
[CVE-2020-26880] root privilege escalation from user sympa by modifying sympa.conf #1009

Closed
Beuc opened this issue Oct 7, 2020 · 7 comments
Beuc commented Oct 7, 2020

Note by admin: this issue is dedicated to measures against CVE-2020-26880.


Version

any

Installation method

any

Expected behavior

user 'sympa' only executes specific tasks as root and cannot gain more privileges, following the principle of privilege separation

Actual behavior

user 'sympa' can obtain full root shell access

Additional information

Following up on #943 (comment)

A more concrete vulnerability you document in your patch is that sympa.conf (as well as its entire directory) is owned by user 'sympa', so an attacker who compromised [the 'sympa' user] can directly edit the main [sympa.conf] and escalate to root.

Given that the configuration file is parsed as root through the setuid sympa_newaliases-wrapper, and can execute arbitrary commands through its backticks syntax, there is an unintentional privilege escalation from sympa to full root shell access.

The information is public in the aforementioned thread, hence this bug introduces no confidential information and is reported publicly as well.
(This also allows for CVE assignment for small projects without a CNA able to run a full embargo procedure.)

Mitigations include replacing sympa_newaliases-wrapper by an alternate alias manager, see e.g. https://tribut.de/blog/sympa-and-postfix .

Credit goes to @lightsey .
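The weakness described in this report is a configuration file that an unprivileged service user owns but that a setuid-root helper parses. The following audit script is an added example for checking that condition on a host, not code from the Sympa project or from the reporter: it takes a config path and the service user name as arguments and reports whether that user could modify the file directly (ownership or world-write on the file) or replace it (ownership or world-write on its directory). It assumes GNU coreutils `stat`; the sample file in the usage section is constructed for illustration.

```shell
#!/bin/sh
# audit_conf_owner.sh (example, not part of Sympa): verify that a config
# file consumed by a setuid-root helper is not modifiable by the
# unprivileged service user.

# check_conf_not_writable_by CONF SERVICE_USER
# Returns 0 when SERVICE_USER cannot edit or replace CONF,
#         1 when it can (owner of file/dir, or file/dir world-writable),
#         2 when the path cannot be inspected.
check_conf_not_writable_by() {
    conf="$1"
    svc_user="$2"
    dir=$(dirname "$conf")
    status=0
    # The directory matters too: owning it allows replacing the file
    # even if the file itself is root-owned.
    for p in "$conf" "$dir"; do
        owner=$(stat -c '%U' "$p") || return 2
        mode=$(stat -c '%a' "$p") || return 2
        if [ "$owner" = "$svc_user" ]; then
            echo "UNSAFE: $p is owned by $svc_user (mode $mode)"
            status=1
            continue
        fi
        # Last octal digit is the "other" class; bit value 2 is write.
        other=$(( mode % 10 ))
        if [ $(( other & 2 )) -ne 0 ]; then
            echo "UNSAFE: $p is world-writable (mode $mode)"
            status=1
        fi
    done
    if [ "$status" -eq 0 ]; then
        echo "OK: $conf cannot be modified by $svc_user"
    fi
    return $status
}

# Usage: audit_conf_owner.sh /path/to/sympa.conf [service_user]
# (no arguments: define the function only, e.g. when sourced)
if [ $# -ge 1 ]; then
    check_conf_not_writable_by "$1" "${2:-sympa}"
fi
```

Run it against the path your installation actually uses; a safe layout for a file parsed as root is root-owned, mode 0644 or stricter, in a root-owned directory, with the service user holding only what it needs to read.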

ikedas (Member) commented Oct 7, 2020

Hi @Beuc ,
Please e-mail me. I want to talk with you privately.

@ikedas ikedas added the security label Oct 7, 2020
@ikedas ikedas changed the title root privilege escalation from user sympa by modifying sympa.conf [CVE-2020-26880] root privilege escalation from user sympa by modifying sympa.conf Oct 8, 2020
Beuc (Author) commented Oct 8, 2020

To clarify, the backticks syntax is the most trivial method, but probably not the only one.

The core issue identified here is running sympa as root with a configuration file modified by the attacker.

ikedas (Member) commented Oct 8, 2020

> To clarify, the backticks syntax is the most trivial method, but probably not the only one.
>
> The core issue identified here is running sympa as root with a configuration file modified by the attacker.

Which is the core issue, either that Sympa is running as root or that a configuration file is modified by the attacker?


EDIT: @Beuc, I received your mail. I understood the core issue is that
Sympa is running as root even when it should not.

Beuc (Author) commented Oct 9, 2020

This was assigned CVE-2020-26880.
(It tracks the combination of both.)

I agree with your understanding.
For clarity here, what I suggested in my mail is to only run /usr/bin/newaliases as root (rather than sympa itself).

Note: I'm acting here as a Debian LTS contributor, so my purpose is to track a known security issue to ensure it will get fixed in Debian eventually; a code audit from an IT security professional would be the proper way to clarify this and get advice on other possible issues in sympa :)

ikedas (Member) commented Oct 9, 2020

n.b. This issue #1009 will be treated as the meta-issue while particular measures and analyses will be discussed elsewhere (e.g. #946).

> Note: I'm acting here as a Debian LTS contributor, so my purpose is to track a known security issue to ensure it will get fixed in Debian eventually; a code audit from an IT security professional would be the proper way to clarify this and get advice on other possible issues in sympa :)

I understand that. @Beuc, thank you for addressing the point!

racke (Contributor) commented Jan 19, 2021

See also #1086.

ikedas (Member) commented Apr 24, 2021

I understand #946 & #1086 fix this issue. I'll close it.

@ikedas ikedas closed this as completed Apr 24, 2021
@ikedas ikedas unpinned this issue Apr 27, 2021