Welcome to the spring edition of our spotlight series. Springtime kept us busy with a couple of major security publications. With this post we want to take some time to discuss some of our other review efforts during the last three months that would otherwise not get much attention.| SUSE Security Team Blog
sslh is a protocol demultiplexer that allows providing different types of services on the same network port. During a routine review we identified two remote denial-of-service vulnerabilities and a number of non-security issues.
Open Source vulnerability reports and code review results.
openSUSE Tumbleweed switched to using SELinux by default. The change was causing problems when playing emulated Windows games through Proton or Wine. This post looks at the requirements for a fix and how a transparent solution was implemented.
Kea is the next-generation DHCP server suite offered by the Internet Systems Consortium (ISC). During a routine review we found a local root exploit and a number of further local vulnerabilities in its REST API, affecting Kea packages found in many Linux and BSD distributions.
The pcp performance analysis toolkit operates as root in directories controlled by the pcp service user, which allows privilege escalation from the pcp user to root.
Screen is the traditional terminal multiplexer software used on Linux and Unix systems. We found a local root exploit in Screen 5.0.0 affecting Arch Linux and NetBSD, as well as a couple of other issues, some of which also affect older Screen versions that are still found in the majority of distributions.
At the beginning of this year we noticed that the Deepin Desktop as it is currently packaged in openSUSE relies on a packaging policy violation to bypass SUSE security team review restrictions. With a long history of code reviews for Deepin components dating back to 2017, this marks a turning point for us that leads to the removal of the Deepin Desktop from openSUSE for the time being.
The nvidia-modprobe utility, a setuid-root helper for the proprietary Nvidia GPU display driver, contained an information disclosure vulnerability in versions prior to 550.144.03. Unprivileged users were able to determine the existence of arbitrary files on the system via the wait3() system call.
Welcome to the winter edition of our spotlight series. A busy winter has come to an end, and as usual in this post we give you an insight into some of our review efforts during that time that would otherwise not get much attention.
Below is a tool for recording and displaying system data like hardware utilization and cgroup information. Below versions up to and including v0.8.1 create a world-writable log directory, which can lead to a local root exploit and other security issues.
kio-admin is a KDE component which allows performing privileged file operations in GUI applications. A first request to add this package to openSUSE had been rejected by the SUSE security team in 2022. After careful reevaluation of the situation, this is about to change. This post explores the background of this development.
This PAM module allows using smart cards as an authentication factor on Linux. In its 0.6.12 release the use of PAM_IGNORE return values introduced a regression that can lead to complete authentication bypass in some scenarios.
dde-api-proxy is a component of the Deepin desktop environment that provides backward compatibility for legacy D-Bus service and interface names. We discovered a major authentication flaw in the design of this D-Bus proxy component.
pam-u2f allows using U2F (Universal 2nd Factor) devices like YubiKeys in the PAM authentication stack. Improper use of PAM_IGNORE return values in the module implementation could allow bypass of the second factor or passwordless login without inserting the proper device.
SSSD (System Security Services Daemon) is a suite of daemons dealing with user authentication based on mechanisms like LDAP, Kerberos and FreeIPA. We found privilege escalation paths in a number of helper binaries running with raised Linux capabilities when privilege separation is enabled.
This is the second edition of our new spotlight series. Autumn is always a busy time at SUSE, when new service packs and products are prepared. This also results in an increased amount of review requests arriving for the SUSE security team. This post features a mixture of D-Bus interfaces, Polkit authentication, temporary file handling issues, a small PAM module and setgid binary, Varlink IPC in systemd as well as some other topics.
Stalld is a daemon to prevent starvation of operating system threads on Linux. We discovered a problematic use of a fixed temporary file and other issues in the project, but upstream did not respond to our findings.
Authentik is a popular open source identity provider that can be self-hosted. While investigating the overall security of the project we discovered a remote timing attack weakness in the code. We also looked at the big picture of security in Authentik.
In tuned version 2.23, new D-Bus methods were added to its privileged daemon. We identified a couple of issues, including a local root exploit, in the additions.
oath-toolkit contains libraries and utilities for managing one-time password (OTP) authentication, e.g. as a second factor to password authentication. Its pam_oath.so PAM module performs unsafe operations in directories potentially controlled by unprivileged users, leading to possible privilege escalation.
Performance Co-Pilot (PCP) is a system for collecting system performance data and sharing it over the network. We performed a review of its main networking daemon component pmcd, which resulted in two CVEs and a couple of other notable findings.
Although there have been no major security findings in recent months, the SUSE security team has not been inactive. We revisited a couple of packages like Deepin desktop D-Bus services and the Croc file sharing tool, we finalized leftover KDE6 topics, checked up on our OpenSSH downstream patches, reviewed an age-old Emacs setuid binary and looked into an OpenVPN kernel module.
A newly added D-Bus system service for gnome-remote-desktop release 46 exposes the remote desktop private SSL certificate to other local users.
This report deals with HTTP basic auth issues in the darkhttpd project. Darkhttpd is a minimal HTTP web server implemented in the C programming language, for serving static files.
In the context of the KDE desktop version 6 major release we looked into a series of D-Bus services using Polkit for authentication. This led to a couple of interesting findings and insights.