Bug#1051896: rkhunter: CVE-2023-4413

2023-09-14 Thread Richard Lewis
On Thu, 14 Sep 2023, 06:00 Francois Marier,  wrote:

> On 2023-09-13 at 14:15:53, Moritz Mühlenhoff (j...@inutil.org) wrote:
> > https://gist.github.com/MatheuZSecurity/16ef0219db8f85f49f945a25d5eb42d7
>
> My summary of this is: it's possible to figure out what files/ports/etc.
> rkhunter is looking for by looking at the log file.
>
> That log file is:
>
>   -rw-r-  1 root  adm 502K 13 sep 07:41 rkhunter.log
>
> and on my machine that means only root and logcheck can see it:
>
>   $ grep adm /etc/group
>   adm:x:4:logcheck
>
> Of course, it's also possible to find out what files/ports/etc. rkhunter is
> looking for by looking in /usr/share/rkhunter/scripts/ or looking at the
> source code
> (https://sourceforge.net/p/rkhunter/rkh_code/ci/develop/tree/files/).
>
> So am I missing something here or is this simply not relevant given the
> rkhunter threat model of being an Open Source tool with a public database?
>
> Francois
>

I don't think you are missing anything - the CVE links to a GitHub gist
which boils down to "I can write a rootkit that rkhunter doesn't detect,
because I can find what strings rkhunter looks for in a log" - as you say,
the strings are in the source code anyway. And calling this a security
issue is a bit odd really.

rkhunter detects a number of known rootkits with some quite basic string
matching - it can't possibly detect arbitrary variations.

Possibly they have over-interpreted the "hunter" part of the name
rkhunter!


Bug#1051896: rkhunter: CVE-2023-4413

2023-09-13 Thread Francois Marier
On 2023-09-13 at 14:15:53, Moritz Mühlenhoff (j...@inutil.org) wrote:
> https://gist.github.com/MatheuZSecurity/16ef0219db8f85f49f945a25d5eb42d7

My summary of this is: it's possible to figure out what files/ports/etc.
rkhunter is looking for by looking at the log file.

That log file is:

  -rw-r-  1 root  adm 502K 13 sep 07:41 rkhunter.log

and on my machine that means only root and logcheck can see it:

  $ grep adm /etc/group
  adm:x:4:logcheck

Of course, it's also possible to find out what files/ports/etc. rkhunter is
looking for by looking in /usr/share/rkhunter/scripts/ or looking at the
source code
(https://sourceforge.net/p/rkhunter/rkh_code/ci/develop/tree/files/).

So am I missing something here or is this simply not relevant given the
rkhunter threat model of being an Open Source tool with a public database?

Francois
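The two checks Francois describes above (who the log file's mode lets read it, and who is in its group) can be turned into a small audit, as an added example that is not part of this bug thread or of rkhunter itself. It assumes a Linux host with GNU coreutils `stat -c` and glibc `getent`; the log path is a placeholder argument, defaulting to the path named in the CVE text.

```shell
#!/bin/sh
# Added example (not from the bug thread or the rkhunter project): audit
# whether a log file is readable beyond its owner and group, and report who
# that group's membership actually is. Assumes GNU stat(1) and getent(1).

# Return 0 when the "other" permission bits of FILE are all zero, i.e. users
# outside the owner and group cannot read (or write/execute) it.
not_world_readable() {
    f="$1"
    mode=$(stat -c '%a' "$f") || return 2   # e.g. 640
    other=$(( mode % 10 ))                  # last octal digit = "other" bits
    [ "$other" -eq 0 ]
}

# Print the owner, the group, and the group's member list for FILE, which is
# what determines who besides root can read a 640-mode log.
log_readers() {
    f="$1"
    owner=$(stat -c '%U' "$f") || return 2
    group=$(stat -c '%G' "$f") || return 2
    members=$(getent group "$group" 2>/dev/null | cut -d: -f4)
    printf 'owner=%s group=%s members=%s\n' "$owner" "$group" "${members:-<none>}"
}

# Audit one file: report readers and flag a world-readable mode.
audit_log() {
    f="$1"
    [ -f "$f" ] || { printf '%s: no such file\n' "$f"; return 2; }
    log_readers "$f"
    if not_world_readable "$f"; then
        printf '%s: not readable by other (ok)\n' "$f"
    else
        printf '%s: WORLD-READABLE, tighten with chmod o-rwx\n' "$f"
        return 1
    fi
}

# Stand-alone use: audit the path given as $1, defaulting to the log file
# named in the CVE description (placeholder; adjust for your system).
LOG="${1:-/var/log/rkhunter.log}"
if [ -f "$LOG" ]; then
    audit_log "$LOG"
fi
```

On the host described in the message, `audit_log /var/log/rkhunter.log` would print the `root`/`adm` ownership with `logcheck` as the only group member and report the 640 mode as ok; a 644 mode would be flagged.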



Bug#1051896: rkhunter: CVE-2023-4413

2023-09-13 Thread Moritz Mühlenhoff
Source: rkhunter
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for rkhunter.

CVE-2023-4413[0]:
| A vulnerability was found in rkhunter Rootkit Hunter 1.4.4/1.4.6. It
| has been classified as problematic. Affected is an unknown function
| of the file /var/log/rkhunter.log. The manipulation leads to
| sensitive information in log files. An attack has to be approached
| locally. The complexity of an attack is rather high. The
| exploitability is told to be difficult. The exploit has been
| disclosed to the public and may be used. The identifier of this
| vulnerability is VDB-237516.

https://gist.github.com/MatheuZSecurity/16ef0219db8f85f49f945a25d5eb42d7


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-4413
https://www.cve.org/CVERecord?id=CVE-2023-4413

Please adjust the affected versions in the BTS as needed.