Critical Server Manager security update

davidep (Davide Principi) 2017-11-03 08:24:19 UTC #1

Summary

A security flaw was found in the password change form of Server Manager. It allows an authenticated user to escalate privileges and execute arbitrary code, that means a malicious local user can take full control of the system.

Affected version

All NethServer 7 versions before 7.4 milestone are affected.

Solution

NethServer 6 and NethServer 7 after 7.4 milestone release are not affected.

If your ns7 system is updated at least to September 8 2017, you can cherry-pick and install the fix with the following command:

yum localinstall http://packages.nethserver.org/nethserver/7.4.1708/base/x86_64/Packages/nethserver-base-3.1.1-1.ns7.noarch.rpm

Bug

https://github.com/NethServer/dev/issues/5367

Further details will be available from the link above on Monday, November 6.

Disclosure process

The disclosure process has been discussed among the @ambassadors_group in private form, during the previous week. The discussion is now publicly available here:

NethServer vulnerability disclosure process

davidep (Davide Principi) 2017-11-03 08:33:28 UTC #2

danb35 (Dan) 2017-11-03 14:56:52 UTC #3

I’ve understood that yum localinstall has been deprecated in favor of yum install for some time now (you can do yum install (URL or filename) as it is), but wouldn’t it be simpler to just do yum update nethserver-base? yum update packagename will only update that package, and any dependencies that that package requires to be updated (so, for example, if nethserver-base-3.1.1-1.ns7 required an updated version of openssl, openssl would be updated too).

robb (Rob Bosch) 2017-11-03 17:52:45 UTC #4

@danb35: You are completely right. It would be best to do a full update of NethServer to the latest patches. However, in every professional environment it is good practice to test updates before installing them on live servers. In that case, a single update can be rolled out faster than a full set of updates.
This bug is quite intrusive and quick patching is needed.
Now you can test and patch this specific security update. It gives the admin a bit of time for all those other updates to roll out.

danb35 (Dan) 2017-11-03 18:11:05 UTC #5

No, that’s not what I’m suggesting at all. I’m saying that if the way to correct the issue is to upgrade to the current nethserver-base, you can do that by just doing yum update nethserver-base. It’s just a shorter and simpler command, with less to mis-type.

davidep (Davide Principi) 2017-11-06 08:35:02 UTC #6

The full disclosure and source code is now publicly available.

The flaw was discovered during the development of the users & groups page prototype of nethserver-cockpit package. @edoardo_spadoni was testing the random password generator when a ' (single quote/apostrophe) caused a suspect warning to appear in the browser console.

Sometimes experimenting with new technologies leads to immediate improvements to existing ones