CVE-2015-1870 in Automatic Bug Reporting Tool
Summary
by MITRE
The event scripts in Automatic Bug Reporting Tool (ABRT) use world-readable permissions on a copy of the sosreport file in problem directories, which allows local users to obtain sensitive information from /var/log/messages via unspecified vectors.
Analysis
by VulDB Data Team • 12/09/2022
CVE-2015-1870 resides in the Automatic Bug Reporting Tool (ABRT), specifically in how its event scripts handle file permissions when a sosreport is attached to a crash report. ABRT automatically collects diagnostic data when an application or the kernel crashes, which makes it a standard troubleshooting component on Fedora and Red Hat Enterprise Linux systems. The flaw is that the copy of the sosreport archive placed in a problem directory was created world-readable. Because that archive bundles data the event collected as root, information that should have stayed restricted became readable by every local account on the host.
Technically, the affected event scripts run after a crash has been recorded: they invoke sosreport, which needs root privileges to gather system-wide diagnostics, and copy the resulting archive into the problem directory. That copy was written with permissive permissions instead of an owner-only mode, so any local user able to reach the problem directory could read it and extract the bundled logs, including /var/log/messages, a file that unprivileged users normally cannot open. The "unspecified vectors" wording in the MITRE summary only means that the description does not enumerate how a user locates and opens the file; no privilege escalation technique is involved, ordinary read access to the world-readable copy is enough.
Operationally, this is a local information disclosure. /var/log/messages carries general syslog output: kernel messages, service start-up and error output, hardware and network details, hostnames, and whatever else local daemons write to syslog. A sosreport archive typically also bundles configuration files from /etc, the installed package list and network settings. A malicious local user can use this to map the system, identify vulnerable software versions and misconfigurations, and plan a follow-on attack against components that assume log data is confidential. The world-readable copy directly violates least privilege: data collected with root privileges was handed to every account on the machine.
The weakness maps to CWE-732, Incorrect Permission Assignment for Critical Resource: a sensitive artifact was created with permissions that let unauthorized principals read it. In ATT&CK terms the flaw is a source for T1005, Data from Local System (the adversary reads a file that should not be readable), and for T1082, System Information Discovery (the leaked logs describe the host's kernel, hardware, services and errors). A link to T1210, Exploitation of Remote Services, is only indirect: the leaked data may reveal service versions or misconfigurations that guide a later attack, but this vulnerability itself requires a local account and exploits nothing over the network.
Mitigation is, first, to update the abrt packages, because the defect is in the event script itself and any manual permission fix is undone the next time a crash triggers a sosreport. The correct behaviour is to create the copy with a restrictive mode from the start (0600, or 0640 if a dedicated group legitimately needs read access) rather than to chmod it afterwards, so there is no window in which the file is readable. Administrators should also audit existing problem directories for world-readable files, since archives produced before the update remain exposed, and can add a periodic check or permission monitoring that alerts when an unexpected mode appears there. Mandatory access control (the SELinux policy shipped with Fedora and RHEL confines abrtd) and file-system auditing add depth, but they do not replace the package fix.
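As an added example (not ABRT's own code or event script), the following POSIX shell shows both halves of the mitigation described above: a copy helper that creates its destination owner-only regardless of the caller's umask, and an audit that lists and repairs world-readable files under problem directories. The roots /var/spool/abrt and /var/tmp/abrt are assumed default locations; the demo function builds a constructed sandbox in a temporary directory so it can be run without touching the real spool, and contrasts the leaky copy pattern with the hardened one.

```shell
#!/bin/sh
# Added example: not ABRT's own code. Assumes the ABRT problem directory
# roots /var/spool/abrt and /var/tmp/abrt; demo() works in a constructed
# sandbox under mktemp so the real spool is never touched.

# Copy src to dst so that the copy is owner-only (0600) from the first
# instant: an explicit umask in a subshell overrides whatever umask the
# calling event script inherited, and an existing dst is removed so cp
# cannot silently keep a stale, permissive mode.
copy_restricted() {
    src="$1"
    dst="$2"
    rm -f "$dst"
    ( umask 077 && cp "$src" "$dst" )
}

# List regular files under a directory whose mode grants read to "other"
# (-perm -004: all of the bits in 004 are set).
world_readable_files() {
    find "$1" -type f -perm -004 2>/dev/null | sort
}

# Strip group and other bits from every such file.
fix_world_readable() {
    find "$1" -type f -perm -004 -exec chmod 0600 {} \; 2>/dev/null
}

# Audit the assumed default problem directory roots on a real host.
audit_abrt() {
    for d in /var/spool/abrt /var/tmp/abrt; do
        [ -d "$d" ] || continue
        world_readable_files "$d"
    done
}

# Self-contained demonstration on constructed data. Prints
# "<world-readable names before fix> <count remaining after fix>".
demo() {
    sandbox=$(mktemp -d) || return 1
    problem="$sandbox/ccpp-constructed-0001"   # constructed problem dir name
    mkdir -m 0700 "$problem"
    src="$sandbox/sosreport.tar.xz"            # constructed stand-in archive
    printf 'constructed sosreport bytes\n' > "$src"
    chmod 0644 "$src"

    # Vulnerable pattern: a plain cp under the usual 022 umask leaves the
    # copy 0644, readable by every local user.
    ( umask 022 && cp "$src" "$problem/sosreport-leaky.tar.xz" )

    # Hardened pattern: the copy is created 0600.
    copy_restricted "$src" "$problem/sosreport.tar.xz"

    leaky=$(world_readable_files "$problem" | while read -r f; do basename "$f"; done | paste -s -d , -)
    fix_world_readable "$problem"
    remaining=$(world_readable_files "$problem" | wc -l | tr -d ' ')

    rm -rf "$sandbox"
    printf '%s %s\n' "$leaky" "$remaining"
}

demo
```

Run the script directly to see the demo; on a real host, call audit_abrt as root to list exposed files and fix_world_readable on each affected directory to repair them. The repair is only a stop-gap for archives that already exist: the copy helper (or the vendor's patched event script) is what prevents the next crash from recreating the problem.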