In this week’s digest, we discuss the following:
- Canceled async Redis commands leaving open connections;
- An access control issue in polkit that allows a service user to escalate privileges to root;
- A high-severity access control issue in Elementor Pro; and
- Sudo replay as a means of creating audit trails.
CVE-2023-28858: redis-py: Canceled async connections left open
redis-py is a Python interface to the Redis key-value store, supporting various abstract data types. Redis allows client connections to be made over TCP and supports async client handling.
The initial vulnerability, CVE-2023-28858, affecting redis-py versions below 4.5.3, occurs when an async Redis command is canceled after the command has been sent but before its response has been received. The connection is left open with that response still pending, so when the connection is reused, the stale response is delivered to an unrelated client. The root cause is the handling of canceled requests in the async client (client.py): once a command has been sent, the connection will always be awaiting its response, regardless of whether the command is later canceled.
While the initial vulnerability, CVE-2023-28858, was closed with a fix, a similar issue was reopened, citing that the fix was incomplete and left non-pipeline operations vulnerable. The remaining vulnerability, assigned CVE-2023-28859, was patched in a fix that addressed these data leakage issues in async connections across the board.
- The vulnerability has been addressed in redis-py version 4.5.4. Upgrading to the latest version is the recommended way to fix this issue.
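The cancellation race described above, as an added illustration that is not redis-py's own code: a toy asyncio connection pool and fake server (all names constructed) in which a command canceled between send and read leaves its reply queued on a recycled connection, so the next, unrelated caller receives it. The fixed variant discards the connection on cancellation instead of recycling it, a simplified version of the disconnect-on-cancel approach.

```python
import asyncio

class Connection:
    """Constructed stand-in for a client connection; the fake server replies later."""
    def __init__(self):
        self._replies = asyncio.Queue()
        self.closed = False

    def send_command(self, cmd):
        # The server answers every command, even one the client has given up on.
        asyncio.get_running_loop().call_later(0.5, self._replies.put_nowait, "reply:" + cmd)

    async def read_response(self):
        return await self._replies.get()

def checkout(pool):
    # Reuse an idle pooled connection unless it was closed; otherwise open a new one.
    conn = pool.pop() if pool else Connection()
    return Connection() if conn.closed else conn

async def execute_vulnerable(pool, cmd):
    conn = checkout(pool)
    try:
        conn.send_command(cmd)
        return await conn.read_response()  # cancelled here: reply stays queued
    finally:
        pool.append(conn)  # recycled with a reply still in flight

async def execute_fixed(pool, cmd):
    conn = checkout(pool)
    try:
        conn.send_command(cmd)
        return await conn.read_response()
    except asyncio.CancelledError:
        conn.closed = True  # drop the connection rather than reuse it mid-exchange
        raise
    finally:
        pool.append(conn)

async def _scenario(execute):
    pool = []
    task = asyncio.create_task(execute(pool, "GET secret_of_user_A"))
    await asyncio.sleep(0.05)  # command sent, reply not yet received
    task.cancel()
    await asyncio.wait([task])  # wait() does not re-raise the CancelledError
    # An unrelated client now reuses the pooled connection for its own command.
    return await execute(pool, "GET balance_of_user_B")

def run_scenario(execute):
    return asyncio.run(_scenario(execute))
```

run_scenario returns the reply the second, unrelated client receives: with execute_vulnerable it is user A's reply, with execute_fixed it is user B's own.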
polkit: default config writable for service user
polkit is a toolkit for defining and handling authorizations in Unix-like operating systems and is typically used to allow unprivileged processes to speak to privileged ones.
The issue lies with polkitd, the default service user: this user owns the location where polkit rules are stored (with permissions set to 700), so anyone who obtains code execution as polkitd could create rules that grant root privileges.
Although polkitd's login shell is set to 'nologin', a compromise of that service account could still lead to root privilege escalation in this hypothetical attack.
The mitigation recommended by the vulnerability reporter was to change the ownership and permissions of /etc/polkit-1/rules.d and /usr/share/polkit-1/rules.d to root:polkitd with mode 750, so that polkitd can read the rules but no longer write them. These changes were merged shortly thereafter.
- For existing installations of polkit, it is recommended to change the ownership and permissions of /etc/polkit-1/rules.d and /usr/share/polkit-1/rules.d to root:polkitd, 750.
- No new polkit release containing this patch had been published at the time of this digest; upgrading to the latest version of polkit is recommended once one is available.
Elementor Pro: high-severity access control issue
Elementor Pro is a popular premium WordPress plugin estimated to be used by over 12 million sites. This plugin provides professional-quality website builders, widgets, and integration with WooCommerce for commercial needs.
The vulnerability, which had not been assigned a CVE at the time of writing this digest, affects WordPress sites with both Elementor Pro and WooCommerce installed. Specifically, it occurs when the update_option function is called through an AJAX action in the WooCommerce module component. The update_option function should only allow a privileged user to update specific shop components; however, it does not restrict access to high-privileged users, and user input isn't validated.
This vulnerability can allow an attacker with a typical WooCommerce customer account to access the website's back-end. With this, attackers could create an administrator account, change the administrator's email address, and redirect all traffic to an external site.
- This vulnerability has been addressed in Elementor Pro version 3.11.7. Upgrading to the latest version is the recommended way to fix this issue.
sudo replay: creating audit trails
sudoreplay is a command-line utility, available in sudo 1.8, that plays back sudo session output logs. It can replay sessions in real time or at a speed specified on the command line.
In a blog published on Wott, author Viktor Petersson demonstrated how to configure sudo to write session logs and how to replay them with sudoreplay. With this method, every command run with sudo leaves an audit trail retrievable with sudoreplay.
As noted in the blog, if the /etc/sudoers file is not locked down properly, users can delete the audit trail by wiping /var/log/sudo-io.
- Shipping logs to a remote server, rather than storing them only locally, mitigates the risk of tampered logs.