Summary: CVE-2020-14391 gnome-settings-daemon: Red Hat Customer Portal password logged and passed as command line argument when user registers through GNOME control center
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Version: unspecified
CC: cgarnach, fmuellner, gnome-sig, mclasen, mkasik, ofourdan, rschiron, rstrode, security-response-team, tiagomatos, yaneti
Fixed In Version:
Doc Type: If docs needed, set a value

A flaw was found in the GNOME Control Center, where it improperly uses Red Hat Customer Portal credentials when a user registers a system through the GNOME Settings User Interface. This flaw allows a local attacker to discover the Red Hat Customer Portal password. The highest threat from this vulnerability is to confidentiality.

Last Closed: 2020-11-04 02:26:32 UTC
Type: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 1872457, 1874918
Description Marian Rehak 2020-08-27 11:04:20 UTC
When registering a system through GNOME Control Center, the Red Hat Customer Portal password gets sent to the system log and is passed as an argument to the gnome-settings-daemon helper, making it readable by an unprivileged local user.
Comment 2 Riccardo Schirone 2020-09-07 15:52:25 UTC
When registering a Red Hat system to Red Hat Subscription Manager with the UI provided through GNOME Control Center, the Red Hat Customer Portal password provided by the user is passed as an argument to the gnome-settings-daemon helper. The command is logged on the system, password included, which is not a good practice. Those logs can only be read by other admin users, but at the same time it could still be possible for a local unprivileged user to see the command being executed and find out the password to the Red Hat Customer Portal.
Comment 3 Riccardo Schirone 2020-09-07 15:58:05 UTC
As the subscription of a Red Hat system is usually an operation performed at installation time, before any untrusted user has the chance to have access to the system, the likelihood of this flaw being abused is considered low.
Comment 7 Riccardo Schirone 2020-09-08 08:35:28 UTC
Mitigation: Use `subscription-manager` directly from the terminal and do not use the `--password` flag.
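The mechanism behind the report and the mitigation above, as an added example that is not part of the bug report or of gnome-settings-daemon: on Linux, the argv of every process is world-readable through /proc/<pid>/cmdline (this is what `ps` shows), so a secret placed on a helper's command line is readable by any local user for as long as the helper runs, whereas a secret written to the helper's stdin never appears there. The helper below is a throwaway `python -c` script standing in for the real helper, the `--password` flag name mirrors the subscription-manager flag the mitigation says to avoid, the secret value is constructed, and `find_password_args` is an audit helper for spotting the pattern on a running system. It relies on /proc and so runs on Linux only.

```python
# Added example (not from the bug report): argv exposure via /proc versus stdin.
import os
import subprocess
import sys

PROC_ROOT = "/proc"


def read_cmdline(pid, proc_root=PROC_ROOT):
    """Return a process's argv as any local user can read it.

    /proc/<pid>/cmdline is readable regardless of which user owns the
    process; ps and top display exactly this data.
    """
    with open(f"{proc_root}/{pid}/cmdline", "rb") as f:
        return [a.decode(errors="replace") for a in f.read().split(b"\0") if a]


def find_password_args(proc_root=PROC_ROOT):
    """Audit helper: (pid, argv[0]) of live processes carrying a --password argument."""
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            argv = read_cmdline(entry, proc_root)
        except OSError:
            continue  # process exited or its cmdline is not readable
        if any(a == "--password" or a.startswith("--password=") for a in argv):
            hits.append((int(entry), argv[0] if argv else ""))
    return hits


def secret_in_argv(secret):
    """Vulnerable pattern: secret on the command line.

    Returns (leaked, flagged): whether the secret is visible in the child's
    /proc cmdline and whether the audit helper catches the child.
    """
    # Popen returns only after the child has exec'd, so cmdline is final here.
    child = subprocess.Popen(
        [sys.executable, "-c", "import time; time.sleep(5)", "--password", secret])
    try:
        leaked = secret in read_cmdline(child.pid)
        flagged = child.pid in {pid for pid, _ in find_password_args()}
        return leaked, flagged
    finally:
        child.kill()
        child.wait()


def secret_via_stdin(secret):
    """Safer pattern: secret written to the helper's stdin.

    Returns (leaked, received): nothing in argv, but the helper still got it.
    """
    child = subprocess.Popen(
        [sys.executable, "-c", "import sys; print(sys.stdin.readline().strip())"],
        stdin=subprocess.PIPE, stdout=subprocess.PIPE, text=True)
    leaked = secret in read_cmdline(child.pid)
    out, _ = child.communicate(secret + "\n")
    return leaked, out.strip()


if __name__ == "__main__":
    s = "constructed-example-secret"  # constructed value, not a real credential
    print("argv  :", secret_in_argv(s))
    print("stdin :", secret_via_stdin(s))
```

This is why omitting `--password` from a `subscription-manager register` invocation helps: the tool then prompts for the password on the terminal instead of carrying it in argv, and nothing secret reaches the process list or a command log. The same applies to any helper a desktop daemon spawns: pass credentials over a pipe or a file descriptor, and make sure the command line you log is the one without the secret.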
Comment 9 Riccardo Schirone 2020-09-08 08:52:21 UTC
Statement: This issue did not affect the versions of gnome-settings-daemon as shipped with Red Hat Enterprise Linux 6 and 7, as they did not include the subscription-manager plugin.
Comment 13 errata-xmlrpc 2020-11-04 01:05:11 UTC
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 via RHSA-2020:4451 https://access.redhat.com/errata/RHSA-2020:4451
Comment 14 Product Security DevOps Team 2020-11-04 02:26:32 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-14391