[OpenAFS-announce] Security update for OpenAFS macOS packages from download.sinenomine.net

Michael Meffie openafs-info@openafs.org
Wed, 13 Nov 2024 16:46:34 -0500



Topic: Security update for pre-built OpenAFS macOS packages from download.sinenomine.net

Affected: OpenAFS client versions 1.8.8.1 - 1.8.11 running macOS 11 - 14
          with packaging provided by Sine Nomine Associates

SUMMARY
=======

During internal code review, a privilege escalation vulnerability was
recently discovered in the macOS packaging for the OpenAFS client
provided by Sine Nomine Associates. This vulnerability allows a local
unprivileged user to read or write any file on local disk with root
privileges by sending a specially-crafted XPC request to the OpenAFS
prefpane privileged helper daemon.

OpenAFS itself has published no security advisory for this issue, because
the affected macOS packaging is not yet part of the releases published by
openafs.org.

IMPACT
======

A local unprivileged user can read or write any local file with root
privileges, which in practice allows an attacker to run arbitrary code as
root. Files in AFS are not affected, because the local root user typically
has no write access to files in AFS. Files protected by macOS's System
Integrity Protection (SIP) cannot be modified even by root, and so cannot
be modified via this vulnerability.

AFFECTED SOFTWARE
=================

All releases of macOS OpenAFS .dmg packages distributed via
https://download.sinenomine.net/ starting from 1.8.8.1, up to and
including 1.8.11, for macOS 11 to 14.

FIX
===

The issue mentioned in this alert is fixed in the packages provided for OpenAFS
1.8.13, available at:

https://download.sinenomine.net/openafs/bins/1.8.13/macos-12/
https://download.sinenomine.net/openafs/bins/1.8.13/macos-13/
https://download.sinenomine.net/openafs/bins/1.8.13/macos-14/

Source code for the fixed packaging is available from Sine Nomine upon
request.

Sine Nomine recommends that all affected sites upgrade all macOS clients
to OpenAFS 1.8.13 with the macOS packaging provided above. To make sure
all vulnerable code is removed, it is recommended that you first
uninstall any existing OpenAFS client using the uninstaller script in
1.8.13, not the uninstaller script in the installed OpenAFS client. For
example, if OpenAFS 1.8.11 is installed, use the uninstaller script from
1.8.13; it is designed to work even though it is for a different
version. Then install OpenAFS 1.8.13, and reboot the system.

If you simply uninstall an older version of the OpenAFS client instead
of upgrading, you must also use the uninstaller script included with
version 1.8.13, not the uninstaller script in the installed OpenAFS
client.

If you have already uninstalled OpenAFS using the uninstaller script
from an older version, follow the instructions in WORKAROUNDS to make
sure the daemon has been removed from your system.

WORKAROUNDS
===========

To avoid this issue without upgrading (or after uninstalling OpenAFS),
you can prevent the privileged helper daemon from running by running the
following commands (on current macOS releases, "sudo launchctl bootout
system /Library/LaunchDaemons/privhelper-launchd.plist" is the
non-deprecated equivalent of the unload step; either form works here,
since the plist is deleted immediately afterwards):

$ sudo launchctl unload -w /Library/LaunchDaemons/privhelper-launchd.plist
$ sudo rm -f /Library/LaunchDaemons/privhelper-launchd.plist
$ sudo rm -f /Library/PrivilegedHelperTools/org.openafs.privhelper

To check that the daemon is no longer running, run:

$ ps -ef | grep "org[.]openafs[.]privhelper"

If the daemon is no longer running, this command should show no output.
If the daemon is still running, the output will look similar to this:

$ ps -ef | grep "org[.]openafs[.]privhelper"
0 118 1 0 9:35AM ?? 0:00.01 /Library/PrivilegedHelperTools/org.openafs.privhelper

Removing this daemon will prevent the OpenAFS prefpane plugin from
working properly, as well as the OpenAFS menu bar. To restore this
functionality, upgrade to the 1.8.13 OpenAFS client.


DETAILS
=======

The OpenAFS prefpane plugin needs to perform some operations as root, such as
modifying OpenAFS client configuration, starting and stopping the OpenAFS
client, etc. macOS version 10.7 removed the interfaces used by the upstream
OpenAFS prefpane plugin to run privileged operations, and Sine Nomine updated
the macOS packaging to communicate with a separate privileged helper daemon
using XPC.

The privileged helper daemon provided in this new packaging did not properly
verify that XPC requests came from the OpenAFS prefpane plugin or menu bar and
were authorized to run commands as root, allowing any local user to provide
specially crafted requests to cause the privileged helper daemon to write to
any path as root. The fixed packaging updates the privileged helper daemon to
verify the code signature of incoming XPC requests, and requires each request
to provide authorization for running commands as root.
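The two checks described above, shown as an added example of a privileged
XPC helper; this is not Sine Nomine's or OpenAFS's code, and the Mach
service label, authorization right name, client bundle identifier, Team ID
and protocol are placeholders chosen for illustration. The helper (1) only
accepts connections from a client whose code signature satisfies a fixed
requirement and (2) demands an admin authorization for each privileged
request, so a connection from an arbitrary local process, or a request
without a valid authorization, is refused before any file is touched.

```objective-c
// Added example (not OpenAFS or Sine Nomine code). All names below are
// hypothetical. Build: clang -fobjc-arc -framework Foundation -framework Security helper.m
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#include <mach/message.h>   // audit_token_t

static NSString * const kHelperMachService = @"org.example.afs.privhelper";  // hypothetical
static const char  *kWriteConfigRight      = "org.example.afs.writeconfig";  // hypothetical
// Requirement the client must satisfy: Apple-anchored chain, fixed bundle
// identifier and fixed signing Team ID (TEAMID0000 is a placeholder).
static NSString * const kClientRequirement =
    @"anchor apple generic and identifier \"org.example.afs.prefpane\""
    @" and certificate leaf[subject.OU] = \"TEAMID0000\"";

@protocol HelperProtocol
// Every request carries the client's AuthorizationExternalForm (32 bytes).
- (void)writeConfigFile:(NSString *)path contents:(NSData *)contents
          authorization:(NSData *)authExternalForm reply:(void (^)(NSError *error))reply;
@end

@interface Helper : NSObject <NSXPCListenerDelegate, HelperProtocol>
@end

@implementation Helper

// Register the right with an "authenticate as admin" rule on first run so
// that AuthorizationCopyRights has a policy to evaluate.
+ (void)installRightIfNeeded {
    AuthorizationRef auth = NULL;
    if (AuthorizationCreate(NULL, kAuthorizationEmptyEnvironment,
                            kAuthorizationFlagDefaults, &auth) != errAuthorizationSuccess) return;
    if (AuthorizationRightGet(kWriteConfigRight, NULL) == errAuthorizationDenied) {
        AuthorizationRightSet(auth, kWriteConfigRight, CFSTR(kAuthorizationRuleAuthenticateAsAdmin),
                              CFSTR("Modify the AFS client configuration."), NULL, NULL);
    }
    AuthorizationFree(auth, kAuthorizationFlagDefaults);
}

// Check 1: is the connecting process the signed client we expect?
- (BOOL)listener:(NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConnection *)conn {
    if (@available(macOS 13.0, *)) {
        // Public API: Foundation checks the sender of every message against
        // the requirement and invalidates the connection on mismatch.
        [conn setCodeSigningRequirement:kClientRequirement];
    } else {
        // macOS 11/12: the peer's audit token is only reachable through KVC
        // (not public API); validate the code behind it ourselves.
        NSData *token = [conn valueForKey:@"auditToken"];
        if (token.length != sizeof(audit_token_t) ||
            ![Helper codeForAuditToken:token satisfies:kClientRequirement]) return NO;
    }
    conn.exportedInterface = [NSXPCInterface interfaceWithProtocol:@protocol(HelperProtocol)];
    conn.exportedObject = self;
    [conn resume];
    return YES;
}

+ (BOOL)codeForAuditToken:(NSData *)token satisfies:(NSString *)requirementText {
    SecRequirementRef req = NULL;
    if (SecRequirementCreateWithString((__bridge CFStringRef)requirementText,
                                       kSecCSDefaultFlags, &req) != errSecSuccess) return NO;
    NSDictionary *attrs = @{ (__bridge NSString *)kSecGuestAttributeAudit : token };
    SecCodeRef code = NULL;
    OSStatus st = SecCodeCopyGuestWithAttributes(NULL, (__bridge CFDictionaryRef)attrs,
                                                 kSecCSDefaultFlags, &code);
    if (st == errSecSuccess) st = SecCodeCheckValidity(code, kSecCSDefaultFlags, req);
    if (code) CFRelease(code);
    CFRelease(req);
    return st == errSecSuccess;
}

// Check 2: does this particular request carry a valid admin authorization?
+ (BOOL)authorization:(NSData *)external grantsRight:(const char *)rightName {
    if (external.length != sizeof(AuthorizationExternalForm)) return NO;
    AuthorizationRef auth = NULL;
    if (AuthorizationCreateFromExternalForm(external.bytes, &auth) != errAuthorizationSuccess) return NO;
    AuthorizationItem item = { rightName, 0, NULL, 0 };
    AuthorizationRights rights = { 1, &item };
    // ExtendRights: actually obtain the right. InteractionAllowed: authd may
    // prompt the user; the dialog appears in the client's login session.
    OSStatus st = AuthorizationCopyRights(auth, &rights, kAuthorizationEmptyEnvironment,
        kAuthorizationFlagExtendRights | kAuthorizationFlagInteractionAllowed, NULL);
    AuthorizationFree(auth, kAuthorizationFlagDefaults);
    return st == errAuthorizationSuccess;
}

- (void)writeConfigFile:(NSString *)path contents:(NSData *)contents
          authorization:(NSData *)authExternalForm reply:(void (^)(NSError *))reply {
    NSError *err = nil;
    if (![Helper authorization:authExternalForm grantsRight:kWriteConfigRight]) {
        err = [NSError errorWithDomain:NSOSStatusErrorDomain code:errAuthorizationDenied userInfo:nil];
    } else {
        [contents writeToFile:path options:NSDataWritingAtomic error:&err];
    }
    reply(err);
}
@end

int main(void) {
    @autoreleasepool {
        [Helper installRightIfNeeded];
        Helper *helper = [Helper new];
        // The label must match a MachServices entry in the helper's launchd plist.
        NSXPCListener *listener = [[NSXPCListener alloc] initWithMachServiceName:kHelperMachService];
        listener.delegate = helper;
        [listener resume];
        [[NSRunLoop currentRunLoop] run];
    }
    return 0;
}
```

On the client side the authorization blob is produced with AuthorizationCreate
(no rights, default flags) followed by AuthorizationMakeExternalForm, and the
resulting 32 bytes are sent with every request; the helper never trusts the
client's claim of being authorized, it re-evaluates the right itself. A
production helper would additionally restrict the path argument to the
client's own configuration directory, so that even an authorized admin
request cannot be turned into an arbitrary root file write.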


Sincerely,

Sine Nomine Associates


-- 
Michael Meffie <mmeffie@sinenomine.net>
