All users should eventually upgrade to 4.04.2 from 4.04.0 and 4.04.1.
Any user who produces setuid programs with OCaml should read the CVE
and upgrade immediately.
and
CVE-2017-9772: Privilege escalation in OCaml runtime for SUID executables
The environment variables CAML_CPLUGINS, CAML_NATIVE_CPLUGINS, and
CAML_BYTE_CPLUGINS can be used to auto-load code into any ocamlopt-compiled
executable or any ocamlc-compiled executable in ‘custom runtime mode’.
This can lead to privilege escalation if the executable is marked setuid.
Vulnerable versions: OCaml 4.04.0 and 4.04.1
Workarounds:
Upgrade to OCaml 4.04.2 or higher.
or - Compile the OCaml distribution with the “-no-cplugins” configure option.
or - OPAM users can “opam update && opam switch recompile 4.04.1”, as
the repository has had backported patches applied.
Impact: This only affects binaries that have been installed on Unix-like
operating systems (including Linux and macOS) with the setuid bit set.
However, in that situation, any user who execute the program gains all
the privileges of the owner of the executable (meaning that root-owned
setuid executables provide root access).
Fix: OCaml 4.04.2 mitigates this by modifying Sys.getenv and Unix.getenv
to raise an exception if the process has ever had elevated privileges.
The OCaml runtime has also been modified to use this function for
retrieving all of the runtime environment variables which could potentially
cause files to be accessed or modified. The older behaviour is available
in Sys.unsafe_getenv for applications that require strict compatibility.
See the full original post for credits and details.
thanks for posting this @antron. Would you mind editing the body of the post here to include the full body of the CVE text? It contains important information about the vulnerability. I have taken the liberty of editing the title to reflect the specific nature of the security flaw in the meanwhile.
Thanks, I’ve done so. I’m not sure what the right thing to do here is. You’re welcome to edit the post further if you think more of the message should be included, or I can do it on demand.
There also seems to be a bit of a discussion brewing about the wisdom of the CPLUGINS environment variable. From Alexey Egorov:
Why the CPLUGINS feature is enabled by default AND completely undocumented?
Loading code to my app based on some unknown environment variable by_default already seems like a vulnerability to me.
Thanks! Generally when posting about security issues, including non-snipped details is encouraged. The CVE contains details about impact, workarounds and affected versions that provides important context. Most users are thankfully not affected by this issue as it only impacts suid binaries.
There also seems to be a bit of a discussion brewing about the wisdom of the CPLUGINS environment variable.
If I can make a meta-comment, I think that the security issue stings and burns for everyone that was even remotely involved in the process (or didn’t get involved and now wonder if they should feel responsible for not looking and not noticing the issue), and I’m not sure that starting a discussion on (rather obvious, and already previously raised) reservations about the feature is a great move. It is easy to be a bit too snarky with hindsight.
(Of course it shall be important and interesting to start a conversation on having processes in place to avoid such issues in the future, and in fact I’m going to do just that.)
I highlighted the CPLUGINS note because I was not aware of this environment variable until I Alexey Egorov posted it, and I believe a number of other people on Discourse would be interested to know that it exists. It has nothing to do with snark, though I can’t speak for anyone else that may have wanted to comment.
So, it wasn’t obvious. Perhaps it would be nice to get a link to where it was previously raised or otherwise discussed?