
posted by janrinok on Friday March 27 2015, @04:01PM   Printer-friendly
from the not-good dept.

A bug in the SE Linux[*] troubleshooting tool, setroubleshoot (http://seclists.org/oss-sec/2015/q1/1011), has been identified. The bug is considered difficult to exploit but is potentially a serious risk. So far it is known to exist in Red Hat, Fedora 21 and Ubuntu (version unspecified), but it could be present in other versions too. An exploit has already found its way onto GitHub and is discussed in a blog post dated 25 Mar 2015 that links to the GitHub page.

[*] Security-Enhanced Linux (SE Linux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including United States Department of Defense–style mandatory access controls (MAC).

  • (Score: 5, Interesting) by Jeremiah Cornelius on Friday March 27 2015, @04:20PM

    by Jeremiah Cornelius (2785) on Friday March 27 2015, @04:20PM (#163220) Journal

    This is from the NSA. SELinux is and has been an NSA project. [nsa.gov] Do you actually believe they created and sponsored an open-source effort to lock themselves out of platforms they have been documented at compromising for surveillance?

    It's not the first time this has been suggested: http://forums.fedoraforum.org/showthread.php?t=171053 [fedoraforum.org]

    What may have seemed an overly paranoid "tin-foil" proposition has only been confirmed for any of those who have deeply investigated the documents released through the efforts of Edward Snowden.

    This type of backdoor is the actual and objective of a dedicated and unprecedented effort at compromising both software [falkvinge.net] and hardware, by this nefarious agency.

    That "other place" had a thread about this a couple years back: http://yro.slashdot.org/story/13/07/02/1241246/nsa-backdoors-in-open-source-and-open-standards-what-are-the-odds [slashdot.org]

    --
    You're betting on the pantomime horse...
    • (Score: 2) by Jeremiah Cornelius on Friday March 27 2015, @04:32PM

      by Jeremiah Cornelius (2785) on Friday March 27 2015, @04:32PM (#163227) Journal

      So. Yes, that's correct: The SELinux system that is only there to protect you,
      passes attacker controlled data to sh -c (https://docs.python.org/2/library/commands.html)
      inside a daemon running as root. Sacken lassen...

      I attached a PoC which uses networkmanager's openvpn plugin to execute
      arbitrary commands by triggering an access violation to a pathname
      which contains shell commands.

      The setroubleshootd_t domain has quite a lot of allowed rules and transitions,
      so this can clearly count as privilege escalation. Furthermore a lot
      of admins run their system in permissive mode (full root) even when
      it's shipped enforcing by default.

      --
      You're betting on the pantomime horse...
      • (Score: 3, Informative) by Jeremiah Cornelius on Friday March 27 2015, @04:36PM

        by Jeremiah Cornelius (2785) on Friday March 27 2015, @04:36PM (#163232) Journal

        https://github.com/stealth/troubleshooter [github.com]

        "The framework consists of a lot of Python scripts running as root and/or as a DBUS service. The AVC itself basically decides whether a permission is granted or not, based on the typing and transitioning rules from the policy."

        So? Save us also, from the possibility of issues in the required Python libs.

        --
        You're betting on the pantomime horse...
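The flaw quoted from the oss-sec post above is a classic shell-injection pattern: a pathname chosen by an unprivileged local user is handed to `sh -c` by a root daemon. The following added example is not setroubleshoot's code or the PoC from the linked repository; it mimics the pattern with a hypothetical helper that runs `ls -ld` on the denied pathname, shows the vulnerable form beside the hardened one, and uses a constructed pathname and an assumed allowlist regex.

```python
import re
import subprocess

# Constructed attacker-controlled pathname (hypothetical): a local user can
# create a file with any name, and the AVC denial carries that name to the
# daemon. Here the "name" smuggles a shell command after the ';'.
INJECTED_PATH = "/tmp/nosuchfile; echo $((6*7))"


def describe_vulnerable(path):
    """The pattern the oss-sec post describes: the string reaches 'sh -c'.

    subprocess.getoutput() is the Python 3 twin of Python 2's
    commands.getoutput(); both run the whole string through the shell, so
    metacharacters in `path` become commands executed with the daemon's
    privileges (root, in the setroubleshootd case).
    """
    return subprocess.getoutput("ls -ld " + path)


def describe_no_shell(path):
    """First fix: pass the pathname as one argv element; no shell is involved.

    The ';' and '$((...))' are now just bytes in a file name that ls fails to
    find, not commands.
    """
    proc = subprocess.run(["ls", "-ld", "--", path],
                          capture_output=True, text=True)
    return proc.stdout + proc.stderr


# Assumed allowlist for this demo: absolute paths made of a conservative
# character set. Real deployments would widen it deliberately, not by default.
SAFE_PATH = re.compile(r"^/[\w./+-]*$")


def describe_hardened(path):
    """Second layer: refuse odd pathnames before doing anything with them.

    Defence in depth on top of describe_no_shell(): even if a later change
    reintroduces a shell somewhere, suspicious input never gets that far.
    """
    if not SAFE_PATH.match(path):
        raise ValueError("suspicious pathname rejected: %r" % (path,))
    return describe_no_shell(path)


if __name__ == "__main__":
    print("vulnerable:", describe_vulnerable(INJECTED_PATH))
    print("no shell:  ", describe_no_shell(INJECTED_PATH))
    try:
        describe_hardened(INJECTED_PATH)
    except ValueError as exc:
        print("hardened:  ", exc)
```

The vulnerable variant prints `42` because the shell evaluated the injected arithmetic; the argv variant only reports that no such file exists, and the hardened variant refuses the name outright.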
    • (Score: 2, Disagree) by Anonymous Coward on Friday March 27 2015, @04:44PM

      by Anonymous Coward on Friday March 27 2015, @04:44PM (#163236)

      The NSA wasn't always as evil as they are today, so don't go making assumptions.

      This is not a backdoor in SELinux. SELinux has been around for a very long time, and the package with the vulnerability, "setroubleshoot", is not a core part of SELinux.

      Did the NSA write setroubleshoot, then? The AUTHORS [fedorahosted.org] file in the source shows it was written by Dan Walsh [redhat.com] and John Dennis [linkedin.com]. I can't find any information to suggest that they are affiliated with the NSA.

      • (Score: 5, Insightful) by ikanreed on Friday March 27 2015, @05:08PM

        by ikanreed (3164) Subscriber Badge on Friday March 27 2015, @05:08PM (#163247) Journal

        The NSA has never been a monolith. It's an organization that's always been filled with different people approaching the problems, real or fictitious, of national security different ways, with varying degrees of ethical consideration for the rights of those they "protect".

        Suffice it to say, we've definitely seen recent evidence of the sociopath element taking advantage of their positions. The CIA, a very similar agency, doing horrible shit has a well documented history that didn't start this century.

      • (Score: 2) by kaszz on Saturday March 28 2015, @02:05AM

        by kaszz (4211) on Saturday March 28 2015, @02:05AM (#163388) Journal

        When men in black appear at your door step with a paper asking you "nicely", you will most likely comply. Or they could just simply inject the code when you're not home or at work.

        Thus affiliation is not a requirement.

    • (Score: 0) by Anonymous Coward on Friday March 27 2015, @08:44PM

      by Anonymous Coward on Friday March 27 2015, @08:44PM (#163323)

      OpenBSD got hit by the FBI that way 15 years ago.
      http://www.theregister.co.uk/2010/12/15/openbsd_backdoor_claim/ [theregister.co.uk]
      Key items:
      It went undetected for 10 years. It was only discovered because one of the plants came forward after his NDA expired.

      • (Score: 0) by Anonymous Coward on Saturday March 28 2015, @07:01AM

        by Anonymous Coward on Saturday March 28 2015, @07:01AM (#163467)

        I thought this was just a rumor and an audit was done and nothing found?

        any evidence?

    • (Score: 0) by Anonymous Coward on Friday March 27 2015, @10:06PM

      by Anonymous Coward on Friday March 27 2015, @10:06PM (#163344)

      has only been confirmed for any of those who have deeply investigated document released through the efforts of Edward Snowden.

      Where "deeply investigated" means "I saw something on Slashdot which was an editorial comment about a story linked to Wired, which is their summary about some dude's blog which talks about his interpretation of over-hyped claims from Greenwald." And the sad part is that some other dude will come along, look at a post like yours, and talk about all this "confirmed" shit, which will be the extent that he looks into it, but he'll now feel like he's part of the "deep investigators."

      Remember how the NSA surveillance activities were "ruled illegal"? Sounds pretty bad. Particularly since you've got the usual histrionic windbags here who will go on to no end about all this "illegal" activity. But, it is very hard to cite the name of the Federal judge or judicial panel who ruled it illegal. The reason is that this "ruling" came from a government advisory panel [nbcnews.com]. And, they split on their decision 3-2 (or 2-1, or whatever the hell one plus over 50/50 split it was) so it is a stretch to think it is anywhere near obvious. And, when the NSA says they are operating within the law, which they are (you might not like the laws as they are written, but that is a separate issue), now you know them to be "liars" because we all know that their operations have been "ruled" illegal.

      This all brings us back to posts like yours, where you call them out as liars and law breakers. A veritable distorted mountain built from the molehill of a grain of truth that no one remembers because no one wants to remember as it would ruin their pretty little narrative. It's funny. You'd think that careful "deep investigation" would turn this kind of stuff up.

      I hope you're not one of those arrogant dicks here who only browse at +1 or more and that you get a chance to see this. As interesting as this site can be, you simply CAN NOT hold less than glowing opinions of Saint Eddie (or greater than contemptuous thoughts for the NSA) here without being modded down. There is simply too much group think for now.

  • (Score: 5, Funny) by wonkey_monkey on Friday March 27 2015, @04:25PM

    by wonkey_monkey (279) on Friday March 27 2015, @04:25PM (#163224) Homepage

    SE Linux Troubleshooting Tool Contains Bug That Allows Local Root Escalation

    I disabled SELinux, so I'm safe!

    --
    systemd is Roko's Basilisk
  • (Score: 0) by Anonymous Coward on Friday March 27 2015, @06:51PM

    by Anonymous Coward on Friday March 27 2015, @06:51PM (#163279)

    Isn't the use of SELinux mandatory in some cases? Isn't SELinux recommended by the NSA for use by dissidents in countries which are enemies of the USA? Because this exploit/backdoor can be used by enemies of the USA too :D

    • (Score: 5, Informative) by tynin on Friday March 27 2015, @08:54PM

      by tynin (2013) on Friday March 27 2015, @08:54PM (#163327) Journal

      SELinux is needed for FIPS-140 compliance.

      • (Score: 2) by Leebert on Saturday March 28 2015, @06:04AM

        by Leebert (3511) on Saturday March 28 2015, @06:04AM (#163451)

        SELinux is needed for FIPS-140 compliance.

        Eh? FIPS 140 is about approved cryptography in federal agencies. Nothing to do with SELinux. Except inasmuch as SELinux itself uses cryptography.

        • (Score: 2) by tynin on Saturday March 28 2015, @06:52PM

          by tynin (2013) on Saturday March 28 2015, @06:52PM (#163613) Journal

          Sorry I was distracted at the time and conflated things. Where I work we must be FIPS compliant to keep certain government groups happy to do business with us and part of that is this test they score you by. There is some silly crap in it, like having a specific MOTD set on the server, but there are other things like running SELinux in such a configuration. FIPS compliance is just part of it. In the end it is all about mandatory access controls and secure encrypted transmission and storage.

  • (Score: 2) by sjames on Saturday March 28 2015, @08:30AM

    by sjames (2882) on Saturday March 28 2015, @08:30AM (#163475) Journal

    *BEGIN RANT*

    SELinux is a perfect example of perfect getting in the way of good. By only allowing resources to be under one label, it naturally creates all or nothing scenarios that inevitably result in the rules being relaxed too much over time.

    Let's say you have a bunch of files under http_ro which can be read by http_t. Now you need one of those files to be writable by a script that lives in http_t. Your choice is either to grant http_t write access to all of http_ro or create a new label http_rw and grant the r/w to httpd_t and anything else that still needs to read it. But don't forget to change the scripts so when you have to re-label the filesystem it doesn't break everything, and watch out if you ever do an update of Apache (which you must if you don't want to get owned).

    Yes, it can be done. SELinux is flexible enough to express any security state you want to express, but it practically begs you to relax the rules. It is well suited to an environment where the absolute security of everything is all important, administrative cost is no object, and taking the server down for a while is always an option. In short, not most environments.

    Besides that, it didn't stop Snowden, now did it? I'm guessing even the NSA relaxed a rule or two.

    A more ACL-like approach (but MAC rather than DAC) for resources (including default labels that work like default ACLs) combined with a better way to specify domain transitions might work a lot better.

    But beyond even that, at least until conventions are developed, a system that defaults permissive unless labels and domains are applied (and not by a global script) is far more likely to actually secure something and not get turned off.

    *END RANT*