Vendor: Garuda Linux
Vendor URL: https://garudalinux.org/ 
Versions affected: previous commit 29b03856
Systems Affected: Garuda Linux user creation panel 
Author: Jesus Olmos <jesus.olmos[at]fox-it[dot]com>
CVE Identifier: CVE-2021-3784
Risk: 4.4 - Local user impersonation in the moment of the user creation

Summary

Garuda is a modern Linux distribution based on Arch Linux with nice blur effects and icons. 

Garuda Linux performs an insecure user creation and authentication, that allows a local attacker  to impersonate a user account while it is being created. 

The user is created in two steps: 

  • First the user is created without password and without any account lock. 
  • Then the password is set. 

An authentication is requested in every step, so there is enough of a delay between steps to get access on the unprotected account. 

Furthermore, the switch-user option allows to access to the unprotected account using any random password. 

Impact

A local attacker can detect a user creation and install a backdoor to access that user account at any moment in the future. 

Details

Garuda Linux performs an insecure user creation and authentication, that allows any user to impersonate the created account with Garuda’s user management panel: 

“garuda settings manager” > “user accounts” 

In Linux often the users are created in two steps: 

  • Create the user without password but the account locked 
  • Set the password 

But in the case of Garuda there is no account lock, this is the code for step1: 

args[“arguments”] = QStringList() << “-m” << “-p” << “” << “-U” << “-G” << defaultUserGroups << username; 
installActionAdd.setArguments(args); 
KAuth::ExecuteJob* jobAdd = installActionAdd.execute(); 

This step generates an authentication pop-up, and so does the step2 when the password is set: 

args[“arguments”] = QStringList() << username; 
args[“writeArgs”] = QStringList() << password << password; 
installActionUsersChangePassword.setArguments( args ); 
KAuth::ExecuteJob* jobChangePassword = installActionUsersChangePassword.execute() 

Each KAuth is doing an elevation and showing the authentication-popup, so it appears twice in the practice. 

Between step1 and step2 the user is created without password and without account lock: 

  • shadow:   myuser::18841:0:99999:7:: 
  • passwd:   myuser:x:1003:1004::/home/myuser:/bin/bash 

Despite this momentary insecure state of the created user, the configuration in Garuda doesn’t allow using command “su” to an account that doesn’t have a password. 

But the Garuda switch-user authenticates well on this user with any random password. 

Recommendation

The current download version is fixed, and also an upgrade is available. Users are recommended to upgrade to the most recent version.

In case of doubt, don’t use the Garuda’s users creation panel; the users can be created using the console. 

Vendor Communication

August 9 2021:  The vulnerability was discovered during vacation. 

September 10 2021:  A ticket is created on vendor’s gitlab. 

September 10 2021: The vulnerability is fixed in commit 29b03856

Acknowledgements

Thanks to the Garuda developers for quickly fixing the vulnerability. 

About NCC Group

NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate & respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity. 

Published date:  September 29 2021

Written by:  Jesus Olmos 

Published by Jennifer Fernick

Jennifer Fernick is the Global Head of Research at NCC Group. She can be found on Twitter at @enjenneer.

Published