Linux specific local privilege escalation via the multiprocessing forkserver start method - CVE-2022-42919 #97514
Assignees
Labels
3.9
3.10
3.11
3.12
release-blocker
stdlib
Python modules in the Lib dir
type-bug
An unexpected behavior, bug, or error
type-security
A security issue
Comments
gpshead
added a commit
to gpshead/cpython
that referenced
this issue
Oct 20, 2022
Linux abstract sockets are insecure as they lack any form of filesystem permissions so their use allows anyone on the system to inject code into the process. This removes the default preference for abstract sockets in multiprocessing introduced in Python 3.9+ via python#18866 while fixing python#84031. Explicit use of an abstract socket by a user now generates a RuntimeWarning. If we choose to keep this warning, it should be backported to the 3.7 and 3.8 branches.
Yhg1s
pushed a commit
that referenced
this issue
Oct 20, 2022
Linux abstract sockets are insecure as they lack any form of filesystem permissions so their use allows anyone on the system to inject code into the process. This removes the default preference for abstract sockets in multiprocessing introduced in Python 3.9+ via #18866 while fixing #84031. Explicit use of an abstract socket by a user now generates a RuntimeWarning. If we choose to keep this warning, it should be backported to the 3.7 and 3.8 branches.
miss-islington
pushed a commit
to miss-islington/cpython
that referenced
this issue
Oct 20, 2022
…ythonGH-98501) Linux abstract sockets are insecure as they lack any form of filesystem permissions so their use allows anyone on the system to inject code into the process. This removes the default preference for abstract sockets in multiprocessing introduced in Python 3.9+ via python#18866 while fixing python#84031. Explicit use of an abstract socket by a user now generates a RuntimeWarning. If we choose to keep this warning, it should be backported to the 3.7 and 3.8 branches. (cherry picked from commit 49f6106) Co-authored-by: Gregory P. Smith <greg@krypto.org>
miss-islington
pushed a commit
to miss-islington/cpython
that referenced
this issue
Oct 20, 2022
…ythonGH-98501) Linux abstract sockets are insecure as they lack any form of filesystem permissions so their use allows anyone on the system to inject code into the process. This removes the default preference for abstract sockets in multiprocessing introduced in Python 3.9+ via python#18866 while fixing python#84031. Explicit use of an abstract socket by a user now generates a RuntimeWarning. If we choose to keep this warning, it should be backported to the 3.7 and 3.8 branches. (cherry picked from commit 49f6106) Co-authored-by: Gregory P. Smith <greg@krypto.org>
This was referenced Oct 20, 2022
miss-islington
pushed a commit
to miss-islington/cpython
that referenced
this issue
Oct 20, 2022
…ythonGH-98501) Linux abstract sockets are insecure as they lack any form of filesystem permissions so their use allows anyone on the system to inject code into the process. This removes the default preference for abstract sockets in multiprocessing introduced in Python 3.9+ via python#18866 while fixing python#84031. Explicit use of an abstract socket by a user now generates a RuntimeWarning. If we choose to keep this warning, it should be backported to the 3.7 and 3.8 branches. (cherry picked from commit 49f6106) Co-authored-by: Gregory P. Smith <greg@krypto.org>
miss-islington
pushed a commit
to miss-islington/cpython
that referenced
this issue
Oct 20, 2022
…ythonGH-98501) Linux abstract sockets are insecure as they lack any form of filesystem permissions so their use allows anyone on the system to inject code into the process. This removes the default preference for abstract sockets in multiprocessing introduced in Python 3.9+ via python#18866 while fixing python#84031. Explicit use of an abstract socket by a user now generates a RuntimeWarning. If we choose to keep this warning, it should be backported to the 3.7 and 3.8 branches. (cherry picked from commit 49f6106) Co-authored-by: Gregory P. Smith <greg@krypto.org>
miss-islington
added a commit
that referenced
this issue
Oct 20, 2022
…GH-98501) (GH-98502) Linux abstract sockets are insecure as they lack any form of filesystem permissions so their use allows anyone on the system to inject code into the process. This removes the default preference for abstract sockets in multiprocessing introduced in Python 3.9+ via #18866 while fixing #84031. Explicit use of an abstract socket by a user now generates a RuntimeWarning. If we choose to keep this warning, it should be backported to the 3.7 and 3.8 branches. (cherry picked from commit 49f6106) Co-authored-by: Gregory P. Smith <greg@krypto.org> Automerge-Triggered-By: GH:gpshead
miss-islington
added a commit
that referenced
this issue
Oct 20, 2022
…GH-98501) (GH-98503) Linux abstract sockets are insecure as they lack any form of filesystem permissions so their use allows anyone on the system to inject code into the process. This removes the default preference for abstract sockets in multiprocessing introduced in Python 3.9+ via #18866 while fixing #84031. Explicit use of an abstract socket by a user now generates a RuntimeWarning. If we choose to keep this warning, it should be backported to the 3.7 and 3.8 branches. (cherry picked from commit 49f6106) Co-authored-by: Gregory P. Smith <greg@krypto.org> Automerge-Triggered-By: GH:gpshead
pablogsal
pushed a commit
that referenced
this issue
Oct 22, 2022
…GH-98501) (GH-98502) Linux abstract sockets are insecure as they lack any form of filesystem permissions so their use allows anyone on the system to inject code into the process. This removes the default preference for abstract sockets in multiprocessing introduced in Python 3.9+ via #18866 while fixing #84031. Explicit use of an abstract socket by a user now generates a RuntimeWarning. If we choose to keep this warning, it should be backported to the 3.7 and 3.8 branches. (cherry picked from commit 49f6106) Co-authored-by: Gregory P. Smith <greg@krypto.org> Automerge-Triggered-By: GH:gpshead
ambv
pushed a commit
that referenced
this issue
Oct 28, 2022
…H-98501) (#98504) Linux abstract sockets are insecure as they lack any form of filesystem permissions so their use allows anyone on the system to inject code into the process. This removes the default preference for abstract sockets in multiprocessing introduced in Python 3.9+ via #18866 while fixing #84031. Explicit use of an abstract socket by a user now generates a RuntimeWarning. If we choose to keep this warning, it should be backported to the 3.7 and 3.8 branches. (cherry picked from commit 49f6106) Co-authored-by: Gregory P. Smith <greg@krypto.org>
|
I created https://python-security.readthedocs.io/vuln/multiprocessing-abstract-socket.html to track this vulnerability. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
gpshead commentedSep 23, 2022
•
edited
TL;DR
Python 3.9, 3.10, and 3.11.0rc2 on Linux may allow for a local privilege escalation attack in a non-default configuration when code uses the
multiprocessingmodule and configuresmultiprocessingto use the forkserver start method.Details
The Python
multiprocessinglibrary, when used with the forkserver start method on Linux, allows Python pickles to be deserialized from any user in the same machine local network namespace, which in many system configurations means any user on the same machine. Pickles can execute arbitrary code. Thus, this allows for local user privilege escalation to the user that any Python multiprocessing forkserver process is running as.The forkserver start method for multiprocessing is not the default start method. This issue is Linux specific because only Linux supports abstract namespace sockets.
CPython before 3.9 does not make use of Linux abstract namespace sockets by default.
This issue has been assigned CVE-2022-42919.
Credit: This issue was discovered by Devin Jeanpierre (@ssbr) of Google.
Are Python 3.7 and 3.8 affected?
Not by default.
Support for users manually specifying an abstract namespace AF_UNIX socket was added as a bugfix in 3.7.8 and 3.8.4, but users would need to make specific uncommon
multiprocessingAPI calls specifying their own forkserver control socket path in order to do that in CPython before 3.9.What about code that explicitly asks for an abstract socket?
Applications found to be making the uncommon
multiprocessingAPI calls to explicitly use Linux abstract namespace sockets with a forkserver are believed to be rare and should have their own specific security issues filed.Workarounds
From Python application or library code:
This disables their use by default. You must execute that before anything else in your process has started making use of multiprocessing.
If you can patch your CPython runtime itself:
Remove these two lines from CPython's
Lib/multiprocessing/connection.py:(that is what our security bug fix commits do).
Or, similar to the application level fix, edit
Lib/multiprocessing/util.pyto always set:Alternatives to avoid the problem
If your Linux Python application can be switched from multiprocessing's
.set_start_method("forkserver")to a start method such as"spawn"that will also avoid this issue.Scope of the bug fixes
We are changing the default in Python 3.9 and higher to not use the Linux abstract namespace sockets by default.
It would be ideal to add authentication to the forkserver control socket so that it isn't even relying on filesystem permissions. This is a more complicated change and is expected to be done as a feature in 3.12.
Tasks
The text was updated successfully, but these errors were encountered: