Univention Bugzilla – Bug 56324
machine.secret visible in process list via check_univention_joinstatus
Last modified: 2023-11-02 09:12:45 CET
/usr/share/univention-monitoring-client/scripts/check_univention_joinstatus makes LDAP searches every 5 minutes which reveal the /etc/machine.secret via the "-w" CLI argument. → we should provide the password via a password file instead.

Original report:
---
Hello Univention Security Team,

my name is Raphael Kuhn and I am a security engineer at DriveByte GmbH. In the course of a security assessment at a customer, I recently came into contact with UCS. While doing so, I noticed that the script /usr/share/univention-monitoring-client/scripts//check_univention_joinstatus performs an ldapsearch in which the machine.secret is leaked. Since the spawning of processes and the associated command line is visible to every logged-in user, this can, depending on the permissions of the system, amount to a privilege escalation. The machine.secret is therefore leaked contrary to the permissions set on it (readable only as root). The processes can easily be monitored with tools such as pspy. In the case of our assessment, this led to us being able to query sensitive information (NT hashes etc.) from LDAP with the privileges of the system.

If this is a configuration issue, I would be glad if you could send me a link to the part of the documentation that describes the solution to the problem. If it is not a configurable issue, I ask you to fix the problem. In that case, the question would also be whether you will take care of creating a CVE, or whether we should do that on our side. If you take care of it on your side, we would appreciate DriveByte GmbH being credited.

If you have any questions, feel free to contact me/us.
Instead of "-w $password", "-y /etc/machine.secret" is now used.

univention-monitoring-client.yaml
1745869fc12d | fix(monitoring): prevent machine.secret content to appear in the process list

univention-monitoring-client (1.0.2-3)
1745869fc12d | fix(monitoring): prevent machine.secret content to appear in the process list
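As an added illustration (not Univention code and not an attachment of this bug), the following POSIX shell audit looks for the pattern the bug describes: an OpenLDAP client started with its bind password in argv ("-w <secret>"), which any local user can read through /proc/<pid>/cmdline, while the "-y <file>" form introduced by the fix passes the check. The sample command lines at the top are constructed; the tool names and the /etc/machine.secret path are the ones mentioned in this bug.

```shell
#!/bin/sh
# Added example, not Univention code: audit command lines for OpenLDAP clients
# that pass the bind password as an argument ("-w <secret>"). argv is world-
# readable via /proc/<pid>/cmdline, so such a secret leaks to every local user;
# the "-y <file>" form used by the fix for this bug keeps it out of argv.

# Constructed sample command lines (one per line): lines 1 and 3 leak a secret,
# line 2 is the fixed form, line 4 is an unrelated tool that also takes "-w".
SAMPLE_CMDLINES='ldapsearch -x -D cn=host,dc=example,dc=org -w hunter2 -b dc=example,dc=org uid=host
ldapsearch -x -D cn=host,dc=example,dc=org -y /etc/machine.secret -b dc=example,dc=org uid=host
/usr/bin/ldapmodify -D cn=admin,dc=example,dc=org -whunter2 -f change.ldif
grep -w root /etc/passwd'

# Return 0 (true) when one command line passes a bind password via "-w".
cmdline_leaks_bind_password() {
    line=$1
    set -f                       # no globbing while splitting the command line
    set -- $line
    set +f
    case "${1##*/}" in           # only OpenLDAP client tools are of interest
        ldapsearch|ldapmodify|ldapadd|ldapdelete|ldapcompare|ldappasswd|ldapwhoami) ;;
        *) return 1 ;;
    esac
    while [ $# -gt 0 ]; do
        case "$1" in
            -w)   [ -n "$2" ] && return 0 ;;   # "-w secret": secret is in argv
            -w?*) return 0 ;;                  # "-wsecret": attached form
            -y)   shift ;;                     # "-y file": skip the filename, safe
        esac
        shift
    done
    return 1
}

# Count leaking command lines read one per line from stdin.
count_leaking_cmdlines() {
    n=0
    while IFS= read -r cmdline; do
        if cmdline_leaks_bind_password "$cmdline"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Live check of this host: /proc/<pid>/cmdline is NUL-separated, so convert
# NULs to spaces first. Only the part before "-w" is printed, never the secret.
scan_running_processes() {
    for f in /proc/[0-9]*/cmdline; do
        cmdline=$(tr '\0' ' ' < "$f" 2>/dev/null) || continue
        [ -n "$cmdline" ] || continue
        if cmdline_leaks_bind_password "$cmdline"; then
            pid=${f#/proc/}; pid=${pid%/cmdline}
            echo "LEAK pid=$pid: ${cmdline%% -w*} -w <redacted>"
        fi
    done
}

if [ "${1:-}" = "--live" ]; then
    scan_running_processes
else
    printf '%s\n' "$SAMPLE_CMDLINES" | count_leaking_cmdlines   # prints 2
fi
```

Without arguments the script evaluates the constructed samples and prints 2; with --live it walks /proc on the current host and reports only the program and bind DN in front of the -w flag, so the audit itself never re-exposes the secret.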
QA:
- machine secret does not appear in process list anymore: OK
- advisories: OK
- no related tracebacks/errors in logfiles: OK
<https://errata.software-univention.de/#/?erratum=5.0x743>
CVE-2023-38994 was reserved by mitre for this issue. Greetings, DriveByte
[5.0-4] a3cccec9e0 Bug #56324: univention-monitoring-client 1.0.2-4
 doc/errata/published/2023-07-19_743_univention-monitoring-client.yaml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

https://www.drive-byte.de/en/blog/simple-yet-effective-the-story-of-some-simple-bugs-that-led-to-the-complete-compromise-of-a-network
Who can make https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38994 public?
(In reply to Florian Best from comment #7)
> Who can make https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38994
> public?

Hi Florian,

this can only be made by mitre. They will publish, as soon as they can find all relevant information online so they can link them.

They want the following information:

[NAME OF AFFECTED PRODUCT(S)]
[AFFECTED AND/OR FIXED VERSION(S)]
[PROBLEM TYPE] – must contain at least one: Vulnerability Type, Root Cause, or Impact
[DESCRIPTION]

(can also be found here:
https://www.cve.org/ResourcesSupport/AllResources/CNARules#section_8-1_cve_record_information_requirements
https://www.cve.org/ResourcesSupport/AllResources/CNARules#section_8-3_cve_record_reference_requirements)

I submitted this bugtracker, the release notes as well as our blog (will be updated soon with your input). It seems like something is still missing (even though I think all requested information is within the submitted resources).
(In reply to Raphael Kuhn from comment #8)
> (In reply to Florian Best from comment #7)
> > Who can make https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38994
> > public?
>
> Hi Florian,
>
> this can only be made by mitre. They will publish, as soon as they can find
> all relevant information online so they can link them.

I requested to publish it, which has been done now.

> They want the following information:
>
> [NAME OF AFFECTED PRODUCT(S)]

Univention Corporate Server: https://www.cvedetails.com/version-list/20110/57105/1/Univention-Univention-Corporate-Server.html

> [AFFECTED AND/OR FIXED VERSION(S)]

Affected: UCS 5.0-0, UCS 5.0-1, UCS 5.0-2, UCS 5.0-3, UCS 5.0-4, UCS 5.0-5
Fixed version: UCS 5.0-5-errata743

> [PROBLEM TYPE] – must contain at least one: Vulnerability Type, Root Cause,
> or Impact

Vulnerability Type: Information Disclosure
Root cause: Insecure Handling of Passwords
Impact: Gain higher privileges, read user password hashes

> [DESCRIPTION]

The `check_univention_joinstatus` prometheus monitoring script (and other scripts) in UCS 5.0-5 revealed the LDAP plaintext password of the machine account in the process list, allowing attackers with local ssh access to gain higher privileges and perform follow-up attacks. By default, the configuration of UCS does not allow local ssh access for regular users.

> (can also be found here:
> https://www.cve.org/ResourcesSupport/AllResources/CNARules#section_8-1_cve_record_information_requirements
> https://www.cve.org/ResourcesSupport/AllResources/CNARules#section_8-3_cve_record_reference_requirements)
>
> I submitted this bugtracker, the release notes as well as our blog (will be
> updated soon with your input). It seems like something is still missing
> (even though I think all requested information is within the submitted
> resources).

They now published it.
Awesome! Thanks for the support in this matter!