haveged Privilege Escalation Vulnerability via Command Socket

Vulnerability

A privilege escalation vulnerability has been identified in haveged, the Linux entropy daemon, affecting all versions with command socket support (1.9.14 and later). The issue lies in the socket_handler function, which performs a credential check on the abstract UNIX socket used for entropy commands. The function correctly identifies non-root peers and sends a negative acknowledgment, but it does not stop processing the request afterwards. Because execution falls through past the check, an unprivileged local user can send privileged commands, such as MAGIC_CHROOT, through the socket, and the root-running daemon executes them.

Impact

Exploitation of this vulnerability allows local unprivileged users to execute privileged commands via the command socket, potentially leading to unauthorized actions being performed by the root user.

Reproduction

The vulnerability can be reproduced by connecting to the haveged command socket as a non-root user. The socket_handler function sends its negative acknowledgment but does not abort handling of the request, so commands sent by the user are still executed by the daemon with root privileges.

Remediation

Users can update to haveged version 1.9.21, which addresses this vulnerability by properly handling the UID check and preventing unauthorized command execution. Instructions for updating can be found in the SUSE Update Announcement.
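To make the defect described above concrete, here is an added illustration (not haveged's code, and not taken from the 1.9.21 fix) of the two shapes a peer-credential check can take in a command handler. The peer uid is assumed to have already been obtained from the kernel (on Linux, typically via SO_PEERCRED on the UNIX socket); the command set, the "ACK"/"NAK" replies and the CMD_CHROOT stand-in for MAGIC_CHROOT are constructed for the example. The vulnerable form sends the NAK and then keeps dispatching; the hardened form fails closed by returning before any dispatch.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical command set; CMD_CHROOT stands in for the root-only
 * MAGIC_CHROOT command mentioned in the advisory (real values not used). */
enum cmd { CMD_NONE = 0, CMD_STATUS, CMD_CHROOT };

/* Outcome of handling one request, returned so a caller or test can inspect it. */
struct outcome {
    char reply[8];           /* what the client was sent back: "ACK" or "NAK" */
    int privileged_executed; /* 1 if a root-only action ran */
};

static int is_privileged(enum cmd c) { return c == CMD_CHROOT; }

/* Vulnerable pattern: the uid check only sends a NAK and falls through.
 * peer_uid is assumed to come from the kernel (e.g. SO_PEERCRED). */
static struct outcome socket_handler_vulnerable(uid_t peer_uid, enum cmd c)
{
    struct outcome o = { "", 0 };
    if (peer_uid != 0)
        snprintf(o.reply, sizeof o.reply, "NAK"); /* bug: no return here */
    /* dispatch continues regardless of the check above */
    if (is_privileged(c))
        o.privileged_executed = 1; /* stand-in for the root-only action */
    if (o.reply[0] == '\0')
        snprintf(o.reply, sizeof o.reply, "ACK");
    return o;
}

/* Hardened form: reject and stop before any command is dispatched. */
static struct outcome socket_handler_fixed(uid_t peer_uid, enum cmd c)
{
    struct outcome o = { "", 0 };
    if (peer_uid != 0) {
        snprintf(o.reply, sizeof o.reply, "NAK");
        return o; /* stop processing this request */
    }
    if (is_privileged(c))
        o.privileged_executed = 1;
    snprintf(o.reply, sizeof o.reply, "ACK");
    return o;
}

int main(void)
{
    /* Constructed scenario: an unprivileged peer (uid 1000) sends CMD_CHROOT. */
    struct outcome v = socket_handler_vulnerable(1000, CMD_CHROOT);
    struct outcome f = socket_handler_fixed(1000, CMD_CHROOT);
    printf("vulnerable: reply=%s privileged_executed=%d\n", v.reply, v.privileged_executed);
    printf("fixed:      reply=%s privileged_executed=%d\n", f.reply, f.privileged_executed);
    return 0;
}
```

The point a reviewer or auditor looks for is that a failed authorization check must end the request, not just report it; with the vulnerable shape both the client's NAK and the root-only action happen, which is exactly the condition the advisory describes.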

Added: May 20, 2026, 10:22 AM
Updated: May 20, 2026, 10:22 AM

Vulnerability Rating

Custom Algorithm

  spread          0.0
  impact          7.5
  exploitability  4.6
  remediation     0.0
  relevance       8.9
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.