DavFS2: Local privilege escalation — GLSA 201612-02

A vulnerability in DavFS2 allows local users to gain root privileges.

Affected packages

net-fs/davfs2 on all architectures
Affected versions < 1.5.2
Unaffected versions >= 1.5.2

Background

DavFS2 is a file system driver that allows you to mount a WebDAV server as a local disk drive.

Description

DavFS2 installs “/usr/sbin/mount.davfs” as setuid root. This utility uses “system()” to call “/sbin/modprobe”.

While the call to “modprobe” itself cannot be manipulated, a local authenticated user can set the “MODPROBE_OPTIONS” environment variable to pass a user controlled path, allowing the loading of an arbitrary kernel module.

Impact

A local user could gain root privileges.

Workaround

The system administrator should ensure that all modules the “mount.davfs” utility tries to load are loaded upon system boot before any local user can call the utility.

An additional defense measure can be implemented by enabling the Linux kernel module signing feature. This assists in the prevention of arbitrary modules being loaded.

Resolution

All DavFS2 users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-fs/davfs2-1.5.2"
 

References

Release date
December 02, 2016

Latest revision
December 02, 2016: 1

Severity
normal

Exploitable
local

Bugzilla entries