Bug 1873093 (CVE-2020-14391)
Summary: | CVE-2020-14391 gnome-settings-daemon: Red Hat Customer Portal password logged and passed as command line argument when user registers through GNOME control center | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Marian Rehak <mrehak> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | unspecified | CC: | cgarnach, fmuellner, gnome-sig, mclasen, mkasik, ofourdan, rschiron, rstrode, security-response-team, tiagomatos, yaneti |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value |
Doc Text: | A flaw was found in the GNOME Control Center, where it improperly uses Red Hat Customer Portal credentials when a user registers a system through the GNOME Settings User Interface. This flaw allows a local attacker to discover the Red Hat Customer Portal password. The highest threat from this vulnerability is to confidentiality. | | |
Story Points: | --- | | |
Clone Of: | | Environment: | |
Last Closed: | 2020-11-04 02:26:32 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 1872457, 1874918 | | |
Bug Blocks: | 1873098 | | |
Description
Marian Rehak
2020-08-27 11:04:20 UTC
When registering a Red Hat system to Red Hat Subscription Manager with the UI provided through GNOME Control Center, the Red Hat Customer Portal password provided by the user is passed as an argument to the gnome-settings-daemon helper. The command is logged on the system, password included, which is not a good practice. Those logs could only be read by other admin users, but at the same time it could still be possible for a local unprivileged user to see the command being executed and find out the password to the Red Hat Customer Portal. As the subscription of a Red Hat system is usually an operation performed at installation time, before any untrusted user has the chance to have access to the system, the likelihood of this flaw being abused is considered low.

Mitigation: Use `subscription-manager` directly from the terminal and do not use the `--password` flag.

Statement: This issue did not affect the versions of gnome-settings-daemon as shipped with Red Hat Enterprise Linux 6 and 7, as they did not include the subscription-manager plugin.

This issue has been addressed in the following products: Red Hat Enterprise Linux 8. Via RHSA-2020:4451 https://access.redhat.com/errata/RHSA-2020:4451

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-14391

This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support. Via RHSA-2021:0266 https://access.redhat.com/errata/RHSA-2021:0266
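As an added example (not code from gnome-settings-daemon or subscription-manager), the Python below shows the defensive side of the pattern described above: a helper that launches or records commands can detect a credential sitting on argv, scrub it before the command reaches a log, and hand the secret to the child over stdin instead of the command line. The flag list, the sample journal lines and the stdin-echo child are constructed assumptions.

```python
"""Detect, scrub and avoid credentials passed on a command line (the CVE-2020-14391 pattern).
Hypothetical helper code, not gnome-settings-daemon's or subscription-manager's own: an argv
element is readable by any local user via /proc/<pid>/cmdline and lands verbatim in command logs."""
import shlex
import subprocess
import sys

# Constructed list of flags whose value is a secret, given as "--flag value" or "--flag=value".
SECRET_FLAGS = {"--password", "-p", "--token"}
MASK = "********"

def redact_argv(argv):
    """Return a copy of argv with every secret value replaced by MASK."""
    out, hide_next = [], False
    for arg in argv:
        flag, sep, _ = arg.partition("=")
        if hide_next:                       # value following a bare "--password"
            out.append(MASK)
            hide_next = False
        elif flag in SECRET_FLAGS and sep:  # "--password=hunter2"
            out.append(f"{flag}={MASK}")
        elif flag in SECRET_FLAGS:          # "--password hunter2": hide the next token
            out.append(arg)
            hide_next = True
        else:
            out.append(arg)
    return out

def argv_leaks_secret(argv):
    """True when argv carries a secret that /proc or a command log would expose."""
    return redact_argv(argv) != list(argv)

def scrub_log_lines(lines):
    """Scrub the recorded command in each log line; lines without secrets pass through unchanged."""
    scrubbed = []
    for line in lines:
        tokens = shlex.split(line)
        scrubbed.append(" ".join(redact_argv(tokens)) if argv_leaks_secret(tokens) else line)
    return scrubbed

def run_with_secret_on_stdin(argv, secret):
    """Hardened pattern: keep argv clean and hand the secret to the child over a pipe."""
    proc = subprocess.run(argv, input=secret.encode(), capture_output=True, check=True)
    return proc.stdout.decode()

# Constructed sample: a journal line recording the helper invocation, password included.
SAMPLE_LOG = ["gsd-subman[1234]: subscription-manager register --username alice --password hunter2",
              "gsd-subman[1234]: registration succeeded"]
# Constructed stand-in for a helper that reads its credential from stdin and echoes it back.
ECHO_STDIN = [sys.executable, "-c", "import sys; print(sys.stdin.read())"]
```

The scrubbing is a logging safeguard only; the secret is still visible in the process table for as long as the child runs, which is why the stdin path is the actual fix.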