libblockdev Local Privilege Escalation Vulnerability via udisks
Vulnerability
A local privilege escalation vulnerability has been identified in libblockdev, a library for managing block devices. This vulnerability allows an 'allow_active' user to escalate privileges to root by exploiting the udisks daemon. Typically, udisks mounts user-supplied filesystem images with security flags that prevent privilege escalation. However, an attacker can create a malicious XFS image with a SUID-root shell and manipulate udisks into resizing it. The resize mounts the attacker's filesystem with root privileges and without those flags, so the SUID-root shell can be executed, giving full control over the system.
Impact
Exploitation of this vulnerability allows for local privilege escalation, with an 'allow_active' user gaining root privileges on the system.
Reproduction
The vulnerability can be reproduced by an 'allow_active' user who creates a specially crafted XFS image containing a SUID-root shell. This user can then trick the udisks daemon into resizing the image, which mounts it with root privileges. Once the malicious filesystem is mounted, the SUID-root shell can be executed, leading to full control of the system.
Remediation
Users can upgrade to libblockdev version 2.25-2+deb11u1, which is available in the Debian 11 bullseye repository. Additionally, updated udisks2 packages are being released to ensure that private mounts are mounted with 'nodev,nosuid'.
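As a check to go with the 'nodev,nosuid' remediation above, the following added example (not part of the original advisory or of the libblockdev/udisks code) audits a mount table for block-device mounts that lack either flag. The function names, the allowlist of expected mount points and the sample table are assumptions constructed for illustration.

```python
"""Audit a mount table for block-device mounts lacking nosuid/nodev."""
import re

REQUIRED = {"nosuid", "nodev"}
# Assumption: mount points where the administrator expects SUID binaries.
EXPECTED_SUID_OK = {"/", "/boot", "/boot/efi", "/usr", "/var", "/home"}

# Constructed sample in /proc/self/mounts format (not taken from a real host).
SAMPLE_MOUNTS = """\
/dev/sda2 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sda1 /boot/efi vfat rw,relatime,fmask=0077 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sdb1 /media/alice/USB\\040DISK vfat rw,nosuid,nodev,relatime,uid=1000 0 0
/dev/loop3 /tmp/example-private-mount xfs rw,relatime,attr2,inode64 0 0
/dev/loop4 /media/alice/img ext4 rw,nosuid,relatime 0 0
"""

def unescape(field):
    # The kernel writes space, tab, newline and backslash as \ooo octal escapes.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def audit(mount_table, allow=EXPECTED_SUID_OK):
    """Return (source, target, fstype, missing_flags) for each risky mount."""
    findings = []
    for line in mount_table.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        source, target, fstype = parts[0], unescape(parts[1]), parts[2]
        opts = set(parts[3].split(","))
        # Only block-device-backed mounts outside the allowlist are of interest.
        if not source.startswith("/dev/") or target in allow:
            continue
        missing = sorted(REQUIRED - opts)
        if missing:
            findings.append((source, target, fstype, missing))
    return findings

if __name__ == "__main__":
    try:
        with open("/proc/self/mounts") as f:
            table = f.read()
    except OSError:
        table = SAMPLE_MOUNTS  # fall back to the constructed sample
    for source, target, fstype, missing in audit(table):
        print(f"{target} ({fstype} on {source}) is missing: {','.join(missing)}")
```

A mount made only for the duration of a resize is short-lived, so a one-off run can miss it; running the check periodically or from a mount-event hook gives better coverage.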
