A security issue was found in the SecureDrop server environment during an internal code audit. SecureDrop 2.5.1 has been released to fix this issue; SecureDrop instances should update automatically within 24 hours. The vulnerability was not remotely exploitable and requires an attacker to already have code execution on the server.
The core issue was incorrect ownership of executable Python code in /var/www/securedrop. Because the directory was owned by the web application user, www-data, an attacker running as that user could edit the management script (manage.py) or any of its dependencies, and then trigger execution of the modified code as root through any of the several privileged paths that invoked it (cron jobs, OSSEC monitoring rules and the package postinstall script).
We have fixed the main permission issue by making all executable files writable only by root, and by de-privileging every command that does not require root permissions in the first place. www-data can no longer modify executable files, Python bytecode or the instance configuration. Cron jobs are now triggered from the www-data private crontab. In the OSSEC monitoring rules and the securedrop-app-code package postinstall script, every command that does not need elevated privileges is prefixed with sudo -u www-data, with particular attention paid to any read or write operation that could be vulnerable to symlink attacks (a root process that reads or writes a path inside a www-data-writable directory can be redirected by a symlink planted there).
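As an added example (not SecureDrop's own code or tooling), the following POSIX shell script shows the two checks a practitioner would want after a fix of this kind: an audit that lists files and directories in a code tree whose permission bits grant write access to anyone other than the owner, and a privileged write helper that refuses to follow a planted symlink. The directory layout, file names and the planted_link path are constructed here purely for illustration.

```shell
#!/bin/sh
# Added example, not SecureDrop's own code. It audits a code tree for the
# condition behind this advisory (executable code writable by a non-root
# user) and shows a privileged write that refuses to follow a symlink.
# All paths are constructed in a temporary directory so it runs offline.
set -eu

# Print every regular file or directory under $1 whose mode grants write
# access to group or others. A correctly deployed tree (root-owned,
# root-only-writable code) prints nothing. Ownership is not checked here
# because this demo cannot chown without root; on a real host add a second
# pass with: find "$1" ! -user root
audit_writable() {
    find "$1" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) | sort
}

# Number of findings, usable as a pass/fail gate in a package postinst or CI.
audit_writable_count() {
    audit_writable "$1" | wc -l | tr -d ' '
}

# Write $2 to $1 as a privileged user without following a symlink that a
# less-privileged user may have planted at that path. Returns 1 and writes
# nothing if $1 is a symlink. The check-then-write is still racy; the
# durable fix, as in the advisory, is to run such operations as the
# unprivileged user (sudo -u www-data) so a redirected write cannot
# clobber root-owned files.
safe_write() {
    if [ -L "$1" ]; then
        echo "refusing to write through symlink: $1" >&2
        return 1
    fi
    printf '%s\n' "$2" > "$1"
}

# Build a constructed, deliberately misconfigured tree that mimics the
# advisory's layout and print its path. Exactly two entries get flagged.
build_demo_tree() {
    umask 022
    demo_root=$(mktemp -d)
    mkdir -p "$demo_root/securedrop/__pycache__"
    printf 'print("manage")\n' > "$demo_root/securedrop/manage.py"   # 0644: fine
    printf 'SECRET = 1\n' > "$demo_root/securedrop/config.py"
    chmod o+w "$demo_root/securedrop/config.py"        # world-writable file: flagged
    chmod g+w "$demo_root/securedrop/__pycache__"      # group-writable dir: flagged
    printf 'root-owned target\n' > "$demo_root/target"
    ln -s "$demo_root/target" "$demo_root/planted_link"   # attacker's symlink
    printf '%s\n' "$demo_root"
}

# Stand-alone run: audit the tree, then attempt a legitimate and a redirected write.
if [ "${1:-}" = "demo" ]; then
    r=$(build_demo_tree)
    echo "writable entries under $r/securedrop:"
    audit_writable "$r/securedrop"
    safe_write "$r/securedrop/manage.py" 'print("ok")'
    safe_write "$r/planted_link" 'clobbered' || echo "symlink write blocked"
    rm -rf "$r"
fi
```

Save it as, say, audit.sh and run `sh audit.sh demo`. On a deployed instance, point audit_writable at /var/www/securedrop and add the ownership pass with `find /var/www/securedrop ! -user root`; any output means a non-root user can still alter code or bytecode that root-triggered jobs execute.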
SecureDrop aims to provide defense in depth in its server configuration, employing hardening measures such as strict AppArmor profiles for Internet-facing services and a grsecurity-hardened kernel. We discovered this vulnerability during an internal round of hardening in which we are actively reviewing system configurations to add further defenses against an attacker who has achieved unprivileged local code execution.
The vulnerability has a score of High according to CVSSv3:
However, because the Attack Vector (AV) metric is Local (L), exploiting it requires the attacker to already have code execution on the server. The vulnerability is therefore a local privilege escalation only.
Researchers may submit any security vulnerability either through our bug bounty program or via encrypted email to firstname.lastname@example.org (public key, fingerprint: 734F 6E70 7434 ECA6 C007 E1AE 82BD 6C96 16DA BB79).