ID CVE-2016-5410
Summary firewalld.py in firewalld before 0.4.3.3 allows local users to bypass authentication and modify firewall configurations via the (1) addPassthrough, (2) removePassthrough, (3) addEntry, (4) removeEntry, or (5) setEntries D-Bus API method.
References
Vulnerable Configurations
  • cpe:2.3:a:firewalld:firewalld:0.4.3.2
    cpe:2.3:a:firewalld:firewalld:0.4.3.2
  • RedHat Enterprise Linux HPC Node 7.0
    cpe:2.3:o:redhat:enterprise_linux_hpc_node:7.0
  • RedHat Enterprise Linux Desktop 7.0
    cpe:2.3:o:redhat:enterprise_linux_desktop:7.0
  • RedHat Enterprise Linux Server 7.0
    cpe:2.3:o:redhat:enterprise_linux_server:7.0
  • RedHat Enterprise Linux Workstation 7.0
    cpe:2.3:o:redhat:enterprise_linux_workstation:7.0
CVSS
Base: 2.1 (as of 22-04-2017 - 15:10)
Impact:
Exploitability:
CWE CWE-287
CAPEC
  • Authentication Abuse
    An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation. In such an attack an authentication mechanism is functioning but a carefully controlled sequence of events causes the mechanism to grant access to the attacker. This attack may exploit assumptions made by the target's authentication procedures, such as assumptions regarding trust relationships or assumptions regarding the generation of secret values. This attack differs from Authentication Bypass attacks in that Authentication Abuse allows the attacker to be certified as a valid user through illegitimate means, while Authentication Bypass allows the user to access protected material without ever being certified as an authenticated user. This attack does not rely on prior sessions established by successfully authenticating users, as relied upon for the "Exploitation of Session Variables, Resource IDs and other Trusted Credentials" attack patterns.
  • Exploiting Trust in Client (aka Make the Client Invisible)
    An attack of this type exploits a program's vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
  • Utilizing REST's Trust in the System Resource to Register Man in the Middle
    This attack utilizes a REST (REpresentational State Transfer)-style application's trust in the system resources and environment to place a man in the middle once SSL is terminated. The premise of REST applications is that they leverage existing infrastructure to deliver web services functionality. An example of this is a REST application that uses HTTP GET methods and receives an HTTP response with an XML document. These REST-style web services are deployed on existing infrastructure such as Apache and IIS web servers with no SOAP stack required. Unfortunately, from a security standpoint, there frequently is no interoperable identity security mechanism deployed, so REST developers often fall back to SSL to deliver security. In large data centers, SSL is typically terminated at the edge of the network: at the firewall, load balancer, or router. Once the SSL is terminated the HTTP request is in the clear (unless developers have hashed or encrypted the values, but this is rare). The attacker can utilize a sniffer such as Wireshark to snapshot the credentials, such as username and password, that are passed in the clear once SSL is terminated. Once the attacker gathers these credentials, they can submit requests to the web service provider just as authorized users do. There is not typically an authentication on the client side beyond what is passed in the request itself, so once this is compromised, it is generally sufficient to compromise the service's authentication scheme.
  • Man in the Middle Attack
    This type of attack targets the communication between two components (typically client and server). The attacker places himself in the communication channel between the two components. Whenever one component attempts to communicate with the other (data flow, authentication challenges, etc.), the data first goes to the attacker, who has the opportunity to observe or alter it, and it is then passed on to the other component as if it was never intercepted. This interposition is transparent, leaving the two compromised components unaware of the potential corruption or leakage of their communications. The potential for Man-in-the-Middle attacks yields an implicit lack of trust in communication or identity between two components.
Access
Vector LOCAL
Complexity LOW
Authentication NONE
Impact
Confidentiality NONE
Integrity PARTIAL
Availability NONE
nessus via4
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-DE55D2C2C9.NASL
    description - Fix CVE-2016-5410: Firewall configuration can be modified by any logged in user - firewall/server/firewalld: Make getXSettings and getLogDenied CONFIG_INFO - Update AppData configuration file. - tests/firewalld_rich.py: Use new import structure and FirewallClient classes - tests/firewalld_direct.py: Use new import structure - tests: firewalld_direct: Fix assert to check for True instead of False - tests: firewalld_config: Fix expected value when querying the zone target - tests: firewalld_config: Use real nf_conntrack modules - firewalld.spec: Added comment about make call for %build - firewall-config: Use also width_request and height_request with default size - Updated firewall-config screenshot - firewall-cmd: Fixed typo in help output (RHBZ#1367171) - test-suite: Ignore stderr to get default zone also for missing firewalld.conf - firewall.core.logger: Warnings should be printed to stderr per default - firewall.core.fw_nm: Ignore NetworkManager if NM.Client connect fails - firewall-cmd, firewallctl: Gracefully fail if SystemBus can not be acquired - firewall.client: Generate new DBUS_ERROR if SystemBus can not be acquired - test-suite: Do not fail on ALREADY_ENABLED --add-destination tests - firewall.command: ALREADY_ENABLED, NOT_ENABLED, ZONE_ALREADY_SET are warnings - doc/xml/firewalld.dbus.xml: Removed undefined reference - doc/xml/transform-html.xsl.in: Fixed references in the document - doc/xml/firewalld.{dbus,zone}.xml: Embed programlisting in para - doc/xml/transform-html.xsl.in: Enhanced html formatting closer to the man page - firewall: core: fw_nm: Instantiate the NM client only once - firewall/core/io/*.py: Do not traceback on a general sax parsing issue - firewall-offline-cmd: Fix --{add,remove}-entries-from-file - firewall-cmd: Add missing action to fix --{add,remove}-entries-from-file - firewall.core.prog: Do not output stderr, but return it in the error case - firewall.core.io.ifcfg.py: Fix ifcfg file reader and writer (RHBZ#1362171) - config/firewall.service.in: use KillMode=mixed - config/firewalld.service.in: use network-pre.target - firewall-config: Add missing gettext.textdomain call to fix translations - Add UDP to transmission-client.xml service - tests/firewall-[offline-]cmd_test.sh: Hide errors and warnings - firewall.client: Fix ALREADY_ENABLED errors in icmptype destination calls - firewall.client: Fix NOT_ENABLED errors in icmptype destination calls - firewall.client: Use {ALREADY,NOT}_ENABLED errors in icmptype destination calls - firewall.command: Add the removed FirewallError handling to the action (a17ce50) - firewall.command: Do not use query methods for sequences and also single options - Add missing information about MAC and ipset sources to man pages and help output - firewalld.spec: Add BuildRequires for libxslt to enable rebuild of man pages - firewall[-offline]-cmd, firewallctl, firewall.command: Use sys.{stdout,stderr} - firewallctl: Fix traceback if not connected to firewalld - firewall-config: Initialize value in on_richRuleDialogElementChooser_clicked - firewall.command: Convert errors to string for Python3 - firewall.command: Get proper firewall error code from D-BusExceptions - firewall-cmd: Fixed traceback without args - Add missing service files to Makefile.am - shell-completion: Add shell completion support for --{get,set}--{description,short} Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-02-01
    plugin id 93060
    published 2016-08-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93060
    title Fedora 24 : firewalld (2016-de55d2c2c9)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2016-2597.NASL
    description An update for firewalld is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. firewalld is a firewall service daemon that provides a dynamic customizable firewall with a D-Bus interface. The following packages have been upgraded to a newer upstream version: firewalld (0.4.3.2). (BZ#1302802) Security Fix(es) : * A flaw was found in the way firewalld allowed certain firewall configurations to be modified by unauthenticated users. Any locally logged in user could use this flaw to tamper or change firewall settings. (CVE-2016-5410) Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 94560
    published 2016-11-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94560
    title RHEL 7 : firewalld (RHSA-2016:2597)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2016-2597.NASL
    description From Red Hat Security Advisory 2016:2597 : An update for firewalld is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. firewalld is a firewall service daemon that provides a dynamic customizable firewall with a D-Bus interface. The following packages have been upgraded to a newer upstream version: firewalld (0.4.3.2). (BZ#1302802) Security Fix(es) : * A flaw was found in the way firewalld allowed certain firewall configurations to be modified by unauthenticated users. Any locally logged in user could use this flaw to tamper or change firewall settings. (CVE-2016-5410) Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.
    last seen 2019-02-21
    modified 2018-07-25
    plugin id 94716
    published 2016-11-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94716
    title Oracle Linux 7 : firewalld (ELSA-2016-2597)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-4DEDC6EC3D.NASL
    description - Fix CVE-2016-5410: Firewall configuration can be modified by any logged in user - firewall/server/firewalld: Make getXSettings and getLogDenied CONFIG_INFO - Update AppData configuration file. - tests/firewalld_rich.py: Use new import structure and FirewallClient classes - tests/firewalld_direct.py: Use new import structure - tests: firewalld_direct: Fix assert to check for True instead of False - tests: firewalld_config: Fix expected value when querying the zone target - tests: firewalld_config: Use real nf_conntrack modules - firewalld.spec: Added comment about make call for %build - firewall-config: Use also width_request and height_request with default size - Updated firewall-config screenshot - firewall-cmd: Fixed typo in help output (RHBZ#1367171) - test-suite: Ignore stderr to get default zone also for missing firewalld.conf - firewall.core.logger: Warnings should be printed to stderr per default - firewall.core.fw_nm: Ignore NetworkManager if NM.Client connect fails - firewall-cmd, firewallctl: Gracefully fail if SystemBus can not be acquired - firewall.client: Generate new DBUS_ERROR if SystemBus can not be acquired - test-suite: Do not fail on ALREADY_ENABLED --add-destination tests - firewall.command: ALREADY_ENABLED, NOT_ENABLED, ZONE_ALREADY_SET are warnings - doc/xml/firewalld.dbus.xml: Removed undefined reference - doc/xml/transform-html.xsl.in: Fixed references in the document - doc/xml/firewalld.{dbus,zone}.xml: Embed programlisting in para - doc/xml/transform-html.xsl.in: Enhanced html formatting closer to the man page - firewall: core: fw_nm: Instantiate the NM client only once - firewall/core/io/*.py: Do not traceback on a general sax parsing issue - firewall-offline-cmd: Fix --{add,remove}-entries-from-file - firewall-cmd: Add missing action to fix --{add,remove}-entries-from-file - firewall.core.prog: Do not output stderr, but return it in the error case - firewall.core.io.ifcfg.py: Fix ifcfg file reader and writer (RHBZ#1362171) - config/firewall.service.in: use KillMode=mixed - config/firewalld.service.in: use network-pre.target - firewall-config: Add missing gettext.textdomain call to fix translations - Add UDP to transmission-client.xml service - tests/firewall-[offline-]cmd_test.sh: Hide errors and warnings - firewall.client: Fix ALREADY_ENABLED errors in icmptype destination calls - firewall.client: Fix NOT_ENABLED errors in icmptype destination calls - firewall.client: Use {ALREADY,NOT}_ENABLED errors in icmptype destination calls - firewall.command: Add the removed FirewallError handling to the action (a17ce50) - firewall.command: Do not use query methods for sequences and also single options - Add missing information about MAC and ipset sources to man pages and help output - firewalld.spec: Add BuildRequires for libxslt to enable rebuild of man pages - firewall[-offline]-cmd, firewallctl, firewall.command: Use sys.{stdout,stderr} - firewallctl: Fix traceback if not connected to firewalld - firewall-config: Initialize value in on_richRuleDialogElementChooser_clicked - firewall.command: Convert errors to string for Python3 - firewall.command: Get proper firewall error code from D-BusExceptions - firewall-cmd: Fixed traceback without args - Add missing service files to Makefile.am - shell-completion: Add shell completion support for --{get,set}--{description,short} Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-02-01
    plugin id 94803
    published 2016-11-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94803
    title Fedora 25 : firewalld (2016-4dedc6ec3d)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2016-2597.NASL
    description An update for firewalld is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. firewalld is a firewall service daemon that provides a dynamic customizable firewall with a D-Bus interface. The following packages have been upgraded to a newer upstream version: firewalld (0.4.3.2). (BZ#1302802) Security Fix(es) : * A flaw was found in the way firewalld allowed certain firewall configurations to be modified by unauthenticated users. Any locally logged in user could use this flaw to tamper or change firewall settings. (CVE-2016-5410) Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 95343
    published 2016-11-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95343
    title CentOS 7 : firewalld (CESA-2016:2597)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20161103_FIREWALLD_ON_SL7_X.NASL
    description The following packages have been upgraded to a newer upstream version: firewalld (0.4.3.2). Security Fix(es) : - A flaw was found in the way firewalld allowed certain firewall configurations to be modified by unauthenticated users. Any locally logged in user could use this flaw to tamper or change firewall settings. (CVE-2016-5410) Additional Changes :
    last seen 2019-02-21
    modified 2018-12-28
    plugin id 95837
    published 2016-12-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95837
    title Scientific Linux Security Update : firewalld on SL7.x (noarch)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201701-70.NASL
    description The remote host is affected by the vulnerability described in GLSA-201701-70 (Firewalld: Improper authentication methods) A flaw in Firewalld allows any locally logged in user to tamper with or change firewall settings. This is due to how Firewalld handles authentication via polkit which is not properly applied to 5 particular functions to include: addPassthrough, removePassthrough, addEntry, removeEntry, and setEntries. Impact : A local attacker could tamper or change firewall settings leading to the additional exposure of systems to include unauthorized remote access. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-01-26
    plugin id 96856
    published 2017-01-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96856
    title GLSA-201701-70 : Firewalld: Improper authentication methods
redhat via4
advisories
bugzilla
id 1374799
title exclude firewallctl from firewalld v0.4.3.2 update
oval
AND
  • OR
    • comment Red Hat Enterprise Linux 7 Client is installed
      oval oval:com.redhat.rhba:tst:20150364001
    • comment Red Hat Enterprise Linux 7 Server is installed
      oval oval:com.redhat.rhba:tst:20150364002
    • comment Red Hat Enterprise Linux 7 Workstation is installed
      oval oval:com.redhat.rhba:tst:20150364003
    • comment Red Hat Enterprise Linux 7 ComputeNode is installed
      oval oval:com.redhat.rhba:tst:20150364004
  • OR
    • AND
      • comment firewall-applet is earlier than 0:0.4.3.2-8.el7
        oval oval:com.redhat.rhsa:tst:20162597013
      • comment firewall-applet is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20162597014
    • AND
      • comment firewall-config is earlier than 0:0.4.3.2-8.el7
        oval oval:com.redhat.rhsa:tst:20162597011
      • comment firewall-config is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20162597012
    • AND
      • comment firewalld is earlier than 0:0.4.3.2-8.el7
        oval oval:com.redhat.rhsa:tst:20162597009
      • comment firewalld is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20162597010
    • AND
      • comment firewalld-filesystem is earlier than 0:0.4.3.2-8.el7
        oval oval:com.redhat.rhsa:tst:20162597007
      • comment firewalld-filesystem is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20162597008
    • AND
      • comment python-firewall is earlier than 0:0.4.3.2-8.el7
        oval oval:com.redhat.rhsa:tst:20162597005
      • comment python-firewall is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20162597006
rhsa
id RHSA-2016:2597
released 2016-11-03
severity Moderate
title RHSA-2016:2597: firewalld security, bug fix, and enhancement update (Moderate)
rpms
  • firewall-applet-0:0.4.3.2-8.el7
  • firewall-config-0:0.4.3.2-8.el7
  • firewalld-0:0.4.3.2-8.el7
  • firewalld-filesystem-0:0.4.3.2-8.el7
  • python-firewall-0:0.4.3.2-8.el7
refmap via4
bid 92481
confirm
fedora
  • FEDORA-2016-4dedc6ec3d
  • FEDORA-2016-de55d2c2c9
gentoo GLSA-201701-70
mlist [oss-security] 20160816 firewalld: Firewall configuration can be modified by any logged in user
Last major update 25-04-2017 - 10:59
Published 19-04-2017 - 10:59