tier1.jp

[SECURITY UPDATE] logcheck ignore database v0.11

tier1.jp released logcheck ignore database v0.11 for Debian GNU/Linux stretch and buster.

Security Issue

We've noticed that configurations which let logcheck send its summary mails to normal users whose accounts are used daily can cause a security issue: dmesg information that the kernel restricts is leaked to those users.

  1. Processes running under those users can effectively read dmesg output, which could give an attacker important information through those processes.
    • The Debian Linux kernel does not allow normal users to read dmesg (CONFIG_SECURITY_DMESG_RESTRICT=y, i.e. kernel.dmesg_restrict=1).
      user$ dmesg
      dmesg: read kernel buffer failed: Operation not permitted
  2. Neither Debian nor our logcheck ignore database suppressed those dmesg outputs sufficiently.
    • /var/mail/USER can contain dmesg output.
  3. We've started to add suppression rules for such important dmesg information (address ranges, port numbers, etc.).
    • We've only just started, and coverage is not yet sufficient.
    • It only covers a small part of the output of amd64 machines.
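To see how much of a host's kernel output a rule set actually suppresses before it is mailed out, here is an added example (not part of tier1.jp's database or of logcheck itself) that applies constructed ignore rules to constructed syslog lines using the same extended-regex filtering logcheck performs, then flags the surviving kernel lines that still carry hex address ranges or port numbers. The log lines, hostname and rules are all made up for the example.

```shell
#!/bin/sh
# Added example: audit which kernel lines survive a logcheck-style ignore
# rule set and still carry address ranges or port numbers.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed syslog sample (not from a real machine).
cat > "$WORK/sample.log" <<'EOF'
Mar  3 08:12:01 host1 kernel: [    0.412345] pci 0000:00:1f.2: reg 0x10: [mem 0xf7d00000-0xf7d007ff]
Mar  3 08:12:01 host1 kernel: [    0.612345] ACPI: Early table checksum verification disabled
Mar  3 08:15:22 host1 kernel: [  201.123456] TCP: request_sock_TCP: Possible SYN flooding on port 8080. Sending cookies.
Mar  3 08:18:00 host1 kernel: [  300.000000] random: crng init done
Mar  3 08:20:00 host1 kernel: [  480.000000] usb 1-1: new high-speed USB device number 3 using xhci_hcd
Mar  3 08:21:00 host1 cron[1234]: (root) CMD (run-parts /etc/cron.hourly)
EOF

# Constructed ignore rules in the extended-regex style logcheck uses
# (one rule per line, anchored on the syslog timestamp and hostname).
cat > "$WORK/ignore.rules" <<'EOF'
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[ *[[:digit:]]+\.[[:digit:]]+\] usb [[:digit:].-]+: new (low|full|high|SuperSpeed)-speed USB device number [[:digit:]]+ using [[:alnum:]_]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[ *[[:digit:]]+\.[[:digit:]]+\] ACPI: Early table checksum verification disabled$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ cron\[[[:digit:]]+\]: \(root\) CMD \(run-parts /etc/cron\.(hourly|daily)\)$
EOF

# Lines that no ignore rule matches: these are what the summary mail would contain.
unsuppressed_lines() {
    grep -E -v -f "$WORK/ignore.rules" "$WORK/sample.log"
}

# Of those, the kernel messages that still expose a hex address range or a port number.
leaked_kernel_lines() {
    unsuppressed_lines | grep -E ' kernel: ' \
        | grep -E '0x[0-9a-f]+-0x[0-9a-f]+|port [0-9]+'
}

echo "Kernel lines that would still reach the summary mail with sensitive details:"
leaked_kernel_lines
```

Each line printed is a candidate for a new suppression rule; a rule set is only sufficient for a host once this list is empty for that host's full boot output.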

Mitigation

Please update to our latest ignore database as soon as possible if you are using it.

  1. Do not add normal users whose accounts are used daily to logcheck recipient lists.
    • At least not users who do development tasks.
  2. Restrict web access.
    • Never execute anything from the Internet directly.
    • Use browser tracking protections as much as possible.
  3. Create a special (but otherwise normal) user [1] to receive those logcheck summary mails.
[1] A user who does nothing but read summary mails.

Download

The tar file is available at the software page.
