Message-ID: <40abdc05-0c65-860b-f657-827ba790078d@redhat.com> Date: Tue, 16 Aug 2016 15:38:02 +0530 From: Huzaifa Sidhpurwala <huzaifas@...hat.com> To: oss-security@...ts.openwall.com Subject: firewalld: Firewall configuration can be modified by any logged in user Hi All, FirewallD provides dbus api for modification of configuration after user has been authenticated via polkit. This does not apply for 5 methods which can be called by any logged user using dbus api or firewall-cmd cli interface. Any predefined policy can be used, server or desktop. list of concerned dbus methods in firewalld.py addPassthrough removePassthrough addEntry removeEntry setEntries Any locally logged in user, could use the above firewalld commands to tamper or change the firewall settings. This flaw was introduced via the following commit: https://github.com/t-woerner/firewalld/commit/6b9867cd5c5e2c83adeec42666521a420e59ef11 It affects all firewalld versions since 0.3.12 We have assigned CVE-2016-5410 to this flaw and this issue was previously disclosed via the linux-distros mailing list. A proposed patch is enclosed with this email.
--- a/src/firewall/server/firewalld.py
+++ a/src/firewall/server/firewalld.py
@@ -61,8 +61,8 @@ class FirewallD(slip.dbus.service.Object):
persistent = True
""" Make FirewallD persistent. """
- default_polkit_auth_required = config.dbus.PK_ACTION_INFO
- """ Use config.dbus.PK_ACTION_INFO as a default """
+ default_polkit_auth_required = config.dbus.PK_ACTION_CONFIG
+ """ Use config.dbus.PK_ACTION_CONFIG as a default """
@handle_exceptions
def __init__(self, *args, **kwargs):
@@ -2128,6 +2128,7 @@ class FirewallD(slip.dbus.service.Object):
# DIRECT PASSTHROUGH (tracked)
+ @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_DIRECT)
@dbus_service_method(config.dbus.DBUS_INTERFACE_DIRECT, in_signature='sas', out_signature='')
@dbus_handle_exceptions
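Review bot: Flipping `default_polkit_auth_required` from PK_ACTION_INFO to PK_ACTION_CONFIG is the part of this patch that actually fails closed — any D-Bus method that lacks its own `require_auth` now demands CONFIG authorization instead of being callable by any local user — but it equally raises the bar for every read-only method that was relying on the class default rather than an explicit `@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_INFO)`. Those getters are not visible in this hunk, so they should be audited before merge, otherwise unprivileged `firewall-cmd --list-*` / `--query-*` style calls may start prompting for CONFIG authorization. The docstring should record the reason so a later refactor does not quietly relax it: `""" Default to PK_ACTION_CONFIG so a method that forgets an explicit require_auth fails closed (CVE-2016-5410). """`. `__init__` continues outside the hunk.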
@@ -2141,6 +2142,7 @@ class FirewallD(slip.dbus.service.Object):
self.fw.direct.add_passthrough(ipv, args)
self.PassthroughAdded(ipv, args)
+ @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_DIRECT)
@dbus_service_method(config.dbus.DBUS_INTERFACE_DIRECT, in_signature='sas', out_signature='')
@dbus_handle_exceptions
@@ -2256,6 +2258,7 @@ class FirewallD(slip.dbus.service.Object):
# set entries # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
+ @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG)
@dbus_service_method(config.dbus.DBUS_INTERFACE_IPSET, in_signature='ss', out_signature='')
@dbus_handle_exceptions
@@ -2268,6 +2271,7 @@ class FirewallD(slip.dbus.service.Object):
self.fw.ipset.add_entry(ipset, entry)
self.EntryAdded(ipset, entry)
+ @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG)
@dbus_service_method(config.dbus.DBUS_INTERFACE_IPSET, in_signature='ss', out_signature='')
@dbus_handle_exceptions
@@ -2301,7 +2305,7 @@ class FirewallD(slip.dbus.service.Object):
log.debug1("ipset.getEntries('%s')" % ipset)
return self.fw.ipset.get_entries(ipset)
- @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_INFO)
+ @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG)
@dbus_service_method(config.dbus.DBUS_INTERFACE_IPSET, in_signature='sas')
@dbus_handle_exceptions
def setEntries(self, ipset, entries, sender=None): # pylint: disable=W0613
-- Huzaifa Sidhpurwala / Red Hat Product Security Team
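Review bot: The `def` line the new `require_auth` decorator attaches to is cut off at the end of the hunk, so it is not visible whether this passthrough method declares the `sender` keyword that slip's polkit check presumably needs the way `setEntries(self, ipset, entries, sender=None)` in the -2301 hunk does — worth confirming, since a decorator on a method that never receives the sender cannot authorize anyone. The decorator is placed outermost, above `@dbus_service_method`, which matches the only pre-existing `require_auth` shown in this patch (`setEntries`); keep that order consistent across all five methods. Choosing `PK_ACTION_DIRECT` here while the ipset methods use `PK_ACTION_CONFIG` lines up with the interface named on each `@dbus_service_method` line (`DBUS_INTERFACE_DIRECT` vs `DBUS_INTERFACE_IPSET`) and looks intentional, but a one-line comment would stop a reviewer from reading it as a typo: `# direct-interface mutator: gate on PK_ACTION_DIRECT, never the class default`.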
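Review bot: `setEntries` is the one method in this patch that was not missing a decorator but carried the wrong one — an explicit `PK_ACTION_INFO` on a mutator — and the class-default change in the -61 hunk would not have caught that, so the fix should come with a regression test rather than trusting the default. A unit test that iterates the `FirewallD` methods exposed via `@dbus_service_method` and asserts that none whose name starts with `add`/`remove`/`set` resolves to `PK_ACTION_INFO` (reading whatever attribute `slip.dbus.polkit.require_auth` records on the function) would have flagged all five of the CVE-2016-5410 methods and will catch the next one. The context lines also show `getEntries` returning `self.fw.ipset.get_entries(ipset)` with no explicit decorator visible above them; if it is relying on the class default it now requires CONFIG authorization for a read-only query, which needs confirming against the lines above this hunk.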