 +0200

Hello oss-security,

during a routine audit of scripts in openSUSE, I discovered a
vulnerability in `check_smart.pl` [4], a plugin for systems monitoring
software to monitor the values of SMART attributes of hard and solid
state drives, using smartmontools in the background.

## Brief
`check_smart.pl` [1][2] from version 6.1 through 6.9 contained
insufficient input validation that allowed an unprivileged user to
modify SMART settings, disable SMART monitoring entirely, shut down a
drive or degrade a drive's performance by disabling its read cache. The
bug was fixed with the release of version 6.9.1 [3].

## Detailed description
`check_smart.pl` needs to run as root in order to execute `smartctl`.
This is achieved with an entry in `/etc/sudoers`, which allows a lesser
privileged user, e.g. the one the monitoring system runs under, to
execute it. User input that is passed to `smartctl` is sufficiently
validated apart from one minor oversight.

The -d parameter is validated as follows:
if (-b $opt_dl || -c $opt_dl || $opt_dl =~ m/\/dev\/bus\/\d/) {
  # OK
} else {
  # NOT OK
}

Later on, this parameter is passed verbatim to smartctl:
my $full_command = "$smart_command -d $interface -Hi $device";

So an acceptable device name would be a block special device, a char
special device or match the regex `/dev/bus/\d`. Critically, this regex
matches even when /dev/bus/\d is just a _substring_ of any arbitrary
directory, for example `/tmp/dev/bus/1/sda`.

This can be exploited to pass arbitrary parameters to smartctl, some of
which affect the drive's behavior negatively:

### Steps to reproduce
su -l -s /bin/bash nagios
mkdir -p /tmp/dev/bus/1/
ln -s /dev/sda /tmp/dev/bus/1/
ls -l /tmp/dev/bus/1/sda

/usr/lib/nagios/plugins/check_smart --debug -i auto -d "/tmp/dev/bus/1/sda -s off"

SMART Disabled.

The upstream developer Claudio Kuenzler was very responsive and quickly
remediated the problem with the release of check_smart-6.9.1 [3].

[1] https://github.com/Napsty/check_smart
[2] https://www.claudiokuenzler.com/monitoring-plugins/check_smart.php
[3] https://www.claudiokuenzler.com/blog/1068/check_smart-6.9.1-security-fix-release-pseudo-device-path
[4] https://bugzilla.suse.com/show_bug.cgi?id=1183057

Best regards,
Wolfgang

--
Wolfgang Frisch <wolfgang.frisch () suse com>
Security Engineer
OpenPGP fingerprint: A2E6 B7D4 53E9 544F BC13  D26B D9B3 56BD 4D4A 2D15
SUSE Software Solutions Germany GmbH
Maxfeldstr. 5, 90409 Nuremberg, Germany
(HRB 36809, AG Nürnberg)
Managing Director: Felix Imendörffer
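The unanchored substring check quoted in the advisory beside an anchored validator, as an added example that is not part of the original message or of check_smart.pl; the hardened validator is an assumed design, not the upstream 6.9.1 fix, and the three inputs are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Original check as quoted in the advisory: the regex has no anchors, so
# "/dev/bus/<digit>" is accepted anywhere inside a caller-chosen string.
sub device_ok_vulnerable {
    my ($dev) = @_;
    return 1 if -b $dev || -c $dev;
    return 1 if $dev =~ m/\/dev\/bus\/\d/;
    return 0;
}

# Hardened validator (assumed design, not the upstream 6.9.1 fix):
#  - the whole value must be one clean token rooted under /dev, so a space
#    or a leading "-" can never become a second smartctl argument once the
#    string is interpolated into the shell command;
#  - the /dev/bus/N form must match from start to end;
#  - block/char specials are only accepted under /dev, not through a
#    symlink placed in a user-writable directory.
sub device_ok_hardened {
    my ($dev) = @_;
    return 0 unless defined $dev;
    return 0 unless $dev =~ m{\A/dev/[A-Za-z0-9_./:-]+\z};
    return 1 if $dev =~ m{\A/dev/bus/\d+\z};
    return 1 if -b $dev || -c $dev;
    return 0;
}

# Constructed inputs: one legitimate value and the two shapes from the
# advisory (a fake directory, and the same path with a smuggled option).
my @inputs = (
    '/dev/bus/0',
    '/tmp/dev/bus/1/sda',
    '/tmp/dev/bus/1/sda -s off',
);
for my $in (@inputs) {
    printf "%-28s vulnerable=%d hardened=%d\n",
        $in, device_ok_vulnerable($in), device_ok_hardened($in);
}
```

Independently of the validator, building the smartctl invocation with the list form of `system()` instead of a single interpolated string keeps the whole `-d` value as one argv element, so a smuggled ` -s off` could not be split off into its own option.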