Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Bug#1051896: rkhunter: CVE-2023-4413
11 views
Skip to first unread message
Moritz Mühlenhoff
Sep 13, 2023, 5:20:05 PM9/13/23
to
Source: rkhunter
X-Debbugs-CC: te...@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for rkhunter.
CVE-2023-4413[0]:
| A vulnerability was found in rkhunter Rootkit Hunter 1.4.4/1.4.6. It
| has been classified as problematic. Affected is an unknown function
| of the file /var/log/rkhunter.log. The manipulation leads to
| sensitive information in log files. An attack has to be approached
| locally. The complexity of an attack is rather high. The
| exploitability is told to be difficult. The exploit has been
| disclosed to the public and may be used. The identifier of this
| vulnerability is VDB-237516.
https://gist.github.com/MatheuZSecurity/16ef0219db8f85f49f945a25d5eb42d7
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-4413
https://www.cve.org/CVERecord?id=CVE-2023-4413
Please adjust the affected versions in the BTS as needed.
X-Debbugs-CC: te...@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for rkhunter.
CVE-2023-4413[0]:
| A vulnerability was found in rkhunter Rootkit Hunter 1.4.4/1.4.6. It
| has been classified as problematic. Affected is an unknown function
| of the file /var/log/rkhunter.log. The manipulation leads to
| sensitive information in log files. An attack has to be approached
| locally. The complexity of an attack is rather high. The
| exploitability is told to be difficult. The exploit has been
| disclosed to the public and may be used. The identifier of this
| vulnerability is VDB-237516.
https://gist.github.com/MatheuZSecurity/16ef0219db8f85f49f945a25d5eb42d7
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-4413
https://www.cve.org/CVERecord?id=CVE-2023-4413
Please adjust the affected versions in the BTS as needed.
Francois Marier
Sep 14, 2023, 1:10:05 AM9/14/23
to
On 2023-09-13 at 14:15:53, Moritz Mühlenhoff (j...@inutil.org) wrote:
> https://gist.github.com/MatheuZSecurity/16ef0219db8f85f49f945a25d5eb42d7
My summary of this is: it's possible to figure out what files/ports/etc.
rkhunter is looking for by looking at the log file.
That log file is:
-rw-r----- 1 root adm 502K 13 sep 07:41 rkhunter.log
and on my machine that means only root and logcheck can see it:
$ grep adm /etc/group
adm:x:4:logcheck
Of course, it's also possible to find out what files/ports/etc. rkhunter is
looking for by looking in /usr/share/rkhunter/scripts/ or looking at the
source code
(https://sourceforge.net/p/rkhunter/rkh_code/ci/develop/tree/files/).
So am I missing something here or is this simply not relevant given the
rkhunter threat model of being an Open Source tool with a public database?
Francois
> https://gist.github.com/MatheuZSecurity/16ef0219db8f85f49f945a25d5eb42d7
My summary of this is: it's possible to figure out what files/ports/etc.
rkhunter is looking for by looking at the log file.
That log file is:
-rw-r----- 1 root adm 502K 13 sep 07:41 rkhunter.log
and on my machine that means only root and logcheck can see it:
$ grep adm /etc/group
adm:x:4:logcheck
Of course, it's also possible to find out what files/ports/etc. rkhunter is
looking for by looking in /usr/share/rkhunter/scripts/ or looking at the
source code
(https://sourceforge.net/p/rkhunter/rkh_code/ci/develop/tree/files/).
So am I missing something here or is this simply not relevant given the
rkhunter threat model of being an Open Source tool with a public database?
Francois
Richard Lewis
Sep 14, 2023, 7:10:05 AM9/14/23
to
I dont think you are missing anything - the cve links to a githab gist which boils down to "i can write a rootkit that rkhunter doesnt detect, because i can find what strings rkhunter looks for in a log" - as you say, the strings are in the source code anyway. And calling this a security issue is a bit odd really.
rkhunter detects a number of known rootkits with some quite basic string matching - it cant possibly detect arbitrary variations.
possibly they have reported over-interpreted the "hunter" part of the name rkhunter!
0 new messages