Bug 29188 - arpwatch new security issue CVE-2021-25321
Summary: arpwatch new security issue CVE-2021-25321
Status: ASSIGNED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords: feedback
Depends on:
Blocks:
 
Reported: 2021-06-29 18:58 CEST by David Walser
Modified: 2021-07-21 14:24 CEST

See Also:
Source RPM: arpwatch-2.1a15-21.mga8.src.rpm
CVE: CVE-2021-25321
Status comment:


Description David Walser 2021-06-29 18:58:41 CEST
SUSE has issued an advisory on June 28:
https://lists.suse.com/pipermail/sle-security-updates/2021-June/009098.html

We are affected because of the arpwatch-2.1a13-drop_root.diff patch.

Mageia 7 and Mageia 8 are also affected.

David Walser 2021-06-29 18:59:02 CEST

Whiteboard: (none) => MGA8TOO, MGA7TOO

Comment 1 Lewis Smith 2021-06-29 20:48:21 CEST
This SRPM has no particular maintainer, so having to assign this update globally.

Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2021-07-01 14:41:04 CEST
openSUSE has issued an advisory for this today (July 1):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/Y7SKTH3533HITV3EN436RULMJP2HHQND/

Comment 3 David Walser 2021-07-01 19:00:17 CEST
Removing Mageia 7 from whiteboard due to EOL:
https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/

Status comment: (none) => Patch available from openSUSE
Whiteboard: MGA8TOO, MGA7TOO => MGA8TOO

Comment 4 Nicolas Salguero 2021-07-06 11:26:32 CEST
Suggested advisory:
========================

The updated package fixes a security vulnerability:

A UNIX Symbolic Link (Symlink) Following vulnerability in arpwatch of SUSE Linux Enterprise Server 11-SP4-LTSS, SUSE Manager Server 4.0, SUSE OpenStack Cloud Crowbar 9; openSUSE Factory, Leap 15.2 allows local attackers with control of the runtime user to run arpwatch as to escalate to root upon the next restart of arpwatch. This issue affects: SUSE Linux Enterprise Server 11-SP4-LTSS arpwatch versions prior to 2.1a15. SUSE Manager Server 4.0 arpwatch versions prior to 2.1a15. SUSE OpenStack Cloud Crowbar 9 arpwatch versions prior to 2.1a15. openSUSE Factory arpwatch version 2.1a15-169.5 and prior versions. openSUSE Leap 15.2 arpwatch version 2.1a15-lp152.5.5 and prior versions. (CVE-2021-25321)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25321
https://lists.suse.com/pipermail/sle-security-updates/2021-June/009098.html
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/Y7SKTH3533HITV3EN436RULMJP2HHQND/
========================

Updated package in core/updates_testing:
========================
arpwatch-2.1a15-21.1.mga8

from SRPM:
arpwatch-2.1a15-21.1.mga8.src.rpm

Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
CC: (none) => nicolas.salguero
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
CVE: (none) => CVE-2021-25321
Status comment: Patch available from openSUSE => (none)

Comment 5 Herman Viaene 2021-07-20 15:38:53 CEST
MGA8-64 Plasma on Lenovo B50
No installation issues.
After altering /etc/sysconfig/arpwatch as per bug 6329 to reflect my LAN
# systemctl start arpwatch
# systemctl -l status arpwatch
● arpwatch.service - LSB: The arpwatch daemon
     Loaded: loaded (/etc/rc.d/init.d/arpwatch; generated)
     Active: active (exited) since Tue 2021-07-20 15:27:51 CEST; 2s ago
       Docs: man:systemd-sysv-generator(8)
    Process: 19576 ExecStart=/etc/rc.d/init.d/arpwatch start (code=exited, status=0/SUCCESS)
        CPU: 27ms

jul 20 15:27:51 mach5.hviaene.thuis systemd[1]: Starting LSB: The arpwatch daemon...
jul 20 15:27:51 mach5.hviaene.thuis arpwatch[19576]: Starting arpwatch: [  OK  ]
jul 20 15:27:51 mach5.hviaene.thuis systemd[1]: Started LSB: The arpwatch daemon.
jul 20 15:27:51 mach5.hviaene.thuis arpwatch[19585]: Fatal: cannot determine directory of arp.dat
No arpwatch process running.
Checked: there is a file arp.dat in /var/lib/arpwatch, so that should be OK ????
But https://www.tecmint.com/monitor-ethernet-activity-in-linux/ says the file should reside in /var/arpwatch ?????
Googling does not get me any further.

CC: (none) => herman.viaene

Comment 6 Dave Hodgins 2021-07-20 20:30:45 CEST
There are problems. First, installing the update is renaming the arpwatch owned
file /var/lib/arpwatch/arp.dat to /var/lib/arpwatch/arp.dat.rpmsave and
creating a root owned file in its place that arpwatch cannot update.
Second, after fixing that issue, it doesn't seem to be detecting new arp entries.

[root@x3 ~]# arp
Address                  HWtype  HWaddress           Flags Mask            Iface
router                   ether   84:d8:1b:58:e7:4c   C                     eth0
hodgins.homeip.net       ether   00:1e:8c:c5:25:f2   C                     eth0
[root@x3 ~]# arp
Address                  HWtype  HWaddress           Flags Mask            Iface
router                   ether   84:d8:1b:58:e7:4c   C                     eth0
x8t.hodgins.homeip.net   ether   70:66:55:c3:ec:83   C                     eth0
hodgins.homeip.net       ether   00:1e:8c:c5:25:f2   C                     eth0
[root@x3 ~]# systemctl status arpwatch.service 
● arpwatch.service - LSB: The arpwatch daemon
     Loaded: loaded (/etc/rc.d/init.d/arpwatch; generated)
     Active: active (exited) since Tue 2021-07-20 14:22:39 EDT; 3min 31s ago
       Docs: man:systemd-sysv-generator(8)
    Process: 1420 ExecStart=/etc/rc.d/init.d/arpwatch start (code=exited, status=0/SUCCESS)
        CPU: 23ms

Jul 20 14:22:39 x3.hodgins.homeip.net systemd[1]: Starting LSB: The arpwatch daemon...
Jul 20 14:22:39 x3.hodgins.homeip.net arpwatch[1420]: Starting arpwatch: [  OK  ]
Jul 20 14:22:39 x3.hodgins.homeip.net systemd[1]: Started LSB: The arpwatch daemon.

No mail generated by the addition of x8t.hodgins.homeip.net

I'll try some additional debugging to see if I've got a configuration problem
or if it's just not working.

CC: (none) => davidwhodgins

Comment 7 Dave Hodgins 2021-07-20 21:08:34 CEST
After starting the service, the arpwatch daemon exits immediately rather than
continuing to run.

Running as root, the command ...
# arpwatch -f /var/lib/arpwatch/arp.dat -i eth0 -n "192.168.10.2/16" -u arpwatch
works (those config settings match my current install). So the problem, besides
the ownership of arp.dat, is the way it's being started.

I'm not sure what's wrong with the current /etc/rc.d/init.d/arpwatch file.
I recommend replacing it with a systemd config file. As it is, it's a
non-functional package.

Keywords: (none) => feedback

Comment 8 Herman Viaene 2021-07-21 14:24:29 CEST
@ Dave
Mine is a fresh install of arpwatch, and I see that the folder arpwatch in /var/lib is owned by user arpwatch, but all the files in it are owned by root.
Did a chown and chgrp on the files, but the problem remains.
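
A post-update check for the two conditions discussed in this thread, as an added example that is not part of the bug report or the Mageia package: it flags symbolic links under the arpwatch state directory (CVE-2021-25321 is a symlink-following issue) and entries not owned by the runtime user (the ownership problem reported in comments 6 and 8). The function name and the finding labels are made up for this example; `/var/lib/arpwatch`, `arp.dat` and the `arpwatch` user are the ones quoted in the comments.

```shell
#!/bin/sh
# Added example: audit an arpwatch state directory after a package update.
# audit_arpwatch_dir DIR OWNER   (OWNER: user name or numeric uid)
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_arpwatch_dir() {
    aw_dir=$1
    aw_owner=$2

    # The state directory itself must be a real directory, not a link.
    if [ -L "$aw_dir" ] || [ ! -d "$aw_dir" ]; then
        echo "NOT_A_DIRECTORY $aw_dir"
        return 1
    fi

    # Symbolic links under the directory (find does not follow them).
    # CVE-2021-25321 is a symlink-following issue, so none should exist
    # in a location the runtime user can write to.
    aw_links=$(find "$aw_dir" -type l -print | sed 's/^/SYMLINK /')

    # Entries not owned by the runtime user: the daemon cannot update
    # them after dropping root (the regression in comments 6 and 8).
    aw_wrong=$(find "$aw_dir" ! -type l ! -user "$aw_owner" -print |
        sed 's/^/WRONG_OWNER /')

    # The database passed to "arpwatch -f" has to be a regular file.
    aw_db=""
    if [ -L "$aw_dir/arp.dat" ] || [ ! -f "$aw_dir/arp.dat" ]; then
        aw_db="NO_REGULAR_DB $aw_dir/arp.dat"
    fi

    aw_out=$(printf '%s\n%s\n%s\n' "$aw_links" "$aw_wrong" "$aw_db" | sed '/^$/d')
    if [ -z "$aw_out" ]; then
        return 0
    fi
    printf '%s\n' "$aw_out"
    return 1
}

# Run against a real system only when both arguments are given, e.g.
#   sh audit-arpwatch.sh /var/lib/arpwatch arpwatch
if [ "$#" -eq 2 ]; then
    audit_arpwatch_dir "$1" "$2"
fi
```

If OWNER is a name that does not exist on the host, `find` prints an error instead of ownership findings, so create the runtime user before running the check.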
