[Aide] CVE-2021-45417 - aide (>= 0.13 <= 0.17.3): heap-based buffer overflow vulnerability in base64 functions

Hannes von Haugwitz hannes at vonhaugwitz.com
Thu Jan 20 16:18:00 EET 2022 

Summary
=======

David Bouman discovered a heap-based buffer overflow vulnerability in base64
functions of AIDE, an advanced intrusion detection system. An attacker could
crash the program and possibly execute arbitrary code through large (<16k)
extended file attributes or ACL. A local user might exploit this flaw for root
privilege escalation.

Project
=======

AIDE (https://aide.github.io)

Affected versions
=================

AIDE >= 0.13, <= 0.17.3

CVE ID
======

CVE-2021-45417

Proof of concept
================

To take advantage of the flaw the user needs write access to a mounted file
system that supports large enough extended attributes (e.g. XFS) or ACL (e.g.
tmpfs).

AIDE needs to be compiled with --with-xattr or --with-posix-acl configure flag
(this is the case for most distributions).

# extended attributes on XFS filesystem

    $ touch user-file; xattr -w user.comment "$(for i in {1..40000} ; do printf '%c' A ; done)" user-file
    # aide --config=/dev/null --after "$(pwd)/user-file xattrs" --after "database_out=file:/dev/null" --init

# ACL on tmpfs file system

    $ touch user-file; for i in {1000..2000} ; do setfacl -m u:${i}:r user-file ; done
    # aide --config=/dev/null --after "$(pwd)/user-file acl" --after "database_out=file:/dev/null" --init

Analysis
========

The vulnerability is caused by a fixed buffer size (16384 in
src/base64.h[base.h]) in the encode_base64/decode_base64 functions[base64.c].
Initially this was safe as the base64 functions were only used for
encoding/decoding of the calculated hashsums. However since the addition of
extended file attribute and ACL support in AIDE 0.13 encode_base64 is also used
for encoding xattr and ACL values before writing them to the database.

This allows a user to create a file with a large extended attribute value or
large ACL causing aide (ussaly triggered by cron as root) to segfault.

The issue is fixed by precalculating the size of the return buffer depending on
the input in the encode_base64/decode_base64 functions.

[base64.h] https://github.com/aide/aide/blob/v0.17.3/include/base64.h#L38
[base64.c] https://github.com/aide/aide/blob/v0.17.3/src/base64.c

Mitigation
==========

Upgrade to AIDE v0.17.4 (only containing the fix for this issue) [v0.17.4]

Alternatively apply one of the provided patches:

aide-0.17-cve-2021-45417.patch: patch for 0.17.x
aide-0.16-cve-2021-45417.patch: patch for 0.16.x (backported for Debian oldstable)

Though not tested the patch for 0.16.x might also apply for earlier releases < 0.16.

If you cannot upgrade, consider removing `acl` and `xattrs` groups from rules
matching files on affected file systems.

[v0.17.4] https://github.com/aide/aide/releases/tag/v0.17.4

Credit
======

The issue was reported by David Bouman.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: aide-0.16-cve-2021-45417.patch
Type: text/x-diff
Size: 3034 bytes
Desc: not available
URL: <http://www.ipi.fi/pipermail/aide/attachments/20220120/7482ce11/attachment.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: aide-0.17-cve-2021-45417.patch
Type: text/x-diff
Size: 3163 bytes
Desc: not available
URL: <http://www.ipi.fi/pipermail/aide/attachments/20220120/7482ce11/attachment-0001.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
URL: <http://www.ipi.fi/pipermail/aide/attachments/20220120/7482ce11/attachment.sig>

More information about the Aide mailing list