SAP Business One Hana (Chef Cookbook) - Incorrect Permission Assignment for Critical Resources - Root Privilege Escalation Vulnerability
CVE-2021-27614
7.3
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H
SICK-2021-028
SAP
SAP Business One Hana Chef Cookbooks
0.1.9 and below
8.82, 9.0, 9.1, 9.2, 9.3, 10.0
A vulnernability in the server setup ruby script for SAP Business One Hana Chef Cookbook versions 0.1.9 and below recursively assigns overpermissive folders for the installation folder as globally read/write. A local authenticated attacker, can read or write to any of the SAP Business One core installation files which are all owned by root. While an earlier command sets the sticky-bit to 0, a subsequent shell command recursively re-permissions all installation files as globally read/write, allowing a local authenticated attacker full access to the SAP Business One HANA installation system.
Vendor: SAP Business One Hana Chef Cookbook, versions - 8.82, 9.0, 9.1, 9.2, 9.3, 10.0, used to install SAP Business One on SAP HANA, allows an attacker to inject code that can be executed by the application. An attacker could thereby control the behaviour of the application thereby highly impacting the integrity and availability of the application.
Vendor has fixed the vulnerability, published a patch, and deprecated the repository.
In the ruby installation setup script recipes/server.rb
An installation directory is created:
directory "#{v_installerlocalfolder}" do
owner "root"
group "root"
mode 0777
recursive true
not_if { ::File.exist?("#{v_installerlocalfolder}") }
endThe folder and files are subsequently re-permissioned with global read/write privileges.
bash 'set permissions of copied folder' do
cwd ::File.dirname("#{v_installerlocalfolder}")
code <<-EOH
chmod -R 777 .
EOH
only_if { ::File.exists?("#{v_installerlocalfolder}") }
endAnd again:
bash 'set permissions for extracted files' do
cwd ::File.dirname("#{v_installerlocalfolder}")
code <<-EOH
chmod -R 777 *
EOH
only_if { ::File.exists?("#{v_installerlocalfolder}") }
endOne such file is:
./getServerDbVersion.sh
This file is small:
templates/default/getServerDbVersion.sh.erb
s_serverversion="$(rpm -qa | grep B1ServerToolsSLD)"
s_dbversion=${s_serverversion:17:7}
s_dbversion=${s_dbversion/./}
echo "${s_dbversion}" >> SERVER_INSTALLED_"${s_dbversion}"However, the script is owned by root, and executed by root.
template "#{v_installerlocalfolder}/getServerDbVersion.sh" do
source "getServerDbVersion.sh.erb"
mode 0777
endAlthough the stick-bit is readable, an attacker can create /SERVER_INSTALLED_#{v_dbversion}" files inside the public directory, which may force the execution of a series of root privileged scripts.
Since this shell file is owned by root, there exists both a race condition whereby a lower privileged user can create ./getServerDbVersion.sh before root which would subsequently be executed by root.
execute "Validate B1 Server Install" do
cwd "#{v_installerlocalfolder}"
command "sh ./getServerDbVersion.sh"
not_if { ::File.exists?("#{v_installerlocalfolder}/SERVER_INSTALLED_#{v_dbversion}")}
end- 2021-04-12 - Researcher discover vulnerabilities
- 2021-04-15 - Vendor deprecates repository
- 2021-05-10 - Vendor assigns CVE-2021-27614
- 2021-05-11 - Vendor publishes advisory
- 2021-06-08 - Researcher publishes advisory
https://launchpad.support.sap.com/#/notes/3049661
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=576094655
https://github.com/SAP/business-one-hana-chef-cookbook
https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-028.md
https://sick.codes/sick-2021-028
Sick Codes: https://github.com/sickcodes || https://twitter.com/sickcodes
Miklos Zoltan: https://twitter.com/mzb4455 || https://www.privacyaffairs.com/authors/miklos/
https://sick.codes/sick-2021-028
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27614