Apache Traffic Server (ATS) does not check the return value of the initgroups() function, leading to potential privilege escalation.
Timeline
- 26/09/2024: Apache Traffic Server security team contacted and patch submitted
- 01/10/2024: ATS security team first response
- 13/09/2024: Patch release announced and CVE-2024-50306 published
Affected versions
- ATS 9.0.0 to 9.2.5
- ATS 10.0.0 to 10.0.1
Issue
The initgroups() function sets the supplementary group list of a process. It is used when privileges are dropped so that the process also loses membership in any privileged group that the user it was running as belongs to.
Failing to check its return value lets a process believe it dropped these memberships when, if the call failed, it in fact did not. That was the case in ATS' code, in the file src/tscore/ink_cap.cc:
// Always repopulate the supplementary group list for the new user.
initgroups(pwd->pw_name, pwd->pw_gid);
This has been fixed in ATS 9.2.6 and 10.0.2:
https://github.com/apache/trafficserver/commit/ae638096e259121d92d46a9f57026a5ff5bc328b
The fix aborts execution if the call fails.
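As an added example (not ATS code), the privilege-drop routine below applies the same rule, checking initgroups() and every other call, and adds the post-drop verification a defender would want: the supplementary groups the kernel reports via getgroups() are compared against the user's membership from getgrouplist(). The names MAX_GROUPS, groups_within and drop_privileges are assumptions of this example.

```c
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define MAX_GROUPS 256   /* assumed upper bound for this example */

/* Pure check: 1 if every gid in `actual` also appears in `expected`.
 * A privileged group left behind by a failed initgroups() yields 0. */
int groups_within(const gid_t *actual, int n_actual,
                  const gid_t *expected, int n_expected)
{
    for (int i = 0; i < n_actual; i++) {
        int found = 0;
        for (int j = 0; j < n_expected && !found; j++)
            found = (actual[i] == expected[j]);
        if (!found) return 0;
    }
    return 1;
}

/* Drop to `user` with every call checked. Returns 0 on success, -1 on any
 * failure so the caller can abort, as the ATS fix does. Needs root to succeed. */
int drop_privileges(const char *user)
{
    struct passwd *pwd = getpwnam(user);
    if (pwd == NULL)
        return -1;
    /* The check that was missing in ink_cap.cc. */
    if (initgroups(pwd->pw_name, pwd->pw_gid) != 0) {
        fprintf(stderr, "initgroups: %s\n", strerror(errno));
        return -1;
    }
    if (setgid(pwd->pw_gid) != 0 || setuid(pwd->pw_uid) != 0)
        return -1;
    /* Verify the kernel's supplementary list against the group database. */
    gid_t expected[MAX_GROUPS], actual[MAX_GROUPS];
    int n_expected = MAX_GROUPS;
    if (getgrouplist(pwd->pw_name, pwd->pw_gid, expected, &n_expected) < 0)
        return -1;
    int n_actual = getgroups(MAX_GROUPS, actual);
    if (n_actual < 0)
        return -1;
    return groups_within(actual, n_actual, expected, n_expected) ? 0 : -1;
}
```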
Thanks to Masakazu Kitajo from the Apache team for his review.