Leeloo Multipath: Authorization bypass and symlink attack in multipathd (CVE-2022-41974 and CVE-2022-41973)

Bharat Jogi

Last updated on: November 16, 2022

The Qualys Research Team has discovered two vulnerabilities in multipathd, the most important of which can be exploited for authorization bypass. Qualys recommends security teams apply patches for these vulnerabilities as soon as possible.

The Qualys Research Team combined these two vulnerabilities with the third vulnerability in another package installed by default on Ubuntu Server and obtained full root privileges on Ubuntu Server 22.04; other releases are probably also exploitable. We will publish this third vulnerability, and the complete details of this local privilege escalation, in an upcoming advisory next month.

About multipathd

The multipathd daemon oversees checking for failed paths. When this happens, it will reconfigure the multipath map the path belongs to so that this map regains its maximum performance and redundancy. The multipathd daemon runs as a root in the default installation of  Linux Operating Systems like Ubuntu Server.

Potential Impact of Leeloo Multipath

Successful exploitation of the three vulnerabilities allows any unprivileged user to gain root privileges on the vulnerable host. Qualys security researchers have independently verified the vulnerability, developed an exploit and obtained full root privileges on default installations of Ubuntu.

As soon as the Qualys Research Team confirmed the vulnerability, we engaged in responsible vulnerability disclosure and coordinated with vendors and open-source distributions to announce this newly discovered vulnerability.

Technical Details of Leeloo Multipath

The technical details of Leeloo Multipath vulnerabilities can be found at:

https://www.qualys.com/2022/10/24/leeloo-multipath/leeloo-multipath.txt

Disclosure Timeline:

  • 2022-08-24: Advisory sent to security@suse
  • 2022-10-10: Advisory and patches sent to linux-distros@openwall
  • 2022-10-24: Coordinated Release Date (15:00 UTC)

Qualys QID Coverage

Qualys is releasing the QIDs in the table below as they become available, starting with vulnsigs version VULNSIGS-2.5.615-2 and in Linux Cloud Agent manifest version lx_manifest-2.5.615.2-1

QIDTitle
752706 SUSE Enterprise Linux Security Update for multipath-tools (SUSE-SU-2022:3711-1)
752707 SUSE Enterprise Linux Security Update for multipath-tools (SUSE-SU-2022:3710-1)
752709 SUSE Enterprise Linux Security Update for multipath-tools (SUSE-SU-2022:3709-1)
752711 SUSE Enterprise Linux Security Update for multipath-tools (SUSE-SU-2022:3708-1)
752703 SUSE Enterprise Linux Security Update for multipath-tools (SUSE-SU-2022:3707-1)
752704 SUSE Enterprise Linux Security Update for multipath-tools (SUSE-SU-2022:3713-1)
752705 SUSE Enterprise Linux Security Update for multipath-tools (SUSE-SU-2022:3712-1)
752706 SUSE Enterprise Linux Security Update for multipath-tools (SUSE-SU-2022:3711-1)
752707 SUSE Enterprise Linux Security Update for multipath-tools (SUSE-SU-2022:3710-1)
752709 SUSE Enterprise Linux Security Update for multipath-tools (SUSE-SU-2022:3709-1)
160167 Oracle Enterprise Linux Security Update for device-mapper-multipath (ELSA-2022-7186)
752711 SUSE Enterprise Linux Security Update for multipath-tools (SUSE-SU-2022:3708-1)
752703 SUSE Enterprise Linux Security Update for multipath-tools (SUSE-SU-2022:3707-1)
240785 Red Hat Update for device-mapper-multipath (RHSA-2022:7186)
240788 Red Hat Update for device-mapper-multipath (RHSA-2022:7185)
240789 Red Hat Update for device-mapper-multipath (RHSA-2022:7188)
240790 Red Hat Update for device-mapper-multipath (RHSA-2022:7192)

Please check Qualys Vulnerability Knowledgebase for the full list of coverage for these vulnerabilities.

Discover Vulnerable Linux Servers Using Qualys VMDR

The following instructs current Qualys customers on how to detect Leeloo Multipath in their environment.

Identify Assets Running Ubuntu Operating System

The first step in managing this critical vulnerability and reducing risk is identification of all assets running Linux OS. Qualys VMDR makes it easy to identify such assets.

operatingSystem.name:”Linux”

Once the hosts are identified, they can be grouped together with a ‘dynamic tag’; let’s say: “Linux Systems”. This helps by automatically grouping existing hosts with the above vulnerabilities as well as any new assets that spin up in your environment. Tagging makes these grouped assets available for querying, reporting, and management throughout Qualys Cloud Platform.

Prioritize Based on RTIs

Using Qualys VMDR, the Leeloo Multipath vulnerability can be prioritized using the following real-time threat indicators (RTIs):

  • Predicted_High_Risk
  • Privilege_Escalation
  • Easy_Exploit
  • High_Lateral_Movement

Patch With Qualys VMDR

We expect vendors to release patches for this vulnerability in the short term. Qualys Patch Management can be used to deploy those patches to vulnerable assets, when available.

Using the same prioritization based on RTI method as described above, customers can use the “patch now” button found to the right of the vulnerability to add Leeloo Multipath to a patch job. Once patches are released, Qualys will find the relevant patches for this vulnerability and automatically add those patches to a patch job. This will allow customers to deploy those patches to vulnerable devices, all from Qualys Cloud Platform.

Gain exposure visibility and remediation tracking with Unified Dashboard

With the Qualys Unified Dashboard, you can track the vulnerability exposure within your organization and view your impacted hosts, their status, distribution across environments and overall management in real-time, allowing you to see your MTTR.  “Leeloo Multipath” Dashboard.

View and download the “Leeloo Multipath” dashboard

Vendor References 

https://www.qualys.com/2022/10/24/leeloo-multipath/leeloo-multipath.txt

Frequently Asked Questions (FAQs) 

Will the Qualys Research Team publish exploit code for this vulnerability?  

No. Not at this time. 

Are there any mitigations for this vulnerability? 

No. 

Is this vulnerability remotely exploitable? 

No. But if an attacker can log in as an unprivileged user, the vulnerability can be quickly exploited to gain root privileges.  

Why is the vulnerability named “Leeloo Multipath”? 

This is a pun/reference to “Leeloo Multipass” (which is actually related to authentication and authorization) from the movie “The Fifth Element”. 

https://en.wikipedia.org/wiki/The_Fifth_Element

What is the maximum impact of these vulnerabilities? 

An attacker who has unprivileged access to an unpatched Linux system can exploit these vulnerabilities to obtain full root privileges; i.e., this is a Local Privilege Escalation to administrator privileges. 

What can an attacker do with these vulnerabilities? 

The first vulnerability is an authorization bypass (CVE-2022-41974) that allows an unprivileged attacker to trigger the second vulnerability, a symlink attack (CVE-2022-41973). This allows the attacker to create files and directories in arbitrary places of the filesystem. 

How would an attacker exploit these vulnerabilities? 

To the best of our knowledge, these two vulnerabilities are not powerful enough to lead to full root privileges on their own. However, we were able to combine them with a third vulnerability that we discovered in another package, and obtained full root privileges on Ubuntu Server. 

 We will publish this third vulnerability, and hence this complete exploit chain (of these three otherwise unexploitable vulnerabilities), in an upcoming advisory. 

Should organizations patch these vulnerabilities urgently? 

No, not urgently, since this is a Local Privilege Escalation that (to the best of our knowledge) requires an additional vulnerability to be successfully exploited. Nonetheless, since this additional vulnerability will become public in a few weeks, the multipathd vulnerabilities should be patched as part of a normal patch management life cycle. 

Are there any mitigations that organizations can apply for these vulnerabilities in case they are not able to patch? 

To the best of our knowledge, no. 

Do these vulnerabilities affect only SuSE Operating System? If no, why was disclosed to the SUSE Security Team? 

These vulnerabilities affect all Linux distributions; multipathd is a common Linux daemon, especially on servers. For example, our complete exploit chain targets the default installation of Ubuntu Server. We contacted the SUSE Security Team because one of multipathd’s most active developers works for SUSE, so they were able to put us in direct contact with him, via encrypted email. 

Contributors:

  • Felix Jimenez Director of Product Management
  • Saeed Abbasi Manager, Vulnerability Signatures
Share your Comments

Comments

Your email address will not be published.