UNIX Hard Link in FreeRADIUS - #VU50016
Published: January 26, 2021
FreeRADIUS
FreeRADIUS Server Project
Description
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists in the way FreeRADIUS is started on the system. Before starting the daemon, the systemd service file for freeradius runs "chown -R" on a directory:
ExecStartPre=-/bin/chown -R radius.radius /run/radiusd
That can be exploited by the "radius" user to gain root privileges. After the service has been started once, the radius user can place a hard link to a root-owned file in /run/radiusd. If the service is later restarted, then the "chown -R" command will give away ownership of that root-owned file to the "radius" user.
As a result, a local user can execute arbitrary code on the system as root.
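A defensive check for the pattern described above, added here as an example (not code from the advisory or from the FreeRADIUS project): the first function flags systemd unit files whose Exec lines run a recursive chown, and the second lists regular files with more than one hard link under the directory that chown would walk. The function names and the two-argument usage are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit for the recursive-chown pattern described above.

# Print "<unit file>: <target>" for every Exec* line that runs chown recursively.
# $1: directory holding *.service files (path is supplied by the caller).
find_recursive_chown() {
    for unit in "$1"/*.service; do
        [ -f "$unit" ] || continue
        awk -v unit="$unit" '
            /^Exec[A-Za-z]*=/ {
                cmd = $0
                # Drop the key and systemd prefix characters such as "-" or "@".
                sub(/^Exec[A-Za-z]*=[-@:+!]*/, "", cmd)
                sub(/[ \t]+$/, "", cmd)
                n = split(cmd, w, /[ \t]+/)
                if (w[1] !~ "(^|/)chown$") next
                rec = 0
                for (i = 2; i <= n; i++)
                    if (w[i] == "--recursive" || w[i] ~ /^-[A-Za-z]*R/) rec = 1
                # The last word is the path chown will walk.
                if (rec) print unit ": " w[n]
            }' "$unit"
    done
}

# List regular files with more than one hard link under the chown target.
# Any such file may share an inode with a file outside the directory, so a
# recursive chown would change ownership of that outside file as well.
# $1: directory to inspect; output is "ls -ln" (link count, numeric owner, path).
find_multilinked() {
    find "$1" -xdev -type f -links +1 -exec ls -ln {} +
}

# Hypothetical usage: sh audit.sh /etc/systemd/system /run/radiusd
if [ "$#" -eq 2 ]; then
    find_recursive_chown "$1"
    find_multilinked "$2"
fi
```

A multiply-linked file is not proof of abuse on its own; the numeric owner and link count in the listing show which entries need a closer look before the service is restarted.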
Remediation
External links
- https://security.gentoo.org/glsa/202101-27
- https://bugs.gentoo.org/630910
- https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=48cd44905411daf0c9914d0df63b387e29e75b10
- https://github.com/FreeRADIUS/freeradius-server/commit/26e412b0f775d7219364fec3c204ba6e5877ff1a
- https://github.com/FreeRADIUS/freeradius-server/commit/b6f8a6fdd456ebfa889b8867317632bd0ac6b887
- https://github.com/FreeRADIUS/freeradius-server/commit/aec8b3e9bbdb67b04fbd3eca8e757e1f114ec613