Cockpit 320

Cockpit is the modern Linux admin interface. We release regularly.

Here are the release notes from Cockpit 320:

pam-ssh-add: Fix insecure killing of session ssh-agent [CVE-2024-6126]

Affected systems

  • Debian, Ubuntu, and other Debian-derived distributions: These distributions enable the deprecated user_readenv option by default in the pam_env PAM module.
  • Fedora, CentOS, RHEL, Arch, OpenSUSE: Not affected by default. Only systems where the user_readenv option has been manually enabled.
  • Other Linux distributions: Run grep -r user_readenv /etc/pam.d. If there is no output, you are not affected. Otherwise, check whether the “cockpit” PAM service uses that option directly or indirectly (through an included or substacked file).

This is tracked as CVE-2024-6126.

Impact

Cockpit’s pam_ssh_add module is vulnerable when user_readenv is enabled on the system, because /etc/pam.d/cockpit inherits that setting from the system-wide PAM configuration.

This could cause a Denial of Service: a locally authenticated user could craft a ~/.pam_environment file that kills an arbitrary process on the system with root privileges when that user logs out of a Cockpit session.

Fix

Workaround

If you cannot upgrade to Cockpit 320 or apply the patch linked above, and the system running Cockpit may have potentially malicious local users, you can mitigate this vulnerability:

  • Remove the user_readenv=1 option from the pam_env.so line in /etc/pam.d/cockpit.

This disables reading extra environment variables from users’ ~/.pam_environment files, a feature most commonly used to set a local environment that differs from the system default.
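The check described under “Affected systems”, and a way to confirm the workaround above took effect, as an added example that is not part of the Cockpit project’s code: it follows include, substack and @include directives from a PAM service file and reports whether pam_env.so is reached with user_readenv=1. The sample PAM files it writes are constructed, and the service name password-auth in them is an assumption.

```shell
#!/bin/sh
# pam_user_readenv_check DIR SERVICE [DEPTH]
# Exit 0 and print the offending file if DIR/SERVICE, or any file it pulls in
# via include/substack/@include, configures pam_env.so with user_readenv=1.
# Exit 1 otherwise. Recursion runs in a subshell so variables stay isolated.
pam_user_readenv_check() {
    dir=$1; file="$1/$2"; depth=${3:-0}
    [ -r "$file" ] || return 1
    [ "$depth" -lt 16 ] || return 1                  # guard against include loops
    while IFS= read -r line; do
        case $line in '#'*|'') continue ;; esac       # skip comments and blank lines
        case $line in                                 # direct use on this line
            *pam_env.so*user_readenv=1*) echo "affected: $file"; return 0 ;;
        esac
        set -f; set -- $line; set +f                  # split into PAM fields, no globbing
        if [ "$1" = "@include" ]; then                # Debian-style directive
            ( pam_user_readenv_check "$dir" "$2" $((depth + 1)) ) && return 0
        elif [ "$2" = "include" ] || [ "$2" = "substack" ]; then
            ( pam_user_readenv_check "$dir" "$3" $((depth + 1)) ) && return 0
        fi
    done < "$file"
    return 1
}

# make_demo_pamd DIR MODE: writes a constructed (not real) Debian-style layout
# where the cockpit service only reaches pam_env.so through an included file.
# MODE "fixed" omits user_readenv=1, i.e. the workaround has been applied.
make_demo_pamd() {
    opt="user_readenv=1"; [ "$2" = "fixed" ] && opt=""
    printf '%s\n' 'auth    substack password-auth' \
                  'session include  password-auth' \
                  'session optional pam_ssh_add.so' > "$1/cockpit"
    printf '%s\n' 'auth    required pam_unix.so' \
                  "session optional pam_env.so readenv=1 $opt" > "$1/password-auth"
}

# Demo on constructed files; on a real host run: pam_user_readenv_check /etc/pam.d cockpit
demo=$(mktemp -d)
make_demo_pamd "$demo" vulnerable
pam_user_readenv_check "$demo" cockpit || echo "not affected"
```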

Acknowledgments

Many thanks to Paolo Perego for discovering, and Luna Dragon for reporting this issue!

Try it out

Cockpit 320 is available now: