Firewall configuration can be modified by any logged in user

Bug #1617617 reported by Jeremy Bicha on 2016-08-27
This bug affects 2 people
Affects / Status / Importance / Assigned to / Milestone
firewalld (Debian): status Fix Released, importance Unknown
firewalld (Ubuntu): importance Low, assigned to Unassigned
Xenial: importance Low, assigned to Unassigned

Bug Description

Copying from the Debian bug:

---
The following vulnerability was published for firewalld.

CVE-2016-5410[0]:
Firewall configuration can be modified by any logged in user

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-5410
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1360135
[2] http://seclists.org/oss-sec/2016/q3/291
[3] https://github.com/t-woerner/firewalld/commit/0371995a58ec4c777960007b7dbee93933f760cb
---

This only affects firewalld >= 0.3.12 & < 0.4.3.3 (so trusty is not affected).

Jeremy Bicha (jbicha) on 2016-08-27
Changed in firewalld (Ubuntu Xenial):
status: New → Confirmed
Changed in firewalld (Ubuntu):
status: New → Confirmed
Jeremy Bicha (jbicha) wrote :

The only testing I did was ensure the package still builds on xenial.

Changed in firewalld (Debian):
status: Unknown → Fix Released
Jeremy Bicha (jbicha) wrote :

This bug was fixed in the package firewalld - 0.4.3.3-1

---------------
firewalld (0.4.3.3-1) unstable; urgency=medium

  * New upstream release.
    - Fixes CVE-2016-5410: Firewall configuration can be modified by any
      logged in user. (Closes: #834529)

 -- Michael Biebl <email address hidden> Sat, 27 Aug 2016 16:00:36 +0200

Changed in firewalld (Ubuntu):
status: Confirmed → Fix Released
Changed in firewalld (Ubuntu):
importance: Undecided → High
Changed in firewalld (Ubuntu Xenial):
importance: Undecided → High
Changed in firewalld (Ubuntu):
importance: High → Low
Changed in firewalld (Ubuntu Xenial):
importance: High → Low
Seth Arnold (seth-arnold) wrote :

I believe this patch is incomplete; the debdiff appears to cover:

direct.addPassthrough
ipset.addEntry
ipset.removeEntry

direct.removePassthrough looks to be overlooked. (ipset.setEntries is also missing, but I think that feature may not exist in this version.)

Can you please investigate and re-generate the patch if needed?

Thanks
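
The coverage review described in the comment above can be done mechanically. The following is an added example, not part of the original thread and not firewalld's code: it parses a service class and lists every D-Bus-exported method that never calls the authorization check. The sample source is constructed to mirror the gap described, and the names `dbus_service_method` and `accessCheck` are assumptions made for the illustration.

```python
import ast

# Constructed sample, not firewalld's source. The decorator and helper names
# below are assumptions made for this illustration.
EXPORT_DECORATOR = "dbus_service_method"  # marks a method as reachable over D-Bus
CHECK_CALL = "accessCheck"                # authorization check expected in each one

SAMPLE = '''
class FirewallD:
    @dbus_service_method("direct")
    def addPassthrough(self, ipv, args, sender=None):
        self.accessCheck(sender)
        self.fw.direct.add_passthrough(ipv, args)
    @dbus_service_method("direct")
    def removePassthrough(self, ipv, args, sender=None):
        self.fw.direct.remove_passthrough(ipv, args)
    @dbus_service_method("ipset")
    def addEntry(self, ipset, entry, sender=None):
        self.accessCheck(sender)
        self.fw.ipset.add_entry(ipset, entry)
    @dbus_service_method("ipset")
    def removeEntry(self, ipset, entry, sender=None):
        self.accessCheck(sender)
        self.fw.ipset.remove_entry(ipset, entry)
    def _log(self, msg):
        print(msg)
'''


def _name(node):
    """Name of a decorator or call target: foo, obj.foo, foo(...), obj.foo(...)."""
    if isinstance(node, ast.Call):
        node = node.func
    return getattr(node, "attr", None) or getattr(node, "id", None)


def unchecked_methods(source):
    """Exported methods whose body never calls the authorization check."""
    missing = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        if EXPORT_DECORATOR not in [_name(d) for d in func.decorator_list]:
            continue  # not reachable over the bus, e.g. _log
        calls = [_name(n) for n in ast.walk(func) if isinstance(n, ast.Call)]
        if CHECK_CALL not in calls:
            missing.append(func.name)
    return sorted(missing)
```

The audit only proves that the check is present somewhere in the method body, not that it runs before the state change on every path, so a reported-clean method still needs a reviewer's eye.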

AsciiWolf (asciiwolf) wrote :

Any news?

AsciiWolf (asciiwolf) wrote :

Still not fixed in Xenial!

AsciiWolf (asciiwolf) wrote :

Still not fixed in Xenial.

Lucas Kocia (lkocia) wrote :

Almost the same patch as jbicha's, except with an additional line added to handle direct.removePassthrough as seth-arnold requested. ipset.setEntries does not appear to exist in this version.

Lucas Kocia (lkocia) on 2017-10-26
Changed in firewalld (Ubuntu Xenial):
status: Confirmed → Fix Released
Lucas Kocia (lkocia) wrote :

I've subscribed ubuntu_sponsors in an effort to get this fix to the next xenial SRU release. Until then you can find the patched version on my ppa:

deb http://ppa.launchpad.net/lkocia/firewalld/ubuntu xenial main
deb-src http://ppa.launchpad.net/lkocia/firewalld/ubuntu xenial main

(Add above two lines to your /etc/apt/sources.list)

Jeremy Bicha (jbicha) wrote :

Thank you for helping to make Ubuntu better!

Since this is a proposed security update, I subscribed ubuntu-security-sponsors instead of ubuntu-sponsors.

Lucas Kocia (lkocia) wrote :

Thanks Jeremy.

Is there any movement on this from ubuntu-security-sponsors for SRU? I don't see this on their open bug subscriptions etc.

Marc Deslauriers (mdeslaur) wrote :

@Lucas: you marked the bug as "Fix Released", so it's not appearing on any lists.

I'll set it back to Confirmed.

Changed in firewalld (Ubuntu Xenial):
status: Fix Released → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package firewalld - 0.4.0-1ubuntu0.1

---------------
firewalld (0.4.0-1ubuntu0.1) xenial-security; urgency=medium

  * SECURITY UPDATE: Any logged in user could modify passthrough rules
    and set ipset entries (LP: #1617617)
    - debian/patches/CVE-2016-5410.patch: Enforce appropriate PolicyKit
      authentication requirements, based on upstream 0.4.3.3 commit
    - CVE-2016-5410

 -- Lucas Kocia <email address hidden> Wed, 25 Oct 2017 21:03:52 -0400

Changed in firewalld (Ubuntu Xenial):
status: Confirmed → Fix Released
Seth Arnold (seth-arnold) wrote :

Thanks Lucas, I made some small fixes to the changelog for the -security pocket and to pick a version number that would more accurately reflect the changes (there's more examples at https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update_the_packaging ).

The update should be on the mirrors soon.

Thanks

This report contains Public Security information
Everyone can see this security related information.
