linux-audit.redhat.com archive mirror
 help / color / mirror / Atom feed
From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: open_by_handle_at and CVE-2020-35501
Date: Thu, 25 Feb 2021 17:14:38 -0500	[thread overview]
Message-ID: <7230785.EvYhyI6sBW@x2> (raw)

Hello,

There was an announcement on the oss-security mail list a week ago:

https://seclists.org/oss-sec/2021/q1/155

regarding auditing of the open_by_handle_at system call. They are using a 
rule like this:

-a always,exit -F path=/path/to/file  -F perm=wr

and expecting that we have an audit record when opened using the 
name_to_handle_at/open_by_handle_at syscall pair. 

I run a study of my system by adding audit rules for each of the syscalls. 
What I found was that the name_to_handle_at seems to be used by systemd and 
it only passes a relative file name. This makes the audit event next to 
useless.

And interestingly I have no events for open_by_handle_at in spite of systemd 
preparing to use it. So, I don't have any idea what the audit event would 
look like.

In any event, they are asking what upstream audit is going to do about this? 
In looking into open_by_handle_at, I found that it was used in an exploit 
against docker some time ago where it was possible to bruteforce the handle. 
Of cource you need CAP_DAC_READ_SEARCH to call it.

https://www.programmersought.com/article/54607139735/

I think we should do something, not sure what. Simply adding the syscall to 
the open perms machinery will get an event, but probably nothing usable. You 
could at least see who is doing it and with what program.

In the meantime, people can use the syscall rules to audit for any occurance. 
I think the default rules do include it.

Cheers,
-Steve


--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit


             reply	other threads:[~2021-02-25 22:14 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-02-25 22:14 Steve Grubb [this message]
2021-02-25 22:28 ` Paul Moore
2021-03-02 15:10   ` Steve Grubb

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=7230785.EvYhyI6sBW@x2 \
    --to=sgrubb@redhat.com \
    --cc=linux-audit@redhat.com \
    --subject='Re: open_by_handle_at and CVE-2020-35501' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).