Gerbera Privilege Escalation Vulnerability in openSUSE Tumbleweed

Vulnerability

A vulnerability allowing privilege escalation from the gerbera service user to root has been identified in the openSUSE Tumbleweed package gerbera, prior to version 2.5.0-1.1. The issue arises from incorrect default permissions that allow the gerbera user to manipulate files in the /etc/gerbera directory while the root user is performing package management tasks, creating a window of opportunity for unauthorized access to root privileges.

Impact

Exploitation of this vulnerability allows the gerbera user to gain root access, potentially leading to unauthorized system modifications or control.

Reproduction

The vulnerability can be reproduced by forcing a reinstallation of the gerbera package as the root user. During the installation, the gerbera service user can create a symbolic link in the /etc/gerbera directory that points to a file in the root user's home directory. Once the link is established, the gerbera user can wait for the root user to initiate the %post installation script, which processes the gerbera configuration files. When this happens, the linked file will be overwritten with a command that, when executed, creates a file in the root directory, effectively demonstrating unauthorized root access.

Remediation

The ownership of the /etc/gerbera directory and its files should be changed to root. Alternatively, if the %post script is necessary, the directory can be temporarily owned by root during the script execution and then returned to the gerbera user afterwards.
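The remediation above comes down to keeping root in control of what a root-run %post script reads and writes. As an added example that is not part of the gerbera package or of this advisory, the POSIX shell helpers below audit a config directory for the two conditions the writeup turns on (entries not owned by root, and planted symlinks) and show a write routine that refuses to follow a link; the directory path, the expected owner uid and GNU coreutils stat/mktemp are assumptions.

```shell
#!/bin/sh
# Added example (not from the gerbera package or the openSUSE advisory):
# defensive helpers a root-run %post script could call before touching files
# in a service-owned directory such as /etc/gerbera. Assumes GNU coreutils
# (stat -c, mktemp); the directory path and owner uid are parameters.

# Report every entry in $1 that is a symlink or not owned by uid $2 (default
# 0, i.e. root). Returns 0 only when the directory and all entries are clean.
audit_confdir() {
    dir=$1
    owner=${2:-0}
    rc=0
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "UNSAFE: $dir is a symlink or not a directory"
        return 1
    fi
    [ "$(stat -c %u "$dir")" = "$owner" ] ||
        { echo "UNSAFE: $dir is not owned by uid $owner"; rc=1; }
    # Three globs cover plain and dotfile names without matching . or ..
    for f in "$dir"/* "$dir"/.[!.]* "$dir"/..?*; do
        [ -e "$f" ] || [ -L "$f" ] || continue      # glob matched nothing
        if [ -L "$f" ]; then
            echo "UNSAFE: $f is a symlink to $(readlink "$f")"
            rc=1
        elif [ "$(stat -c %u "$f")" != "$owner" ]; then
            echo "UNSAFE: $f is not owned by uid $owner"
            rc=1
        fi
    done
    return $rc
}

# Replace the contents of config file $1 with $2, refusing to follow a
# symlink and writing through a temp file plus rename so the existing path
# is never opened for writing in place. Returns 1 and changes nothing when
# $1 is a symlink.
safe_write() {
    target=$1
    content=$2
    if [ -L "$target" ]; then
        echo "REFUSED: $target is a symlink" >&2
        return 1
    fi
    tmp=$(mktemp "$(dirname "$target")/.tmp.XXXXXX") || return 1
    printf '%s\n' "$content" > "$tmp" && mv -f "$tmp" "$target"
}
```

Run the audit against /etc/gerbera (with owner 0) at the top of a %post script and abort the config rewrite if it returns non-zero.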

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 4.2
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.