Cockpit 320
Cockpit is the modern Linux admin interface. We release regularly.
Here are the release notes from Cockpit 320:
pam-ssh-add: Fix insecure killing of session ssh-agent [CVE-2024-6126]
Affected systems
- Debian, Ubuntu, and other Debian-derived distributions: These distributions enable the deprecated user_readenv option by default in the pam_env PAM module.
- Fedora, CentOS, RHEL, Arch, OpenSUSE: Not affected by default. Only systems where the user_readenv option has been manually enabled are affected.
- Other Linux distributions: Check with grep -r user_readenv /etc/pam.d. If there is no output, you are not affected. Otherwise check whether the “cockpit” PAM service directly or indirectly uses that option.
This is tracked as CVE-2024-6126.
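As an added example (not Cockpit's own code), a POSIX sh check for the "directly or indirectly" case above: the hypothetical function pam_readenv_reachable follows @include, include and substack directives from a service file and reports whether a pam_env.so line carrying user_readenv=1 is reachable. The PAM files it creates in a temp directory are constructed for the demo; point it at /etc/pam.d to check a real host.

```shell
#!/bin/sh
# Constructed sample PAM stack in a temp dir (not copied from any real system):
# a Debian-style "cockpit" service that reaches pam_env.so user_readenv=1 only
# indirectly, through an @include of common-session.
PAMD="$(mktemp -d)"
cat > "$PAMD/common-session" <<'EOF'
session required pam_env.so readenv=1 user_readenv=1
session required pam_unix.so
EOF
cat > "$PAMD/password-auth" <<'EOF'
auth required pam_unix.so
EOF
cat > "$PAMD/cockpit" <<'EOF'
auth     substack  password-auth
@include common-session
session  optional  pam_ssh_add.so
EOF

# pam_readenv_reachable DIR SERVICE [SEEN]
# Returns 0 if SERVICE's PAM stack under DIR, followed through "@include",
# "include" and "substack" directives, contains a pam_env.so line carrying
# user_readenv=1; returns 1 otherwise. SEEN is an internal loop guard.
pam_readenv_reachable() {
    dir=$1; svc=$2; seen=${3:-}
    f="$dir/$svc"
    [ -r "$f" ] || return 1
    case " $seen " in *" $svc "*) return 1 ;; esac   # already visited
    seen="$seen $svc"
    # Direct hit: strip comments, then look for the option on a pam_env.so line.
    if sed 's/#.*//' "$f" | grep -q 'pam_env\.so.*user_readenv=1'; then
        return 0
    fi
    # Indirect hit: recurse into every included service file. The subshell
    # keeps the child's variables from clobbering ours (POSIX sh has no local).
    for inc in $(sed 's/#.*//' "$f" | awk '
        $1 == "@include"                        { print $2 }
        $2 == "include" || $2 == "substack"     { print $3 }'); do
        ( pam_readenv_reachable "$dir" "$inc" "$seen" ) && return 0
    done
    return 1
}

if pam_readenv_reachable "$PAMD" cockpit; then
    echo "cockpit PAM stack enables user_readenv: affected (fixed in Cockpit 320)"
else
    echo "user_readenv is not reachable from the cockpit stack: not affected"
fi
```

On a real host, run pam_readenv_reachable /etc/pam.d cockpit; a zero exit status means the workaround below (or the upgrade) applies to you.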
Impact
Cockpit’s pam_ssh_add module had a vulnerability when user_readenv is enabled on the system, as it inherits that setting from the system configuration in /etc/pam.d/cockpit.
This could cause a Denial of Service: a locally-authenticated user could craft a ~/.pam_environment file that causes an arbitrary process on the system to be killed with root privileges when they log out of a Cockpit session.
Fix
- Upgrade to Cockpit version 320 to fix this issue.
- For older Cockpit versions, a backportable patch is available.
Workaround
If you cannot upgrade to Cockpit 320 or apply the patch linked above, and the system running Cockpit may have potentially malicious local users, you can mitigate this vulnerability:
- Remove the user_readenv=1 option from the pam_env.so line in /etc/pam.d/cockpit.
This will disable reading any extra environment variables from users’ ~/.pam_environment files, which is most commonly used to set a local environment different from the system default.
Acknowledgments
Many thanks to Paolo Perego for discovering, and Luna Dragon for reporting this issue!
Try it out
Cockpit 320 is available now: