Bug 2258396 (CVE-2024-23301)
Summary: | CVE-2024-23301 rear: creates a world-readable initrd
---|---
Product: | [Other] Security Response
Reporter: | Rohit Keshri <rkeshri>
Component: | vulnerability
Assignee: | Product Security <prodsec-ir-bot>
Status: | NEW
Severity: | medium
Priority: | medium
Version: | unspecified
CC: | pcahyna
Keywords: | Security
Hardware: | All
OS: | Linux
Doc Type: | If docs needed, set a value
Doc Text: | A vulnerability has been identified in Relax-and-Recover (ReaR), where the use of GRUB_RESCUE=y results in the creation of an initrd that is readable by anyone. This flaw could potentially enable local attackers to obtain access to system secrets that are typically restricted to root privileges.
Bug Depends On: | 2258397
Bug Blocks: | 2258395

Description
Rohit Keshri
2024-01-15 05:05:40 UTC
Created rear tracking bugs for this issue:

Affects: fedora-all [bug 2258397]

Hello,

should it be Severity: high? Note that GRUB_RESCUE=y is not the default, and even if one sets it, I believe that the default initrd created by ReaR does not contain secrets, as ReaR has SSH_FILES='avoid_sensitive_files' and SSH_UNPROTECTED_PRIVATE_KEYS='no' set by default.

Regards, Pavel

N.B. to examine what files are in the initrd, you can run "rear -d mkrescue" and examine the rootfs directory under ReaR's temporary directory (/tmp/rear.* or /var/tmp/rear.* depending on version).

https://github.com/rear/rear/commit/89b61793d80bc2cb2abe47a7d0549466fb087d16

A moderate security concern has been identified in Relax-and-Recover (ReaR), particularly when the non-default configuration GRUB_RESCUE=y is used within Red Hat Enterprise Linux (RHEL). This setting results in the creation of a world-readable initrd, potentially providing local attackers an avenue to access system secrets usually restricted to root privileges. It's worth noting that the default initrd created by ReaR does not contain secrets.

This issue has been addressed in the following products:

Red Hat Enterprise Linux 9

Via RHSA-2024:1147 https://access.redhat.com/errata/RHSA-2024:1147

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2024:1719 https://access.redhat.com/errata/RHSA-2024:1719
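
A defender-side check for the condition discussed in this bug, as an added example that is not part of the bug report or of ReaR: it lists initrd-like files that "other" can read and flags secret-looking files in the unpacked rootfs directory that the N.B. above describes. The `/boot` default, the `*initrd*` name pattern, the function names and the fixture are assumptions, and it expects GNU find and grep.

```bash
#!/usr/bin/env bash
# Added audit example, not ReaR code. /boot and *initrd* are assumptions;
# pass the paths your ReaR version actually uses.

# List initrd-like files in a boot directory that "other" can read.
world_readable_images() {
    local dir="${1:-/boot}" pattern="${2:-*initrd*}"
    find "$dir" -maxdepth 1 -type f -name "$pattern" -perm -004 | sort
}

# List files in an unpacked rescue rootfs that look like secrets:
# private keys, or a shadow file holding at least one real password hash.
secret_candidates() {
    (
        cd "$1" || exit 1
        grep -rlaE -e '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' . |
            sed 's|^\./|private-key |'
        find . -type f -name shadow -exec grep -lE '^[^:]+:\$[^:]+:' {} + |
            sed 's|^\./|password-hash |'
    ) | sort
}

# Report on an image directory ($1) and, optionally, an unpacked rootfs ($2).
# Returns 1 when a world-readable image exists, 0 otherwise.
audit() {
    local images
    images=$(world_readable_images "$1")
    if [ -z "$images" ]; then
        echo "OK: no world-readable initrd in $1"
        return 0
    fi
    echo "World-readable (restrict with chmod 0600):"
    echo "$images"
    if [ -n "${2:-}" ]; then
        echo "Secret-looking files inside $2:"
        secret_candidates "$2"
    fi
    return 1
}

# Constructed fixture for trying the functions without touching a real system.
make_fixture() {
    local t; t=$(mktemp -d)
    mkdir -p "$t/boot" "$t/rootfs/etc/ssh"
    : > "$t/boot/demo-initrd.img";  chmod 0644 "$t/boot/demo-initrd.img"
    : > "$t/boot/other-initrd.img"; chmod 0600 "$t/boot/other-initrd.img"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' > "$t/rootfs/etc/ssh/demo_key"
    printf '%s\n' 'root:$6$constructed$hash:19000:0:99999:7:::' > "$t/rootfs/etc/shadow"
    echo "$t"
}
```

On a real system, call `audit /boot /path/to/rootfs` with the rootfs directory left behind by "rear -d mkrescue"; a clean secret scan does not make the world-readable mode acceptable, it only bounds what was exposed.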