snap policy module can be unloaded, circumventing audio recording restrictions for snaps

Bug #1877102 reported by James Henstridge on 2020-05-06
Affects                Importance  Assigned to
pulseaudio (Ubuntu)    (status tracked in Groovy)
  Xenial               Medium      Jamie Strandboge
  Bionic               Medium      Jamie Strandboge
  Eoan                 Medium      Jamie Strandboge
  Focal                Medium      Jamie Strandboge
  Groovy               Medium      Jamie Strandboge

Bug Description

This collates information about a security vulnerability discussed in email. It has been assigned CVE-2020-11931.

Ubuntu's PulseAudio package ships with a custom "module-snap-policy" module intended to stop snap-confined clients from recording audio unless they have the "audio-record" plug connected. However, the module does not restrict access to the "PA_COMMAND_UNLOAD_MODULE" protocol command.

This allows a snap that has only plugged "audio-playback" to ask PulseAudio to unload the security policy module, which removes the restriction and makes it possible to record audio.

CVE References: CVE-2020-11931

James Henstridge (jamesh) wrote :

Attached is a snapcraft.yaml file that can be used to build an exploit snap. With it built and installed, we can see that recording is initially blocked:

    $ record-exploit.parecord /tmp/foo.wav
    Stream error: Access denied

But if we disable the security policy first, we can record:

    $ record-exploit.disable-security
    $ record-exploit.parecord /tmp/foo.wav
    ^C

The snap also exposes a "record-exploit.pactl" command to help demonstrate what is possible from within confinement.

James Henstridge (jamesh) wrote :

Attached is a proposed fix for the vulnerability (at least the focal version). It connects to more hooks to prevent snaps from:
 * requesting the daemon quit
 * listing modules
 * loading modules
 * unloading modules
 * kill clients

It also updates some deprecated libsnapd-glib API usage. With this version installed, the "record-exploit.disable-security" command will fail. Other commands that will fail include:

    record-exploit.pactl list modules
    record-exploit.pactl load-module whatever
    record-exploit.pactl unload-module 1
    record-exploit.pactl exit

(there is no pactl command to test killing clients).
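The exploit described in the first comment and the hook set in the proposed fix are two views of the same design flaw: a policy module that guards the resource (recording) but not the mechanism that enforces the policy (module management). The following Python model is an added example for this page, not PulseAudio's or Ubuntu's code. It models a daemon that consults access hooks before running protocol commands, a policy callback with module-snap-policy's decision logic, and the exploit sequence from the comments (record, list modules, unload the policy module, record again) against both the vulnerable hook set and the fixed one. The hook and command names are illustrative, modelled on the PA_COMMAND_UNLOAD_MODULE style used in the report; the comment about hook IDs starting at 1 is an assumption about why the changelog entry "make sure access hook IDs are non-zero" matters, not something the page states.

```python
"""Added model of the CVE-2020-11931 bypass and its fix (not PulseAudio code)."""
from enum import IntEnum


class Hook(IntEnum):
    # Numbering starts at 1 on purpose: a hook id of 0 is falsy, so a check
    # written as `if hook_id: ...` would silently skip enforcement.  That such
    # a check existed in PulseAudio is an assumption of this model.
    CONNECT_RECORD = 1
    GET_MODULE_INFO = 2
    LOAD_MODULE = 3
    UNLOAD_MODULE = 4
    KILL_CLIENT = 5
    EXIT_DAEMON = 6


# Protocol command -> hook consulted before the command runs (illustrative names).
COMMAND_HOOKS = {
    "CREATE_RECORD_STREAM": Hook.CONNECT_RECORD,
    "GET_MODULE_INFO_LIST": Hook.GET_MODULE_INFO,
    "LOAD_MODULE": Hook.LOAD_MODULE,
    "UNLOAD_MODULE": Hook.UNLOAD_MODULE,
    "KILL_CLIENT": Hook.KILL_CLIENT,
    "EXIT": Hook.EXIT_DAEMON,
}

# Hooks the vulnerable policy module connected, and the set after the fix
# (the additions match the five items listed in the fix description).
VULNERABLE_HOOKS = {Hook.CONNECT_RECORD}
FIXED_HOOKS = set(Hook)


class Client:
    """A connected client; snap is None for an unconfined client."""

    def __init__(self, snap=None, plugs=()):
        self.snap = snap
        self.plugs = set(plugs)


def snap_policy(client, hook):
    """Model of module-snap-policy's decision: True allows, False denies."""
    if client.snap is None:
        return True  # unconfined clients are not restricted
    if hook is Hook.CONNECT_RECORD:
        return "audio-record" in client.plugs
    return False  # a snap may never manage modules, clients or the daemon


class Daemon:
    def __init__(self):
        self.modules = {}  # index -> module name
        self.hooks = {}    # Hook -> list of (owning module index, callback)
        self._next = 0

    def load_module(self, name, hooks=(), callback=None):
        idx = self._next
        self._next += 1
        self.modules[idx] = name
        for h in hooks:
            self.hooks.setdefault(h, []).append((idx, callback))
        return idx

    def unload_module(self, idx):
        # As with a real module's teardown, its hook slots die with it.
        del self.modules[idx]
        for h in list(self.hooks):
            self.hooks[h] = [(i, cb) for i, cb in self.hooks[h] if i != idx]

    def dispatch(self, client, command, arg=None):
        """Run command for client; returns 'denied' or the command's result."""
        for _idx, cb in self.hooks.get(COMMAND_HOOKS[command], []):
            if not cb(client, COMMAND_HOOKS[command]):
                return "denied"
        if command == "GET_MODULE_INFO_LIST":
            return dict(self.modules)
        if command == "UNLOAD_MODULE":
            self.unload_module(arg)
        return "ok"  # remaining commands need no further modelling here


def run_scenario(fixed):
    """Replay the exploit steps from the report; one outcome per step."""
    daemon = Daemon()
    policy_idx = daemon.load_module(
        "module-snap-policy", FIXED_HOOKS if fixed else VULNERABLE_HOOKS, snap_policy)
    snap = Client(snap="record-exploit", plugs={"audio-playback"})

    results = [daemon.dispatch(snap, "CREATE_RECORD_STREAM")]  # parecord: denied
    listing = daemon.dispatch(snap, "GET_MODULE_INFO_LIST")     # pactl list modules
    results.append("denied" if listing == "denied" else "ok")
    # If listing is refused, the attacker can only guess an index (pactl unload-module 1).
    target = policy_idx if listing == "denied" else next(
        i for i, n in listing.items() if n == "module-snap-policy")
    results.append(daemon.dispatch(snap, "UNLOAD_MODULE", target))  # disable-security
    results.append(daemon.dispatch(snap, "CREATE_RECORD_STREAM"))   # parecord again
    return results


if __name__ == "__main__":
    print("vulnerable:", run_scenario(fixed=False))
    print("fixed:     ", run_scenario(fixed=True))
```

With the vulnerable hook set the sequence is denied, ok, ok, ok: the first record attempt fails, but listing and unloading succeed and the second record attempt passes because no callback remains on the record hook. With the fixed set every step after the first is denied for the snap, while an unconfined client still passes all hooks, which is the behaviour the fix description asks for.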

Jamie Strandboge (jdstrand) wrote :

Thanks James! I've assigned this to myself for sponsoring through the -security pocket and issuing a USN. After the USN is issued, are you planning a groovy update?

Changed in pulseaudio (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in pulseaudio (Ubuntu Xenial):
status: New → In Progress
Changed in pulseaudio (Ubuntu Bionic):
status: New → In Progress
Changed in pulseaudio (Ubuntu Eoan):
status: New → In Progress
Changed in pulseaudio (Ubuntu Focal):
status: New → In Progress
Changed in pulseaudio (Ubuntu Groovy):
status: Confirmed → Triaged
Changed in pulseaudio (Ubuntu Xenial):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in pulseaudio (Ubuntu Bionic):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in pulseaudio (Ubuntu Eoan):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in pulseaudio (Ubuntu Focal):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in pulseaudio (Ubuntu Groovy):
assignee: Jamie Strandboge (jdstrand) → nobody
Jamie Strandboge (jdstrand) wrote :

FYI, we need a no change rebuild for snapd-glib 1.49 in xenial and bionic based on the changes to debian/control. I'll be doing that as well.

Jamie Strandboge (jdstrand) wrote :

No change rebuild for -security*

James Henstridge (jamesh) wrote :

Yep. The non *-updates versions in those two releases are not sufficient for the snap policy module to function correctly. IIRC, versions before 2.40 or 2.41 did not properly reconnect if snapd restarted while PulseAudio was running.

Jamie Strandboge (jdstrand) wrote :

FYI, after local testing, I uploaded focal debdiff as is and backports for xenial-eoan to the security ppa. Once built, I'll retest and issue the USN.

Changed in pulseaudio (Ubuntu Xenial):
status: In Progress → Fix Committed
Changed in pulseaudio (Ubuntu Bionic):
status: In Progress → Fix Committed
Changed in pulseaudio (Ubuntu Eoan):
status: In Progress → Fix Committed
Changed in pulseaudio (Ubuntu Focal):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pulseaudio - 1:13.99.1-1ubuntu3.2

---------------
pulseaudio (1:13.99.1-1ubuntu3.2) focal-security; urgency=medium

  * SECURITY UPDATE: stop snaps from loading and unloading modules, to
    prevent bypass of audio recording restriction (LP: #1877102)
    - d/p/0407-access-Add-access-control-hooks.patch: make sure access
      hook IDs are non-zero.
    - d/p/0700-modules-add-snappy-policy-module.patch: Prevent snaps from
      controlling modules, terminating the daemon, or disconnecting clients.
    - CVE-2020-11931

 -- James Henstridge <email address hidden> Wed, 29 Apr 2020 18:44:47 +0800

Changed in pulseaudio (Ubuntu Focal):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pulseaudio - 1:13.0-1ubuntu1.2

---------------
pulseaudio (1:13.0-1ubuntu1.2) eoan-security; urgency=medium

  * SECURITY UPDATE: stop snaps from loading and unloading modules, to
    prevent bypass of audio recording restriction (LP: #1877102). Patch thanks
    to James Henstridge
    - d/p/0407-access-Add-access-control-hooks.patch: make sure access
      hook IDs are non-zero.
    - d/p/0700-modules-add-snappy-policy-module.patch: Prevent snaps from
      controlling modules, terminating the daemon, or disconnecting clients.
    - CVE-2020-11931
  * debian/control: Build-Depends on libsnapd-glib-dev (>= 1.49)

 -- Jamie Strandboge <email address hidden> Wed, 06 May 2020 21:33:27 +0000

Changed in pulseaudio (Ubuntu Eoan):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pulseaudio - 1:8.0-0ubuntu3.12

---------------
pulseaudio (1:8.0-0ubuntu3.12) xenial-security; urgency=medium

  * SECURITY UPDATE: stop snaps from loading and unloading modules, to
    prevent bypass of audio recording restriction (LP: #1877102). Patch thanks
    to James Henstridge
    - d/p/0407-access-Add-access-control-hooks.patch: make sure access
      hook IDs are non-zero.
    - d/p/0450-modules-add-snappy-policy-module.patch: Prevent snaps from
      controlling modules, terminating the daemon, or disconnecting clients.
    - CVE-2020-11931
  * debian/control: Build-Depends on libsnapd-glib-dev (>= 1.49)

 -- Jamie Strandboge <email address hidden> Thu, 07 May 2020 20:43:53 +0000

Changed in pulseaudio (Ubuntu Xenial):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pulseaudio - 1:11.1-1ubuntu7.7

---------------
pulseaudio (1:11.1-1ubuntu7.7) bionic-security; urgency=medium

  * SECURITY UPDATE: stop snaps from loading and unloading modules, to
    prevent bypass of audio recording restriction (LP: #1877102). Patch thanks
    to James Henstridge
    - d/p/0407-access-Add-access-control-hooks.patch: make sure access
      hook IDs are non-zero.
    - d/p/0700-modules-add-snappy-policy-module.patch: Prevent snaps from
      controlling modules, terminating the daemon, or disconnecting clients.
    - CVE-2020-11931
  * debian/control: Build-Depends on libsnapd-glib-dev (>= 1.49)

 -- Jamie Strandboge <email address hidden> Wed, 06 May 2020 22:08:56 +0000

Changed in pulseaudio (Ubuntu Bionic):
status: Fix Committed → Fix Released
Changed in pulseaudio (Ubuntu Groovy):
importance: High → Medium
Changed in pulseaudio (Ubuntu Focal):
importance: Undecided → Medium
Changed in pulseaudio (Ubuntu Eoan):
importance: Undecided → Medium
Changed in pulseaudio (Ubuntu Bionic):
importance: Undecided → Medium
Changed in pulseaudio (Ubuntu Xenial):
importance: Undecided → Medium
information type: Private Security → Public Security
Jamie Strandboge (jdstrand) wrote :

I'll apply the focal patch to what is in groovy-proposed.

Changed in pulseaudio (Ubuntu Groovy):
assignee: nobody → Jamie Strandboge (jdstrand)
status: Triaged → In Progress

The attachment "pulseaudio_13.99.1-1ubuntu3_13.99.1-1ubuntu4.diff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Jamie Strandboge (jdstrand) wrote :

Uploaded https://launchpad.net/ubuntu/+source/pulseaudio/1:13.99.1-1ubuntu5 to groovy based on 1:13.99.1-1ubuntu4 from groovy-proposed.

Changed in pulseaudio (Ubuntu Groovy):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pulseaudio - 1:13.99.1-1ubuntu6

---------------
pulseaudio (1:13.99.1-1ubuntu6) groovy; urgency=medium

  * debian/patches/git_config_upgrade.patch:
     -stream-restore: Forget pre-14.0 stream routing, old configurations are
      incompatible and create routing issues where e.g. the speaker despite
      having headset selected (lp: #1866194)
  * debian/rules:
    - enable --enable-stream-restore-clear-old-devices
  * debian/rules:
    - don't let tests fail build on riscv

 -- Sebastien Bacher <email address hidden> Wed, 03 Jun 2020 17:28:51 +0200

Changed in pulseaudio (Ubuntu Groovy):
status: Fix Committed → Fix Released