Bug 11406

Summary:	xinetd - ignores user and group directives for tcpmux services (CVE-2013-4342)
Product:	Mageia	Reporter:	Oden Eriksson <oe>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	major
Priority:	Normal	CC:	balaton, davidwhodgins, luigiwalser, sysadmin-bugs, tmb
Version:	3	Keywords:	validated_update
Target Milestone:	---
Hardware:	i586
OS:	Linux
URL:	http://lwn.net/Vulnerabilities/569768/
Whiteboard:	MGA2TOO has_procedure MGA3-64-OK MGA2-64-OK MGA3-32-OK MGA2-32-OK
Source RPM:		CVE:
Status comment:

Description Oden Eriksson 2013-10-08 11:09:14 CEST

https://bugzilla.redhat.com/show_bug.cgi?id=1006100

" thomas.swan@gmail.com 2013-09-09 22:48:06 EDT

Created attachment 795808 [details]
preliminary patch to set credentials before execve

Description of problem:

If a tcpmux service is enabled, the user and group directives are ignored and the service always runs as root. Verified in the xinetd codebase and affects all active versions of RHEL and Fedora.  Without the fix for CVE-2012-0862, previously exposed non-tcpmux services could run as root bypassing their respective user and group restrictions.

Version-Release number of selected component (if applicable):
2.3.15-6

How reproducible:
Always

Steps to Reproduce:
1. Enabled tcpmux-server 
2. Create a sample tcpmux service

   service testcred
   {
      id = tcpmux-testcred
      disable = no
      user = nobody
      group = nobody
      socket_type = stream
      type = TCPMUXPLUS UNLISTED
      flags = NAMEINARGS
      server = /usr/bin/id
      server_args = id
      wait = no
   }

3. telnet localhost 1
4. type testcred

Actual results:
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
testcred 
+Go
uid=0(root) gid=0(root) groups=0(root)

Expected results:
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
testcred 
+Go
uid=99(nobody) gid=99(nobody) groups=99(nobody)
"

Reproducible: 

Steps to Reproduce:

Comment 1 Oden Eriksson 2013-10-08 11:09:36 CEST

Fixed packages has been submitted for all.

Comment 2 David Walser 2013-10-08 14:41:04 CEST

Thanks Oden!

Advisory:
========================

Updated xinetd packages fix security vulnerability:

It was found that xinetd ignored the user and group configuration
directives for services running under the tcpmux-server service. This flaw
could cause the associated services to run as root. If there was a flaw in
such a service, a remote attacker could use it to execute arbitrary code
with the privileges of the root user (CVE-2013-4342).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4342
https://rhn.redhat.com/errata/RHSA-2013-1409.html
========================

Updated packages in core/updates_testing:
========================
xinetd-2.3.15-1.1.mga2
xinetd-simple-services-2.3.15-1.1.mga2
xinetd-2.3.15-3.1.mga3
xinetd-simple-services-2.3.15-3.1.mga3

from SRPMS:
xinetd-2.3.15-1.1.mga2.src.rpm
xinetd-2.3.15-3.1.mga3.src.rpm

Version: 2 => 3
Assignee: bugsquad => qa-bugs
Summary: CVE-2013-4342: xinetd - ignores user and group directives for tcpmux services => xinetd - ignores user and group directives for tcpmux services (CVE-2013-4342)
Whiteboard: (none) => MGA2TOO
Severity: normal => major

Comment 3 Dave Hodgins 2013-10-08 19:08:59 CEST

Testing complete on Mageia 3 x86_64
Before
# telnet 127.0.0.1 1
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
testcred
+Go
uid=0(root) gid=0(root) groups=0(root)
Connection closed by foreign host.

After installing the update
# telnet 127.0.0.1 1
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
testcred
+Go
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
Connection closed by foreign host.

Note, for step 1, to enable the tcpmux server, create a file such as
]# cat /etc/xinetd.conf/tcpmux
service tcpmux
  {
     type                = INTERNAL
     id                  = tcpmux
     socket_type         = stream
     protocol            = tcp
     user                = root
     wait                = no
  }

In the testcred config file, change the group from nobody to nogroup.

CC: (none) => davidwhodgins
Whiteboard: MGA2TOO => MGA2TOO MGA3-64-OK has_procedure

Comment 4 Dave Hodgins 2013-10-08 19:13:12 CEST

Advisory 11406.adv committed to svn.

David Walser 2013-10-08 19:22:35 CEST

URL: https://rhn.redhat.com/errata/RHSA-2013-1409.html => http://lwn.net/Vulnerabilities/569768/

Comment 5 Zoltan Balaton 2013-10-09 11:25:03 CEST

Tested on mga2 x86_64 with the procedure described above.
The correct config file for mga2 seems to be:
# cat /etc/xinetd.d/tcpmux 
service tcpmux
{
  type        = INTERNAL
  id          = tcpmux
  socket_type = stream
  protocol    = tcp
  user        = root
  wait        = no
}

service testcred
{
  id = tcpmux-testcred
  disable = no
  user = nobody
  group = nogroup
  socket_type = stream
  type = TCPMUXPLUS UNLISTED
  flags = NAMEINARGS
  server = /bin/id
  server_args = id
  wait = no
}
(diffs are group=nogrup and server=/bin/id)

CC: (none) => balaton
Whiteboard: MGA2TOO MGA3-64-OK has_procedure => MGA2TOO MGA3-64-OK MGA2-64-OK has_procedure

Comment 6 David Walser 2013-10-09 23:33:18 CEST

Tested Mageia 3 i586 with the following config:
[root@luigi xinetd.d]# cat tcpmux-server
service tcpmux
{
  disable       = no
  id              = tcpmux-server
  type              = INTERNAL
  wait                = no
  socket_type         = stream
}
[root@luigi xinetd.d]# cat testcred 
service testcred
{
  id = tcpmux-testcred
  disable = no
  user = nobody
  group = nogroup
  socket_type = stream
  type = TCPMUXPLUS UNLISTED
  flags = NAMEINARGS
  server = /bin/id
  server_args = id
  wait = no
}

And got the following results:
[david@luigi ~]$ telnet localhost 1
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
testcred
+Go
uid=0(root) gid=0(root) groups=0(root)
Connection closed by foreign host.
[david@luigi ~]$ telnet localhost 1
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
testcred
+Go
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
Connection closed by foreign host.

CC: (none) => luigiwalser
Whiteboard: MGA2TOO MGA3-64-OK MGA2-64-OK has_procedure => MGA2TOO has_procedure MGA3-64-OK MGA2-64-OK MGA3-32-OK

Comment 7 David Walser 2013-10-09 23:40:11 CEST

Tested Mageia 2 i586, same config, same results.  Testing complete.  Validating.

Could a sysadmin push these SRPMS to updates.  Advisory is in SVN.
xinetd-2.3.15-1.1.mga2.src.rpm
xinetd-2.3.15-3.1.mga3.src.rpm

Keywords: (none) => validated_update
Whiteboard: MGA2TOO has_procedure MGA3-64-OK MGA2-64-OK MGA3-32-OK => MGA2TOO has_procedure MGA3-64-OK MGA2-64-OK MGA3-32-OK MGA2-32-OK
CC: (none) => sysadmin-bugs

Comment 8 Thomas Backlund 2013-10-10 00:56:39 CEST

Update pushed:
http://advisories.mageia.org/MGASA-2013-0302.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

Comment 9 Oden Eriksson 2013-10-10 07:50:14 CEST

======================================================
Name: CVE-2013-4342
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4342
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130612
Category: 
Reference: CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=1006100
Reference: CONFIRM:https://github.com/xinetd-org/xinetd/pull/10
Reference: REDHAT:RHSA-2013:1409
Reference: URL:http://rhn.redhat.com/errata/RHSA-2013-1409.html

xinetd does not enforce the user and group configuration directives
for TCPMUX services, which causes these services to be run as root and
makes it easier for remote attackers to gain privileges by leveraging
another vulnerability in a service.