- Dec 19, 2024
Matthias Gerstner
SSSD (System Security Services Daemon) is a suite of daemons dealing with user authentication based on mechanisms like LDAP, Kerberos and FreeIPA. We found privilege escalation paths in a number of helper binaries running with raised Linux capabilities, when privilege separation is enabled.
- Dec 9, 2024
Matthias Gerstner
This is the second edition of our new spotlight series. Autumn is always a busy time at SUSE, when new service packs and products are prepared. This also results in an increased number of review requests arriving for the SUSE security team. This post features a mixture of D-Bus interfaces, Polkit authentication, temporary file handling issues, a small PAM module and setgid-binary, Varlink IPC in systemd as well as some other topics.
- Nov 29, 2024
Matthias Gerstner
Stalld is a daemon to prevent starvation of operating system threads on Linux. We discovered a problematic use of a fixed temporary file and other issues in the project, but upstream did not respond to our findings.
- Nov 26, 2024
Matthias Gerstner
In tuned version 2.23 new D-Bus methods have been added to its privileged daemon. We identified a couple of issues, including a local root exploit, in the additions.
- Nov 26, 2024
Matthias Gerstner
Authentik is a popular open source identity provider that can be self-hosted. While investigating the overall security of the project we discovered a remote timing attack weakness in the code. We also looked at the big picture of security in Authentik.
- Oct 4, 2024
Matthias Gerstner
oath-toolkit contains libraries and utilities for managing one-time password (OTP) authentication e.g. as a second factor to password authentication. Its pam_oath.so PAM module performs unsafe operations in directories potentially controlled by unprivileged users, leading to possible privilege escalation.
- Sep 18, 2024
Matthias Gerstner
Performance Co-Pilot (PCP) is a system for collecting system performance data and sharing it over the network. We performed a review of its main networking daemon component pmcd, which resulted in the finding of two CVEs and a couple of other noticeable aspects.
- Aug 13, 2024
Matthias Gerstner
Although there have been no major security findings in recent months, the SUSE security team has not been inactive. We revisited a couple of packages like Deepin desktop D-Bus services and the Croc file sharing tool, we finalized leftover KDE6 topics, checked up on our OpenSSH downstream patches, reviewed an age-old Emacs setuid binary and looked into an OpenVPN kernel module.
- May 22, 2024
Matthias Gerstner
A newly added D-Bus system service for gnome-remote-desktop release 46 exposes the remote desktop private SSL certificate to other local users.
- Apr 3, 2024
Matthias Gerstner
The dnf5 D-Bus daemon security issues we found previously have been incompletely fixed. This allows for local DoS and possibly privilege escalation.
- Apr 2, 2024
Matthias Gerstner, Filippo Bonazzi (proofread)
In the context of the KDE desktop version 6 major release we looked into a series of D-Bus services using Polkit for authentication. This led to a couple of interesting findings and insights.
- Mar 4, 2024
Matthias Gerstner
The dnf5 D-Bus service component allows local attackers with access to the system bus to gain root privileges or trigger denial-of-service.
- Feb 27, 2024
Matthias Gerstner
The pcp performance analysis toolkit operates as root in directories controlled by the pcp service user, which allows privilege escalation from the pcp user to root.
- Jan 22, 2024
Matthias Gerstner
This report deals with HTTP basic auth issues in the darkhttpd project. Darkhttpd is a minimal HTTP web server implemented in the C programming language, for serving static files.
- Jan 19, 2024
Matthias Gerstner
This is a report about a local denial of service vulnerability in the pam_namespace.so PAM module. This module is part of the core PAM modules that are found in the linux-pam project.
- Dec 14, 2023
Matthias Gerstner
This report is about a range of predictable /tmp path issues in various applications in the budgie-extras repository. This repository contains a range of helper applications for the Budgie desktop environment.
- Nov 23, 2023
Matthias Gerstner
This report is about the problematic use of fixed temporary paths in the hpps program from the hplip project. Hplip is a collection of utilities for HP printer and scanner devices.
- Oct 27, 2023
Matthias Gerstner
This is a report about findings in the Passim local caching server. Passim is a relatively new project for a local caching server that helps distribute publicly available files in local networks to save network bandwidth.
- Oct 27, 2023
Matthias Gerstner
During a routine review of the setuid-root binary vmware-user-suid-wrapper from the open-vm-tools repository, a security vulnerability was found. CVE-2023-34059 identifies the capability to hijack file descriptor in open-vm-tools.
- Oct 14, 2021
Wolfgang Frisch
check_smart.pl from version 6.1 through 6.9 contained insufficient input validation that allowed any unprivileged local user to modify SMART settings, disable SMART monitoring entirely, shut down a drive or degrade a drive's performance by disabling its read cache.