ubuntu-advantage-desktop-daemon (pro client in general) may expose the pro token to other users

Bug #2068944 reported by Marco Trevisan (Treviño)
Affects                                   Status        Importance  Assigned to               Milestone
ubuntu-advantage-desktop-daemon (Ubuntu)  Fix Released  High        Marco Trevisan (Treviño)
ubuntu-advantage-tools (Ubuntu)           Triaged       High        Unassigned

Bug Description

While attaching through a desktop application, the u-a-desktop-daemon may call the pro process via

  /usr/bin/python3 /usr/bin/ua attach ZCAb12TN2..........

And the token is visible to any user able to `ps` the system, potentially causing this info to be leaked.

Just use

  gdbus call --system --dest com.canonical.UbuntuAdvantage \
  --object-path /com/canonical/UbuntuAdvantage/Manager \
  --method com.canonical.UbuntuAdvantage.Manager.Attach "$TOKEN"

and the pro client attaching with the visible token will show up in the result of `ps aux|grep attach`

To prevent this from happening, the attach should pass the token to the client via an environment variable or a non-readable --attach-config file.

In fact this happens even when attaching manually, as suggested on the official Ubuntu Pro website, but I feel it's not what we should ever do, since passing a private token via args may cause it to be leaked.

As for the usage of the pro client itself, it should *always* go through a getpass-like or some other interactive way (if we want to keep it readable).

---

One way for the pro client to avoid exposing this for a long time, as it does now, would be, at least, to just make it re-exec itself when the token is passed as an argument, passing it as an internal env variable instead (better than creating a temporary attach-config, since that would imply IO and so a potential slowdown).

---

ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: ubuntu-advantage-desktop-daemon 1.10~22.04.1
ProcVersionSignature: Ubuntu 6.8.0-35.35-generic 6.8.4
Uname: Linux 6.8.0-35-generic x86_64
ApportVersion: 2.20.11-0ubuntu82.5
Architecture: amd64
CasperMD5CheckResult: unknown
CurrentDesktop: ubuntu:GNOME
Date: Tue Jun 11 02:39:48 2024
InstallationDate: Installed on 2010-07-10 (5084 days ago)
InstallationMedia: Ubuntu 10.04 LTS "Lucid Lynx" - Release amd64 (20100429)
RebootRequiredPkgs: Error: path contained symlinks.
SourcePackage: ubuntu-advantage-desktop-daemon
UpgradeStatus: Upgraded to jammy on 2020-06-14 (1457 days ago)
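The mitigation the report asks for (a private attach-config file instead of a command-line argument), shown as added illustration code that is not the daemon's or ubuntu-advantage-tools' own code; it assumes a stand-in child process in place of `pro attach --attach-config <path>` and a `token:` YAML key for the config file:

```python
import os
import stat
import subprocess
import sys
import tempfile

SAMPLE_TOKEN = "C1ConstructedSampleTokenNotReal"  # constructed, not a real token

def argv_exposes_token(argv, token):
    """True if the token is in argv, i.e. visible via `ps` and /proc/<pid>/cmdline."""
    return any(token in arg for arg in argv)

def write_private_attach_config(token):
    """Write the token to a file only this user can read: mkstemp() creates it
    mode 0600 and O_EXCL, so no other user can open or pre-create it.
    The `token:` YAML key is an assumption about the attach-config format."""
    fd, path = tempfile.mkstemp(prefix="attach-config-", suffix=".yaml")
    try:
        with os.fdopen(fd, "w") as f:
            f.write("token: %s\n" % token)
    except BaseException:
        os.unlink(path)
        raise
    return path

def attach_via_private_file(token, build_argv):
    """build_argv(path) returns the client argv (the daemon would build
    `pro attach --attach-config <path>`). The file is unlinked once the
    child exits. Returns (argv, file mode, child stdout)."""
    path = write_private_attach_config(token)
    try:
        mode = stat.S_IMODE(os.stat(path).st_mode)
        argv = build_argv(path)
        out = subprocess.run(argv, capture_output=True, text=True, check=True).stdout
    finally:
        os.unlink(path)
    return argv, mode, out

def _simulated_client(path):
    # Stand-in for `pro attach --attach-config`: echo the token read from the file.
    return [sys.executable, "-c",
            "import sys; print(open(sys.argv[1]).read().split()[1])", path]

def demo():
    # Pattern from the report: the token is an argument of the child process.
    leaky = [sys.executable, "/usr/bin/ua", "attach", SAMPLE_TOKEN]
    argv, mode, out = attach_via_private_file(SAMPLE_TOKEN, _simulated_client)
    return {"leaky": argv_exposes_token(leaky, SAMPLE_TOKEN),
            "fixed": argv_exposes_token(argv, SAMPLE_TOKEN),
            "mode": mode, "child_saw_token": out.strip() == SAMPLE_TOKEN}
```

The child still receives the token (it reads it from the file), but nothing in its argument vector, and therefore nothing in `ps` output, contains it.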

CVE References

Marco Trevisan (Treviño) (3v1n0) wrote :
Changed in ubuntu-advantage-tools (Ubuntu):
status: New → Triaged
description: updated
Marco Trevisan (Treviño) (3v1n0) wrote :

Not sure if this also affects the API call `u.pro.attach.magic.wait.v1`, where the magic is passed, since in such a case we should rely on further user interaction, so it shouldn't really be a problem.

However, I guess the `api` calls should also support reading from a file other than stdin.

description: updated
description: updated
Changed in ubuntu-advantage-desktop-daemon (Ubuntu):
assignee: nobody → Marco Trevisan (Treviño) (3v1n0)
status: Triaged → In Progress
Marco Trevisan (Treviño) (3v1n0) wrote :
description: updated
description: updated
description: updated
description: updated
Changed in ubuntu-advantage-tools (Ubuntu):
assignee: nobody → Sebastien Bacher (seb128)
importance: Undecided → High
status: Triaged → Fix Committed
information type: Private Security → Public Security
Mark Esler (eslerm) wrote :

Please refer to this issue as CVE-2024-6388.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-advantage-desktop-daemon - 1.12

---------------
ubuntu-advantage-desktop-daemon (1.12) oracular; urgency=medium

  * Pass the token via a private temporary attach config file (lp: #2068944)

 -- Sebastien Bacher <email address hidden> Thu, 27 Jun 2024 14:31:53 +0200

Changed in ubuntu-advantage-desktop-daemon (Ubuntu):
status: In Progress → Fix Released
Changed in ubuntu-advantage-tools (Ubuntu):
assignee: Sebastien Bacher (seb128) → nobody
status: Fix Committed → Invalid
status: Invalid → Triaged
This report contains Public Security information
Everyone can see this security related information.