Message-ID: <20200120145027.GF10486@f195.suse.de>
Date: Mon, 20 Jan 2020 15:50:28 +0100
From: Matthias Gerstner <mgerstner@...e.de>
To: oss-security@...ts.openwall.com
Subject: CVE-2019-18899: apt-cacher-ng: openSUSE packaging for apt-cacher-ng
 runs the daemon as root instead of as an unprivileged user

Hi,

apt-cacher-ng is a caching proxy for downloading packages from
Debian-style software repositories [1]. In the course of a code review
of apt-cacher-ng I noticed a mismatch between upstream configuration and
the configuration used in the openSUSE packaging.

While the upstream configuration expects the daemon to run as the
apt-cacher-ng unprivileged user, the openSUSE packaging ships a
diverging systemd service unit configuration, causing the apt-cacher-ng
daemon to be running as the root user. Apart from a generally increased
attack surface by not lowering privileges, this causes the following
security issue:

Although the openSUSE packaging for apt-cacher-ng doesn't employ the
unprivileged apt-cacher-ng user, it still creates it in the system. The
directory /run/apt-cacher-ng is created for the apt-cacher-ng user via
a systemd-tmpfiles configuration file from the upstream sources. This
results in the apt-cacher-ng daemon running as root, which handles files
in /run/apt-cacher-ng which is owned by the apt-cacher-ng user. The
daemon correctly assumes that this directory is safe to handle without
precautions, but this assumption is broken by the bad packaging.

Therefore a compromised apt-cacher-ng user account can perform symlink
attacks in /run/apt-cacher-ng to cause writes to privileged file system
locations by root, once the apt-cacher-ng service is (re)started.
Furthermore, the socket path /run/apt-cacher-ng/socket can be replaced by
an attacker-owned socket, thereby allowing him to hijack privileged
client connections to apt-cacher-ng. Additional unexplored security
issues could be possible.

An update for the broken packaging will be supplied for openSUSE Leap
15.1. Furthermore, since there is no active maintainer for the package
in openSUSE, the apt-cacher-ng package is removed from the
openSUSE:Factory project and thus from the openSUSE Tumbleweed rolling
release distribution in the future.

[1]: https://wiki.debian.org/AptCacherNg

Cheers

Matthias

-- 
Matthias Gerstner <matthias.gerstner@...e.de>
Dipl.-Wirtsch.-Inf. (FH), Security Engineer
https://www.suse.com/security
Phone: +49 911 740 53 290
GPG Key ID: 0x14C405C971923553

SUSE Software Solutions Germany GmbH
HRB 36809, AG Nürnberg
Geschäftsführer: Felix Imendörffer
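
An added example, not part of the original message and not code from the openSUSE or upstream packaging: a Python audit check for the mismatch described above, where a service runs as root while systemd-tmpfiles hands its runtime directory to an unprivileged user. The unit and tmpfiles.d contents are constructed samples (binary path and directory mode are assumptions), and the function names are hypothetical.

```python
# Constructed samples; not the actual openSUSE or upstream files.
UNIT_ROOT = """\
[Unit]
Description=apt-cacher-ng (constructed sample)
[Service]
ExecStart=/usr/sbin/apt-cacher-ng
"""
UNIT_UNPRIV = UNIT_ROOT + "User=apt-cacher-ng\nGroup=apt-cacher-ng\n"
TMPFILES = """\
# Type Path Mode User Group Age
d /run/apt-cacher-ng 2755 apt-cacher-ng apt-cacher-ng -
"""

ROOT_NAMES = {"root", "0", "-"}  # "-" in tmpfiles.d means the default owner, root


def service_user(unit_text):
    """Effective user of a system service; without User= systemd runs it as root."""
    section, user = None, "root"
    for raw in unit_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and line.startswith("User="):
            # An empty assignment is treated here as "back to the default".
            user = line.split("=", 1)[1].strip() or "root"
    return user


def tmpfiles_dirs(tmpfiles_text):
    """Yield (path, owner) for directory-creating (d/D) tmpfiles.d lines."""
    for line in tmpfiles_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue
        if fields[0][0] in "dD":
            yield fields[1], fields[3]


def find_mismatches(unit_text, tmpfiles_text):
    """Directories owned by a non-root user but handled by a root-run service."""
    user = service_user(unit_text)
    if user not in ROOT_NAMES:
        return []
    return [(path, owner, user) for path, owner in tmpfiles_dirs(tmpfiles_text)
            if owner not in ROOT_NAMES]


if __name__ == "__main__":
    for path, owner, user in find_mismatches(UNIT_ROOT, TMPFILES):
        print(f"{path}: owned by {owner}, but the service runs as {user}")
```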
