Bug 1101311

Summary: sosreport password disclosure - grub.conf md5 hashed password
Product: Red Hat Enterprise Linux 6
Reporter: Dolev Farhi <dolev>
Component: sos
Assignee: Bryn M. Reeves <bmr>
Status: CLOSED ERRATA
QA Contact: David Kutálek <dkutalek>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 6.4
CC: agk, bmr, dkutalek, gavin
Target Milestone: rc
Keywords: EasyFix, Patch, Upstream
Target Release: ---
Hardware: All
OS: All
Whiteboard:
Fixed In Version: sos-2.2-57.el6
Doc Type: Bug Fix
Doc Text:
Cause: Previous versions of sos did not elide passwords or password hashes in the grub.conf bootloader configuration file. Consequence: Passwords or password hashes contained in these files could be disclosed to the recipient of an sos report archive. Fix: The sos command now redacts passwords and password hashes contained in this file. Result: No password material is contained in the generated report archive.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-10-14 07:23:21 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Dolev Farhi 2014-05-26 18:59:23 UTC
Description of problem:

Password disclosure in grub.conf by using sosreport.

A similar vulnerability was found in sosreport before; the CVE
of that issue is CVE-2012-2664.
Some information can be found here:
http://packetstormsecurity.com/files/cve/CVE-2012-2664

"The sosreport utility in the Red Hat sos package before 2.2-29 does
not remove the root user password information from the Kickstart
configuration file (/root/anaconda-ks.cfg) when creating an archive of
debugging information, which might allow attackers to obtain passwords
or password hashes."

Well, basically the same issue, just this time it's the grub.conf file: the
md5 password hash is backed up just like the Kickstart file in
CVE-2012-2664. If the system has grub password protection, the grub
password hash will be backed up by sosreport and be subject to attack.

In CVE-2012-2664 the hash was simply removed, with some
random *WE REMOVED THIS* comment in place of the hash, so I don't see
much of a difference here.

Version-Release number of selected component (if applicable):
Any, but I used RHEL 6.4

How reproducible:
Protect grub with a password, preferably with the md5-grub-crypt tool,
then run sosreport; the file will eventually be in the tarball. In
the worst case scenario it will simply be copied to /tmp, accessible by
anyone.

Expected results:
Remove the grub password hash from the compressed sosreport tarball.

Comment 2 Bryn M. Reeves 2014-06-02 15:07:41 UTC
The RHEL 6-relevant part of this (grub1) is now fixed upstream:

commit 6501013bb780161e941f5e078a6ed7052f670a51
Author: Bryn M. Reeves <bmr>
Date:   Mon Jun 2 15:27:10 2014 +0100

    Make sure grub password regex handles all cases


commit 23182c4f13fbadc9b7c2ab75c1ca249d5ba987d1
Author: Bryn M. Reeves <bmr>
Date:   Mon Jun 2 14:55:03 2014 +0100

    Elide bootloader password in grub plugin


Backporting this to sos-2.2 will also need the following commits to be cherry-picked:

commit 5447facd2edd3b3e5f1d3ad736b411f8e6406077
Author: Bryn M. Reeves <bmr>
Date:   Mon Jun 2 14:51:16 2014 +0100

    Make do_path_regex_sub() honour string regex arguments
    
    The Plugin.do_path_regex_sub() method to apply regex substitutions
    to paths matching a pattern documents that it accepts either a
    compiled re object or a regular expression as a string:
    
        '''Apply a regexp substitution to a set of files archived by
        sos. The set of files to be substituted is generated by matching
        collected file pathnames against pathexp which may be a regular
        expression string or compiled re object. The portion of the file
        to be replaced is specified via regexp and the replacement string
        is passed in subst.'''
    
    It lies. Attempting to pass a string for the 'pathexp' parameter
    will result in:
    
        Traceback (most recent call last):
          File "/usr/sbin/sosreport", line 23, in <module>
            main(sys.argv[1:])
          File "/usr/lib/python2.6/site-packages/sos/sosreport.py", line 1229, in main
            sos.execute()
        AttributeError: 'str' object has no attribute 'match'
    
        > /usr/lib/python2.6/site-packages/sos/plugins/__init__.py(219)do_path_regex_sub()
        -> match = pathexp.match
    
    Look to see if the object we are passed has a 'match()' method and
    call re.compile on it if it does not.
    
    Signed-off-by: Bryn M. Reeves <bmr>



commit 6e8c0429cf4cbba8f3dc8001f36d7fb0e245c14e
Author: Bryn M. Reeves <bmr>
Date:   Thu Apr 3 21:22:50 2014 +0100

    Add Plugin.do_path_regex_sub()
    
    Add a method to the Plugin class to apply a regex substitution
    to a set of paths matching a path regex. For example:
    
        self.do_path_regex_sub(r'/etc/foo.*', 'pw=(.*)', 'pw=****')
    
    The oVirt plugin will use this.
    
    Signed-off-by: Bryn M. Reeves <bmr>

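Added worked example for the reporter's description and for the do_path_regex_sub() commits above. This is illustrative code written for this page, not code from the sos package or from the commits quoted in this bug; the sample grub.conf, the hash value in it and the `collected` dict standing in for sos's archive are constructed, and do_path_regex_sub() here is a re-implementation of the idea (a path pattern that may be a str or a compiled re, and a regex substitution applied to matching files), not the sos method itself. It covers all the grub1 password forms a redaction regex has to handle (plain, with a trailing menu file, --md5 and --encrypted), keeps the directive so the recipient can still see a bootloader password is set, and leaves non-matching files untouched.

```python
import re

# Constructed sample grub.conf in the grub1 / RHEL 6 layout. The hash is a
# made-up placeholder, not a real MD5 crypt string.
SAMPLE_GRUB_CONF = """\
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
password --md5 $1$abcdefgh$ijklmnopqrstuvwxyz0123456
title Red Hat Enterprise Linux (2.6.32-358.el6.x86_64)
        root (hd0,0)
        kernel /vmlinuz-2.6.32-358.el6.x86_64 ro root=/dev/mapper/vg-lv
        initrd /initramfs-2.6.32-358.el6.x86_64.img
"""

# Every form the grub1 'password' directive can take:
#   password SECRET
#   password SECRET /boot/grub/other-menu.lst
#   password --md5 HASH
#   password --encrypted HASH
# Group 1 keeps the directive and any flag so the report still shows that a
# bootloader password is configured; group 2 is the secret or hash to elide.
GRUB_PASSWORD_RE = re.compile(
    r'^([ \t]*password[ \t]+(?:--(?:md5|encrypted)[ \t]+)?)(\S+)',
    re.MULTILINE)
GRUB_PASSWORD_SUBST = r'\1********'


def redact_grub_password(text):
    """Return text with the value of every grub 'password' directive elided."""
    return GRUB_PASSWORD_RE.sub(GRUB_PASSWORD_SUBST, text)


def do_path_regex_sub(collected, pathexp, regexp, subst):
    """Apply a regex substitution to every collected file whose path matches
    pathexp. `collected` maps path -> file contents (a stand-in for the sos
    archive) and is modified in place. Both pathexp and regexp may be a str
    or a compiled pattern: as in the 5447facd fix, anything without a
    match() method is compiled first. Returns the number of substitutions."""
    if not hasattr(pathexp, 'match'):
        pathexp = re.compile(pathexp)
    if not hasattr(regexp, 'match'):
        regexp = re.compile(regexp)
    count = 0
    for path, contents in collected.items():
        if pathexp.match(path):
            collected[path], n = regexp.subn(subst, contents)
            count += n
    return count


def redact_report(collected):
    """Redact grub passwords wherever grub.conf was collected from
    (/boot/grub/grub.conf, /etc/grub.conf). Hypothetical helper."""
    return do_path_regex_sub(collected, r'.*/grub\.conf$',
                             GRUB_PASSWORD_RE, GRUB_PASSWORD_SUBST)


if __name__ == '__main__':
    files = {'/boot/grub/grub.conf': SAMPLE_GRUB_CONF,
             '/etc/hosts': '127.0.0.1 localhost\n'}
    print('%d substitution(s)' % redact_report(files))
    print(files['/boot/grub/grub.conf'])
```

The path pattern is applied to the collected pathname rather than to the file's contents, so the same substitution reaches the symlinked /etc/grub.conf copy as well as /boot/grub/grub.conf; only the secret itself is replaced, which is the check to make when reviewing a redaction regex: run it over a config that is not password-protected and over a line such as "title password manager" and confirm nothing else changes.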
Comment 3 Bryn M. Reeves 2014-06-23 13:12:35 UTC
commit de5e07bbf1afa2ff33296379becfdbad35525dc8
Author: Bryn M. Reeves <bmr>
Date:   Mon Jun 23 15:47:17 2014 +0100

    [bootloader] elide bootloader password

Comment 6 errata-xmlrpc 2014-10-14 07:23:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1528.html