Bug 1819219 (CVE-2020-10699)

Summary: CVE-2020-10699 targetcli: world writable /var/run/targetclid.sock allows unprivileged user to execute commands
Product: [Other] Security Response Reporter: Cedric Buissart <cbuissar>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: andy, hvyas, mchristi, mlombard, security-response-team
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: targetcli-fb 2.1.52 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Linux, where the socket used by targetclid was world-writable. If a system enables the targetclid socket, a local attacker can use this flaw to modify the iSCSI configuration and escalate their privileges to root.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-04-28 10:31:47 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1819791, 1819792    
Bug Blocks: 1818918    

Description Cedric Buissart 2020-03-31 13:44:30 UTC 
The targetclid daemon runs as root and provides a /var/run/targetclid.sock socket to which clients can write commands to and which it will execute on their behalf, so since the socket is world writeable any unprivileged user can write to it and targetclid will execute the commands even though the user is not privileged. Hence crosses a privilege boundary and so is a vulnerability.

Targetclid is provided on targetcli-fb versions 2.1.50 and newer. It is however disabled by default and is not required to be enabled for targetcli to work.
Comment 5 Cedric Buissart 2020-04-01 15:21:30 UTC 
Upstream fix :
https://github.com/open-iscsi/targetcli-fb/commit/6e4f39357a90a914d11bac21cc2d2b52c07c213d
Comment 8 Cedric Buissart 2020-04-01 15:35:45 UTC 
Mitigation:

- Do not enable targetclid, this would prevent the socket to be created
- Manually change the socket's permission every time it is being created :
$ sudo chmod 0600 /var/run/targetclid.sock
Comment 9 Cedric Buissart 2020-04-02 06:43:08 UTC 
External References:

https://github.com/open-iscsi/targetcli-fb/issues/162
Comment 14 Product Security DevOps Team 2020-04-02 16:32:14 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10699
Comment 15 Product Security DevOps Team 2020-04-28 10:31:47 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10699
Comment 16 Cedric Buissart 2020-04-28 16:18:50 UTC 
Statement:

Red Hat Enterprise Linux versions 7, 8.0 and 8.1 are not vulnerable to this flaw, because they do not ship a version of targetcli that contains the targetclid.socket socket.
Red Hat Enterprise Linux version 8.2 is affected by this flaw.
This issue did not affect the version of targetcli shipped with Red Hat Ceph Storage 2 and 3, as the package did not include the support for systemd which provides targetclid.socket socket.
Comment 17 errata-xmlrpc 2020-04-28 20:54:56 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1933 https://access.redhat.com/errata/RHSA-2020:1933