Bug 1101393 (CVE-2014-0246)

Summary: CVE-2014-0246 sos: md5 hash of GRUB password collected when running sosreport
Product: [Other] Security Response
Reporter: Murray McAllister <mmcallis>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: low
Priority: low
Version: unspecified
CC: agk, bmr, dolev, gavin, jkurik, security-response-team, vdanen
Target Milestone: ---
Target Release: ---
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2014-06-09 19:55:50 UTC
Bug Depends On: 1101474
Bug Blocks: 1101415

Description Murray McAllister 2014-05-27 06:09:04 UTC
When using a GRUB bootloader password, the md5 hash of said password was collected and stored in the resulting archive of debugging information when running sosreport. An attacker able to access the archive could use this flaw to obtain the GRUB bootloader password.
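A defensive scrubber for the collection problem described above, added here as an illustration; it is not sos code or anything from this bug. The sample configs and the hash strings in them are constructed placeholders, and the scrubber goes slightly beyond the report by also handling GRUB2 `password_pbkdf2` lines.

```python
import re

REDACTED = "********"

# Constructed sample of a legacy GRUB config (/boot/grub/grub.conf) of the
# kind sosreport collects; the md5crypt string is a made-up placeholder.
SAMPLE_GRUB_CONF = """\
default=0
timeout=5
password --md5 $1$EXAMPLEsalt$EXAMPLEhashvaluexxxxxxxxxx
title Fedora (3.14.4-200.fc20.x86_64)
        root (hd0,0)
        kernel /vmlinuz-3.14.4-200.fc20.x86_64 ro root=/dev/mapper/vg-root
"""

# Constructed GRUB2 fragment (e.g. /boot/grub2/user.cfg); placeholder hash.
SAMPLE_GRUB2_CFG = """\
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.EXAMPLESALT.EXAMPLEHASH
"""


def scrub_line(line):
    """Redact the secret argument of a GRUB password directive, keep the rest."""
    indent = line[:len(line) - len(line.lstrip())]
    tokens = line.split()
    if not tokens:
        return line
    if tokens[0] == "password_pbkdf2" and len(tokens) >= 3:
        tokens[2] = REDACTED            # GRUB2: password_pbkdf2 <user> <hash>
    elif tokens[0] == "password" and len(tokens) >= 2:
        if tokens[1] == "--md5" and len(tokens) >= 3:
            tokens[2] = REDACTED        # legacy: password --md5 <hash> [file]
        else:
            # "password <secret> [file]" (legacy) and "password <user> <secret>"
            # (GRUB2) look alike, so redact every argument conservatively.
            tokens[1:] = [REDACTED] * (len(tokens) - 1)
    else:
        return line
    return indent + " ".join(tokens) + ("\n" if line.endswith("\n") else "")


def scrub_grub_secrets(text):
    """Apply scrub_line to every line of a collected GRUB config."""
    return "".join(scrub_line(l) for l in text.splitlines(keepends=True))


def contains_secret_hash(text):
    """Post-check: does anything still look like an md5crypt or pbkdf2 hash?"""
    return bool(re.search(r"\$1\$[^\s$]+\$\S+|grub\.pbkdf2\.\S+", text))
```

The post-check is the part worth keeping around: run it over the whole archive before sending it anywhere, since scrubbing by pattern is best-effort.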

Comment 2 Murray McAllister 2014-05-27 07:03:06 UTC
Acknowledgements:

Red Hat would like to thank Dolev Farhi of F5 Networks for reporting this issue.

Comment 3 Murray McAllister 2014-05-27 07:32:13 UTC
This issue is a similar scenario to https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2664

Comment 4 Murray McAllister 2014-05-27 09:16:03 UTC
Created sos tracking bugs for this issue:

Affects: fedora-all [bug 1101474]

Comment 5 Vincent Danen 2014-06-09 19:55:50 UTC
Please see https://bugzilla.redhat.com/show_bug.cgi?id=1102633#c4 for an explanation of why this is not a security issue.  The sos program cannot account for every single password that might be tucked away in any given file that it attempts to collect.  It makes a best-effort to scrub data, but that is in no way a guarantee and users are encouraged to look over the data that sos collects prior to sending it anywhere, and there is an explicit message to this effect when you run sos (before it collects anything).  This is more of a hardening exercise than anything else.  As well, an "attacker" can only benefit from the information if an authorized user makes it available to them.


Statement:

This bug is not a security issue. For a detailed explanation, refer to: https://bugzilla.redhat.com/show_bug.cgi?id=1101393#c5

Comment 6 Fedora Update System 2014-06-27 02:25:44 UTC
sos-3.1-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.