CVE-2022-1348 Logrotate's state file is vulnerable during lock acquisition and release, which could allow parallel logrotate executions.
A local attacker can exploit the flaw by writing log files that trigger a specific sequence of actions. On systems that do not use syslog, such as a remote Nginx or Apache server, the attacker can cause log rotation to stop by setting the permissions on a log file to 644. On systems that use syslog, such as Ubuntu and Debian, the attacker can cause log rotation to stop by adding a line to /etc/syslog.conf that redirects all messages destined for a specific file to a different rotated log.
In both cases, the attacker can then read the targeted log file and find details about the system, such as the root password.
As a precaution, logrotate versions 3.20.0 and above create the state file without world-readable permissions, so an unprivileged user can no longer create a state file.
On Debian and Ubuntu, users can upgrade logrotate from the Ubuntu package repository by using the apt-get upgrade command.
On Red Hat and CentOS, users can upgrade logrotate from the Red Hat Package Repository by using the yum upgrade command.
SUSE users can upgrade logrotate from the SUSE Linux Enterprise Server or SUSE OpenStack repositories by using the zypper update command.
The following
Debian and Ubuntu
To fix this flaw, the following command can be used:
sudo logrotate -f /etc/logrotate.conf
The following command can be used to prevent attackers from reading local log files by changing the permissions of a log file:
sudo chattr +i /var/log/<logfile>
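As an added example (not part of this advisory or of the logrotate project), the following POSIX shell audit checks whether the logrotate state file is world-accessible and whether the installed logrotate is at least the fixed 3.20.0; the two state file paths are assumed distro defaults, not values taken from the advisory.

```shell
#!/bin/sh
# Added audit, not from the advisory or the logrotate project. State file paths
# below are assumed distro defaults (Debian/Ubuntu, then RHEL/CentOS/Fedora).

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Returns 0 if "other" has no permission bits (the post-3.20.0 behaviour),
# 1 if the file is world-readable/-writable, 2 if it does not exist.
state_file_is_private() {
    f="$1"
    [ -e "$f" ] || return 2
    mode=$(file_mode "$f")
    other=${mode#"${mode%?}"}   # last octal digit = permissions for "other"
    [ "$other" = "0" ]
}

# Returns 0 when a version string (e.g. 3.20.0) is at least the fixed 3.20.0.
version_is_fixed() {
    v="$1"
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 20 ]; }
}

audit() {
    for f in /var/lib/logrotate/status /var/lib/logrotate/logrotate.status; do
        rc=0
        state_file_is_private "$f" || rc=$?
        case $rc in
            0) echo "OK   $f mode $(file_mode "$f"): not world-accessible" ;;
            1) echo "WARN $f mode $(file_mode "$f"): world-accessible, upgrade and chmod 0640" ;;
        esac
    done
    if command -v logrotate >/dev/null 2>&1; then
        ver=$(logrotate --version 2>&1 | awk '{print $2; exit}')
        if version_is_fixed "$ver"; then
            echo "OK   logrotate $ver includes the 3.20.0 fix"
        else
            echo "WARN logrotate $ver predates 3.20.0"
        fi
    fi
}

# Run the audit only when invoked as `sh audit.sh audit`, so sourcing has no side effects.
if [ "${1:-}" = "audit" ]; then audit; fi
```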
Timeline
Published on: 05/25/2022 16:15:00 UTC
Last modified on: 06/12/2022 03:15:00 UTC
References
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2022-1348
- http://www.openwall.com/lists/oss-security/2022/05/25/3
- http://www.openwall.com/lists/oss-security/2022/05/25/4
- http://www.openwall.com/lists/oss-security/2022/05/25/5
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZYEB4F37BY6GLEJKP2EPVAVQ6TA3HQKR/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y7EHGYRE6DSFSBXQIWYDGTSXKO6IFSJQ/
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1348