Bug 1854723 (CVE-2020-14019)

Summary: CVE-2020-14019 python-rtslib: weak permissions for /etc/target/saveconfig.json
Product: [Other] Security Response Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: amctagga, andy, hvyas, matt, mlombard, tomek
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Open-iSCSI rtslib-fb through versions 2.1.72, where it has weak permissions for /etc/target/saveconfig.json because the shutil.copyfile, instead of shutil.copy is used, and permissions are not preserved upon editing. This flaw allows an attacker with prior access to /etc/target/saveconfig.json to access a later version, resulting in a loss of integrity, depending on their permission settings. The highest threat from this vulnerability is to confidentiality.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-12-15 22:18:36 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1854724, 1855171, 1857797, 1876812, 1876813    
Bug Blocks: 1854725    

Description Dhananjay Arunesh 2020-07-08 06:09:17 UTC 
Open-iSCSI rtslib-fb through 2.1.72 has weak permissions for /etc/target/saveconfig.json because shutil.copyfile (instead of shutil.copy) is used, and thus permissions are not preserved.

References:
https://github.com/open-iscsi/rtslib-fb/pull/162
Comment 1 Dhananjay Arunesh 2020-07-08 06:09:58 UTC 
Created python-rtslib tracking bugs for this issue:

Affects: fedora-all [bug 1854724]
Comment 3 Stefan Cornelius 2020-07-10 16:22:06 UTC 
Patch (also fixes a related issue with file open modes):
https://github.com/open-iscsi/rtslib-fb/commit/1d19b0f2aa45b8f61f75d6a05524389ea547784c
Comment 8 Sage McTaggart 2020-07-16 17:23:22 UTC 
Statement:

Red Hat Ceph Storage 2 and 3 are not affected because within the affected method, shutil.copyfile is not used. However, the affected method, save_to_file is outdated and contains a race condition. Hence, this issue has been rated as having a security impact of low.
Comment 16 errata-xmlrpc 2020-12-15 11:10:56 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:5435 https://access.redhat.com/errata/RHSA-2020:5435
Comment 17 Product Security DevOps Team 2020-12-15 22:18:36 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-14019