Bug 2258396 (CVE-2024-23301)

Summary: CVE-2024-23301 rear: creates a world-readable initrd
Product: [Other] Security Response
Reporter: Rohit Keshri <rkeshri>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: pcahyna
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Text:
A vulnerability has been identified in Relax-and-Recover (ReaR), where the use of GRUB_RESCUE=y results in the creation of an initrd that is readable by anyone. This flaw could potentially enable local attackers to obtain access to system secrets that are typically restricted to root privileges.
Story Points: ---
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 2258397
Bug Blocks: 2258395

Description Rohit Keshri 2024-01-15 05:05:40 UTC
Relax-and-Recover (aka ReaR) through 2.7 creates a world-readable initrd when using GRUB_RESCUE=y. This allows local attackers to gain access to system secrets otherwise only readable by root.

https://github.com/rear/rear/issues/3122
https://github.com/rear/rear/pull/3123

Comment 1 Rohit Keshri 2024-01-15 05:07:11 UTC
Created rear tracking bugs for this issue:

Affects: fedora-all [bug 2258397]

Comment 3 Pavel Cahyna 2024-01-15 10:46:27 UTC
Hello,

should it be Severity: high? Note that GRUB_RESCUE=y is not the default, and even if one sets it, I believe that the default initrd created by ReaR does not contain secrets, as ReaR has SSH_FILES='avoid_sensitive_files' and SSH_UNPROTECTED_PRIVATE_KEYS='no' set by default.

Regards, Pavel

Comment 4 Pavel Cahyna 2024-01-15 10:48:47 UTC
N.B. to examine what files are in the initrd, you can run "rear -d mkrescue" and examine the rootfs directory under ReaR's temporary directory (/tmp/rear.* or /var/tmp/rear.* depending on version).
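
Alongside inspecting the rootfs contents as described in Comment 4, an administrator can check the other half of this issue, the file mode of the installed rescue initrd. The following shell function is an added example, not part of the bug report or of ReaR; it lists regular files under a directory that are readable by "other", and the directory and file names it creates are constructed for demonstration (the real name and location of the GRUB rescue initrd depend on the ReaR configuration).

```shell
#!/bin/sh
# Added example: report world-readable regular files under a directory.
# This is the condition CVE-2024-23301 describes for the rescue initrd
# that ReaR installs when GRUB_RESCUE=y is set.
# Prints matching paths (sorted), one per line.
# Returns 0 when none are found, 1 when at least one is world-readable.
world_readable_files() {
    # -perm -004 matches files whose mode includes the "other read" bit
    _list=$(find "$1" -type f -perm -004 2>/dev/null | sort)
    if [ -z "$_list" ]; then
        return 0
    fi
    printf '%s\n' "$_list"
    return 1
}

# Constructed demonstration directory standing in for /boot (assumption:
# file names are illustrative and not ReaR's actual output names).
demo_dir=$(mktemp -d)
printf 'rescue' > "$demo_dir/rear-initrd.cgz"
chmod 0644 "$demo_dir/rear-initrd.cgz"   # world-readable: the reported flaw
printf 'kernel' > "$demo_dir/rear-kernel"
chmod 0600 "$demo_dir/rear-kernel"       # root-only: the expected state

if world_readable_files "$demo_dir"; then
    echo "no world-readable files under $demo_dir"
else
    echo "world-readable files found under $demo_dir (listed above)"
fi
rm -rf "$demo_dir"
```

Point the function at the directory holding the rescue initrd on a real system; an empty result means the fix (a root-only initrd) is in effect for those files.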

Comment 5 Sandipan Roy 2024-01-19 12:27:38 UTC
https://github.com/rear/rear/commit/89b61793d80bc2cb2abe47a7d0549466fb087d16

A moderate security concern has been identified in Relax-and-Recover (ReaR), particularly when the non-default configuration GRUB_RESCUE=y is used within Red Hat Enterprise Linux (RHEL). This setting results in the creation of a world-readable initrd, potentially providing local attackers an avenue to access system secrets usually restricted to root privileges. It's worth noting that the default initrd created by ReaR does not contain secrets.

Comment 6 errata-xmlrpc 2024-03-05 18:12:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:1147 https://access.redhat.com/errata/RHSA-2024:1147

Comment 8 errata-xmlrpc 2024-04-09 14:19:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:1719 https://access.redhat.com/errata/RHSA-2024:1719