An internal security audit at SUSE has come across a potential security issue in the check_smart script, a monitoring plugin to check physical hard-, solid sate and NVMe drives.
Since version 6.1, the -d parameter also supports a so-called pseudo device, located at /dev/bus/XX and representing drive(s) behind a raid controller in certain systems. To detect this path in the input, the regular expression was not good enough. This lead to the possibility, that someone could use whatever path as input, as long as it contained the string "/dev/bus" and a number:
$ sudo ./check_smart.pl -d /tmp/dev/bus/99 -i ata
[sudo] password for ck:
UNKNOWN: Drive S/N : No health status line found|
To execute check_smart, sudo privileges are (unfortunately) required. The monitoring plugin launches smartctl in the background. Even though smartctl does not execute the path in any way but rather tries to read from it, it cannot be excluded that some method exists to execute the path.
The regex was fixed in the newest release 6.9.1 and an attempt to use a path outside of /dev/ results in the following error now:
$ sudo ./check_smart.pl -d /tmp/dev/bus/99 -i ata
[sudo] password for ck:
Could not find any valid block/character special device for device /tmp/dev/bus/99 !
As 6.9.1 is a security release, an update is strongly recommended.
Thanks to Wolfgang Frisch from SUSE for the great collaboration and information exchange.
This (security) bug has been published as CVE-2021-42257 on October 11th 2021.
ck from Switzerland wrote on Oct 15th, 2021:
DimeCadmium, no, I was not aware of this. Thank you for your e-mail for reporting this.
DimeCadmium from wrote on Oct 14th, 2021:
Did you also fix your parameter quoting issues (as on display in the oss-security posting)?
AWS Android Ansible Apache Apple Atlassian BSD Backup Bash Bluecoat CMS Chef Cloud Coding Consul Containers CouchDB DB DNS Database Databases Docker ELK Elasticsearch Filebeat FreeBSD Galera Git GlusterFS Grafana Graphics HAProxy HTML Hacks Hardware Icinga Influx Internet Java KVM Kibana Kodi Kubernetes LVM LXC Linux Logstash Mac Macintosh Mail MariaDB Minio MongoDB Monitoring Multimedia MySQL NFS Nagios Network Nginx OSSEC OTRS Office PGSQL PHP Perl Personal PostgreSQL Postgres PowerDNS Proxmox Proxy Python Rancher Rant Redis Roundcube SSL Samba Seafile Security Shell SmartOS Solaris Surveillance Systemd TLS Tomcat Ubuntu Unix VMWare VMware Varnish Virtualization Windows Wireless Wordpress Wyse ZFS Zoneminder