Bug 1873093 (CVE-2020-14391)

Summary: CVE-2020-14391 gnome-settings-daemon: Red Hat Customer Portal password logged and passed as command line argument when user registers through GNOME control center
Product: [Other] Security Response Reporter: Marian Rehak <mrehak>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: cgarnach, fmuellner, gnome-sig, mclasen, mkasik, ofourdan, rschiron, rstrode, security-response-team, tiagomatos, yaneti
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the GNOME Control Center, where it improperly uses Red Hat Customer Portal credentials when a user registers a system through the GNOME Settings User Interface. This flaw allows a local attacker to discover the Red Hat Customer Portal password. The highest threat from this vulnerability is to confidentiality.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-11-04 02:26:32 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1872457, 1874918    
Bug Blocks: 1873098    

Description Marian Rehak 2020-08-27 11:04:20 UTC 
When registering a system through GNOME Control Center, Red Hat Customer Portal password gets sent to the system log and it is passed as an argument to gnome-settings-daemon helper, making it readable by an unprivileged local user.
Comment 2 Riccardo Schirone 2020-09-07 15:52:25 UTC 
When registering a Red Hat system to Red Hat Subscription Manager with the UI provided through GNOME Control Center, the Red Hat Customer Portal password provided by the user is passed as argument to gnome-settings-daemon helper. The command is logged on the system, password included, which is not a good practice. However, those logs could only be read by other admin users, but at the same time it could still be possible for a local unprivileged user to see the command being executed and find out the password to the Red Hat Customer Portal.
Comment 3 Riccardo Schirone 2020-09-07 15:58:05 UTC 
As the subscription of a Red Hat system is usually an operation performed at installation time, before any untrusted user has the chance to have access to the system, the likelihood of this flaw being abused is considered low.
Comment 7 Riccardo Schirone 2020-09-08 08:35:28 UTC 
Mitigation:

Use `subscription-manager` directly from the terminal and do not use the `--password` flag.
Comment 9 Riccardo Schirone 2020-09-08 08:52:21 UTC 
Statement:

This issue did not affect the versions of gnome-settings-daemon as shipped with Red Hat Enterprise Linux 6, and 7 as they did not include the subscription-manager plugin.
Comment 13 errata-xmlrpc 2020-11-04 01:05:11 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4451 https://access.redhat.com/errata/RHSA-2020:4451
Comment 14 Product Security DevOps Team 2020-11-04 02:26:32 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-14391
Comment 16 errata-xmlrpc 2021-01-26 11:12:33 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:0266 https://access.redhat.com/errata/RHSA-2021:0266