apparmor: CVE-2017-6507


Debian Bug report logs - #858768


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 26 Mar 2017 11:51:01 UTC

Severity: important

Tags: security, upstream

Found in versions apparmor/2.9.0-3, apparmor/2.11.0-2, apparmor/2.7.103-4

Fixed in version apparmor/2.11.0-3

Done: intrigeri <intrigeri@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://launchpad.net/bugs/1668892



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian AppArmor Team <pkg-apparmor-team@lists.alioth.debian.org>:
Bug#858768; Package src:apparmor. (Sun, 26 Mar 2017 11:51:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian AppArmor Team <pkg-apparmor-team@lists.alioth.debian.org>. (Sun, 26 Mar 2017 11:51:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: apparmor: CVE-2017-6507
Date: Sun, 26 Mar 2017 13:48:40 +0200
Source: apparmor
Version: 2.11.0-2
Severity: important
Tags: security upstream
Forwarded: https://launchpad.net/bugs/1668892

Hi,

the following vulnerability was published for apparmor.

CVE-2017-6507[0]:
| An issue was discovered in AppArmor before 2.12. Incorrect handling of
| unknown AppArmor profiles in AppArmor init scripts, upstart jobs,
| and/or systemd unit files allows an attacker to possibly have increased
| attack surfaces of processes that were intended to be confined by
| AppArmor. This is due to the common logic to handle 'restart'
| operations removing AppArmor profiles that aren't found in the typical
| filesystem locations, such as /etc/apparmor.d/. Userspace projects that
| manage their own AppArmor profiles in atypical directories, such as
| what's done by LXD and Docker, are affected by this flaw in the
| AppArmor init script logic.

This should also affect apparmor as used in Debian, as "The
Debian/Ubuntu packaging for the apparmor package is also affected by
this flaw as it attempts to restart AppArmor when configuring a new
AppArmor package."

But I'm not sure if we need to release a DSA for this issue, as I'm not
too familiar with apparmor, and I'm not sure what other projects apart
from LXD and Docker might use profiles in atypical directories.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-6507
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6507
[1] https://launchpad.net/bugs/1668892

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Marked as found in versions apparmor/2.9.0-3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 26 Mar 2017 11:57:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian AppArmor Team <pkg-apparmor-team@lists.alioth.debian.org>:
Bug#858768; Package src:apparmor. (Mon, 27 Mar 2017 21:06:11 GMT)


Acknowledgement sent to Antoine Beaupre <anarcat@orangeseeds.org>:
Extra info received and forwarded to list. Copy sent to Debian AppArmor Team <pkg-apparmor-team@lists.alioth.debian.org>. (Mon, 27 Mar 2017 21:06:11 GMT)


Message #12 received at 858768@bugs.debian.org:

From: Antoine Beaupre <anarcat@orangeseeds.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 858768@bugs.debian.org
Subject: Re: Bug#858768: apparmor: CVE-2017-6507
Date: Mon, 27 Mar 2017 17:04:33 -0400
Control: found -1 2.7.103-4
Control: notfound -1 2.9.0-3

Here's some more information about that security issue that I could
glean from testing and other sources.

To reproduce this in wheezy, you first need to install apparmor:

apt-get install apparmor apparmor-profiles
sed -i -e 's/GRUB_CMDLINE_LINUX_DEFAULT="/&security=apparmor /' /etc/default/grub
update-grub
reboot
# check that apparmor is running
sudo service apparmor status

then you can use the reproducer provided here:

https://bugs.launchpad.net/apparmor/+bug/1668892/comments/12

which is, basically:

$ echo "profile test {}" | sudo apparmor_parser -qr
$ sudo grep "test (enforce)" /sys/kernel/security/apparmor/profiles
test (enforce)
$ sudo service apparmor restart
$ sudo grep "test (enforce)" /sys/kernel/security/apparmor/profiles

The above is an edited quote from a wheezy system, which shows wheezy is
vulnerable.

Jessie, on the other hand, does not seem to be vulnerable:

root@jessie:/home/vagrant# echo "profile test {}" | sudo apparmor_parser -qr
root@jessie:/home/vagrant# grep "test (enforce)" /sys/kernel/security/apparmor/profiles
test (enforce)
root@jessie:/home/vagrant# service apparmor restart
root@jessie:/home/vagrant# grep "test (enforce)" /sys/kernel/security/apparmor/profiles
test (enforce)
root@jessie:/home/vagrant# 

It is unclear why wheezy is affected and not jessie.

This issue, however, takes effect only when Apparmor is actually in use
by third-party, non-default rules. This is the case for dynamic rules
loaded by Docker and LXC, for example.

I am not sure Docker is really supported in Debian. The Docker.io
package is badly out of shape and is not in testing anymore. It has 7
opened RC bugs there. It's not in stable and the backport is out of
date, so the impact for docker is limited. Besides, if anyone is
trusting Docker to contain execution, they are probably mistaken
anyways.

LXC, however, is in Debian, all the way back into Wheezy, so it's more
of a concern. The impact here is that people running VMs under LXC would
lose any sort of isolation as soon as apparmor is restarted, either
through a package upgrade or an operator manipulation.

However, according to Wikipedia, kernels before 3.8 do not allow for
proper isolation, and a root user in a LXC could escape into the host,
as root:

    https://en.wikipedia.org/wiki/LXC#Security

This makes the impact of this issue somewhat limited on wheezy, as
there are already other more nasty ways to escape those old and insecure
LXC restrictions. I would be ready to assume that no one runs LXC under
wheezy and assume proper isolation.

Jessie, however, does ship with a kernel newer than 3.8 (3.16) and a 1.0
LXC which is supposed to offer good isolation protection, although it's
not clear to me that the Debian configuration actually does offer this.

I will therefore mark the issue as <no-dsa> (Experimental/unsupported
feature) in wheezy, and recommend to mark the issue as "<not-affected>
(?)" in jessie once my tests are confirmed by a third-party.

A.

Marked as found in versions apparmor/2.7.103-4. Request was from Antoine Beaupre <anarcat@orangeseeds.org> to 858768-submit@bugs.debian.org. (Mon, 27 Mar 2017 21:06:11 GMT)


No longer marked as found in versions apparmor/2.9.0-3. Request was from Antoine Beaupre <anarcat@orangeseeds.org> to 858768-submit@bugs.debian.org. (Mon, 27 Mar 2017 21:06:13 GMT)


Marked as found in versions apparmor/2.9.0-3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 28 Mar 2017 06:39:08 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian AppArmor Team <pkg-apparmor-team@lists.alioth.debian.org>:
Bug#858768; Package src:apparmor. (Tue, 28 Mar 2017 08:42:02 GMT)


Acknowledgement sent to intrigeri <intrigeri@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian AppArmor Team <pkg-apparmor-team@lists.alioth.debian.org>. (Tue, 28 Mar 2017 08:42:02 GMT)


Message #23 received at 858768@bugs.debian.org:

From: intrigeri <intrigeri@debian.org>
To: Antoine Beaupre <anarcat@orangeseeds.org>
Cc: Salvatore Bonaccorso <carnil@debian.org>, 858768@bugs.debian.org
Subject: Re: Bug#858768: apparmor: CVE-2017-6507
Date: Tue, 28 Mar 2017 10:38:41 +0200
Antoine Beaupre:
> Here's some more information about that security issue that I could
> glean from testing and other sources.

Thanks!

I intend to work on this today, but certainly wouldn't mind if one of
my team-mates took the lead on it (after coordinating with me so we
avoid duplicating work :)

Cheers,
-- 
intrigeri



Reply sent to intrigeri <intrigeri@debian.org>:
You have taken responsibility. (Tue, 28 Mar 2017 11:36:06 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 28 Mar 2017 11:36:06 GMT)


Message #28 received at 858768-close@bugs.debian.org:

From: intrigeri <intrigeri@debian.org>
To: 858768-close@bugs.debian.org
Subject: Bug#858768: fixed in apparmor 2.11.0-3
Date: Tue, 28 Mar 2017 11:33:50 +0000
Source: apparmor
Source-Version: 2.11.0-3

We believe that the bug you reported is fixed in the latest version of
apparmor, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 858768@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
intrigeri <intrigeri@debian.org> (supplier of updated apparmor package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 28 Mar 2017 10:29:15 +0000
Source: apparmor
Binary: apparmor apparmor-utils apparmor-profiles libapparmor-dev libapparmor1 libapparmor-perl libapache2-mod-apparmor libpam-apparmor apparmor-notify python-libapparmor python3-libapparmor python-apparmor python3-apparmor dh-apparmor apparmor-easyprof
Architecture: source
Version: 2.11.0-3
Distribution: unstable
Urgency: medium
Maintainer: Debian AppArmor Team <pkg-apparmor-team@lists.alioth.debian.org>
Changed-By: intrigeri <intrigeri@debian.org>
Closes: 858768
Description: 
 apparmor-easyprof - AppArmor easyprof profiling tool
 apparmor-notify - AppArmor notification system
 apparmor-profiles - profiles for AppArmor Security policies
 apparmor   - user-space parser utility for AppArmor
 apparmor-utils - utilities for controlling AppArmor
 dh-apparmor - AppArmor debhelper routines
 libapache2-mod-apparmor - changehat AppArmor library as an Apache module
 libapparmor1 - changehat AppArmor library
 libapparmor-dev - AppArmor development libraries and header files
 libapparmor-perl - AppArmor library Perl bindings
 libpam-apparmor - changehat AppArmor library as a PAM module
 python3-apparmor - AppArmor Python3 utility library
 python3-libapparmor - AppArmor library Python3 bindings
 python-apparmor - AppArmor Python utility library
 python-libapparmor - AppArmor library Python bindings
Changes:
 apparmor (2.11.0-3) unstable; urgency=medium
 .
   * Fix CVE-2017-6507: don't unload unknown profiles during package
     configuration or when restarting the apparmor init script, upstart job, or
     systemd unit as this could leave processes unconfined (Closes: #858768).
     Changes cherry-picked from Ubuntu's 2.11.0-2ubuntu3:
     - debian/apparmor.postinst, debian/apparmor.init, debian/apparmor.upstart:
       Remove calls to unload_obsolete_profiles()
     - debian/patches/utils-add-aa-remove-unknown.patch,
       debian/apparmor.install debian/apparmor.manpages: Include a new utility,
       aa-remove-unknown, which can be used to unload unknown profiles. Based
       on an upstream patch but adjusted to source the /lib/apparmor/functions
       shipped in Debian/Ubuntu.
Checksums-Sha1: 
 2ef5a755def67ee644ba7d5440071951554b6277 3098 apparmor_2.11.0-3.dsc
 5c427fb74c1f2ce3acb9f731e1265f44c43e491d 82112 apparmor_2.11.0-3.debian.tar.xz
Checksums-Sha256: 
 9214a631718111bf2a15830bde3ce709ed0f2de4a0d8779a5be47f40bdaa6464 3098 apparmor_2.11.0-3.dsc
 25857dcef3e0866de64545c12b4ed328ed75d7b98462603bcf766b13882a8c66 82112 apparmor_2.11.0-3.debian.tar.xz
Files: 
 632d877fb58a4126c16a3a68fd83b145 3098 admin extra apparmor_2.11.0-3.dsc
 56f5e337a2acb12f9d44529badcf346c 82112 admin extra apparmor_2.11.0-3.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEcMAxqZeuB0p8dimNy2kI2AAOzf4FAljaRa8ACgkQy2kI2AAO
zf5IxQ//T2wmwtexipxEmwlyh/HKOPSRJyq3TmgXt4Or+5yzCVPruSQRkBR8PQp0
CIDascJB+Q7lC+WIlIX/oicUYRjHWkLGyfpNJ+cjbfK9BJtJnxoOyx0AcaHVyO+2
Aucea8R3wa2qZzzFQKlJPd/JLkSeA+DWNKdwFW38vhbKM7HCtGtIhv3YYtnqXwFt
SiNuuE6MAsfy7UqxQrCBkR5rchEG3HfY6UBgo6EBxfcMtvIF1RaMVuNVsoU2FE+X
o1QzxPdCt5PE7cmyLTT2NRyJZT0q4FNrrXBx932bAME+8ABvieKPoVSoXe0SwUDo
hc6r4HYX4Qn1XNAAte0MQERP61TwnLjLAH5+JlJmdWzoIV2IJknd/aQmu43y8Vtd
0Yy6NybY+1I8Aa+O0hZWDrTBs7ABVP+6XjBWB9f0z0v+pRkETKO39UbKc/vZMQ5g
z836V+3NYsQpTw93cgB9JPtAUr9OqRqo9XxrkBDX00oaE+IRnpCiwWRTJLloDvSj
/e3q/4f69KR14ryrFqIrNmmYw22aCdkJTTOAy4+ouKTRvBQIS5ThY+BC8AsKeT7s
ZvAajnmRt5WpPiVYs81wjL57jNGInTjtNm0WX4Ykwtef7O7xdq/HcyGpCmcwP4ip
vwbz4+bYxJ7gCgLnhlvbau3U56Y55jm5qK+3z14DPzmGF0WaN20=
=4taG
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Debian AppArmor Team <pkg-apparmor-team@lists.alioth.debian.org>:
Bug#858768; Package src:apparmor. (Tue, 28 Mar 2017 12:30:03 GMT)


Acknowledgement sent to intrigeri <intrigeri@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian AppArmor Team <pkg-apparmor-team@lists.alioth.debian.org>. (Tue, 28 Mar 2017 12:30:03 GMT)


Message #33 received at 858768@bugs.debian.org:

From: intrigeri <intrigeri@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, Ola Lundqvist <ola@inguza.com>
Cc: Antoine Beaupre <anarcat@orangeseeds.org>, 858768@bugs.debian.org
Subject: Re: Bug#858768: apparmor: CVE-2017-6507
Date: Tue, 28 Mar 2017 14:27:35 +0200
Hi,

Antoine Beaupre:
> Jessie, on the other hand, does not seem to be vulnerable:

From my reading of the code, it seems that Wheezy, Jessie and Stretch
are all vulnerable, but only when using sysvinit. I've just fixed this
issue in sid, and filed an unblock request for Stretch.

But systems running systemd should not be vulnerable, as systemd
doesn't use the "restart" action of initscripts: instead, it runs
"stop" then "start". And the "stop" action in /etc/init.d/apparmor
does not unload profiles (since 2.1+961-0ubuntu2 according to the
changelog). I think this explains why Antoine could not reproduce the
problem on Jessie.

Salvatore: with this in mind, do you think we should fix this problem
in Jessie? If yes, with a DSA or jessie-pu?

Ola: the minimal fix for Wheezy is to cherry-pick the part of r1624
(in Vcs-Bzr) that removes calls to unload_obsolete_profiles, ignoring
the bits about aa-remove-unknown:
https://alioth.debian.org/scm/loggerhead/collab-maint/apparmor/revision/1624

Cheers,
-- 
intrigeri
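The mechanism intrigeri describes above (sysvinit "restart" computing the set of loaded profiles that no file under /etc/apparmor.d defines and unloading them, versus systemd's "stop" then "start" leaving every loaded profile in place) is modelled in the following added illustration. This is not code from the apparmor package, from /lib/apparmor/functions, or from anyone in this thread; the profile listing, the shipped-policy list and the helper names (loaded_profile_names, unknown_profiles, profiles_after) are all constructed for the example, and nothing here touches a real kernel. The set returned by unknown_profiles is also the set that the aa-remove-unknown utility introduced in 2.11.0-3 exists to unload explicitly and on demand, rather than as a side effect of every restart.

```shell
#!/bin/sh
# Added illustration, not code from Debian's apparmor package or its
# /lib/apparmor/functions: it models the "unknown profile" computation that
# the pre-2.11.0-3 sysvinit "restart" path ran via unload_obsolete_profiles(),
# so the effect on LXC/Docker policy can be seen without touching a kernel.
# Every input below is constructed; the helper names are assumptions.

# Constructed stand-in for /sys/kernel/security/apparmor/profiles: the first
# two come from /etc/apparmor.d, the rest were loaded by LXC, Docker and the
# reproducer from the thread.
KERNEL_PROFILES='/usr/sbin/tcpdump (enforce)
/usr/bin/man (complain)
lxc-container-default (enforce)
docker-default (enforce)
test (enforce)'

# Constructed list of the profile names defined under /etc/apparmor.d.
SHIPPED_PROFILES='/usr/sbin/tcpdump
/usr/bin/man'

# One profile name per line, with the trailing " (mode)" removed.
loaded_profile_names() {
    printf '%s\n' "$1" | sed 's/ ([a-z]*)$//'
}

# Profiles loaded in the kernel that no file in the policy directory defines.
# This is the set the old restart path unloaded, and it is exactly where
# container managers keep their policy.
unknown_profiles() {
    kernel="$1"; shipped="$2"
    loaded_profile_names "$kernel" | while IFS= read -r name; do
        if ! printf '%s\n' "$shipped" | grep -qxF -- "$name"; then
            printf '%s\n' "$name"
        fi
    done
}

# Profiles still loaded after a given init action, per the thread's analysis:
# "restart" (sysvinit) dropped the unknown profiles; "stop" then "start" (what
# systemd runs instead) leaves every loaded profile in place, because "stop"
# does not unload anything and "start" only (re)loads the shipped policy.
profiles_after() {
    action="$1"; kernel="$2"; shipped="$3"
    case "$action" in
        restart)
            loaded_profile_names "$kernel" | while IFS= read -r name; do
                if printf '%s\n' "$shipped" | grep -qxF -- "$name"; then
                    printf '%s\n' "$name"
                fi
            done ;;
        stop_then_start)
            loaded_profile_names "$kernel" ;;
        *)
            echo "unknown action: $action" >&2; return 2 ;;
    esac
}

# Stand-alone demo: which confinement a sysvinit restart silently removed.
echo "unknown profiles (unloaded by the old sysvinit restart):"
unknown_profiles "$KERNEL_PROFILES" "$SHIPPED_PROFILES"
echo "still loaded after a systemd-style stop then start:"
profiles_after stop_then_start "$KERNEL_PROFILES" "$SHIPPED_PROFILES"
```

On a real host the equivalent check is to compare the kernel's profile list before and after the init action, as Antoine's reproducer does: any name present before and absent afterwards was confinement that a process may still believe it has. Processes already running under an unloaded profile are left unconfined; reloading the profile later does not retroactively re-confine them.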



Information forwarded to debian-bugs-dist@lists.debian.org, Debian AppArmor Team <pkg-apparmor-team@lists.alioth.debian.org>:
Bug#858768; Package src:apparmor. (Tue, 28 Mar 2017 12:45:02 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian AppArmor Team <pkg-apparmor-team@lists.alioth.debian.org>. (Tue, 28 Mar 2017 12:45:02 GMT)


Message #38 received at 858768@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: intrigeri <intrigeri@debian.org>
Cc: Ola Lundqvist <ola@inguza.com>, Antoine Beaupre <anarcat@orangeseeds.org>, 858768@bugs.debian.org
Subject: Re: Bug#858768: apparmor: CVE-2017-6507
Date: Tue, 28 Mar 2017 14:41:26 +0200
Hi!

On Tue, Mar 28, 2017 at 02:27:35PM +0200, intrigeri wrote:
> Hi,
> 
> Antoine Beaupre:
> > Jessie, on the other hand, does not seem to be vulnerable:
> 
> From my reading of the code, it seems that Wheezy, Jessie and Stretch
> are all vulnerable, but only when using sysvinit. I've just fixed this
> issue in sid, and filed an unblock request for Stretch.
> 
> But systems running systemd should not be vulnerable, as systemd
> doesn't use the "restart" action of initscripts: instead, it runs
> "stop" then "start". And the "stop" action in /etc/init.d/apparmor
> does not unload profiles (since 2.1+961-0ubuntu2 according to the
> changelog). I think this explains why Antoine could not reproduce the
> problem on Jessie.
> 
> Salvatore: with this in mind, do you think we should fix this problem
> in Jessie? If yes, with a DSA or jessie-pu?

Thanks for the analysis. I have just marked the issue as no-dsa; I
think this does not warrant one, but it can be fixed in an upcoming point
release.

Thanks a lot for your quick followups.

Regards,
Salvatore



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 28 Apr 2017 07:28:03 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:10:06 2019; Machine Name: beach
