Bug 879094 (CVE-2012-5561)

Summary: CVE-2012-5561 Katello: /etc/katello/secure/passphrase is world readable
Product: [Other] Security Response
Reporter: Kurt Seifried <kseifried>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: bkearney, cpelland, daviddavis, gkhachik, jomara, katello-bugs, mmccune, omaciel, security-response-team, sthirugn
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=moderate,public=20130103,reported=20121121,source=redhat,cvss2=2.1/AV:L/AC:L/Au:N/C:P/I:N/A:N,sam-1/katello=affected
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2013-04-23 09:17:23 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Bug Depends On: 878888, 888941, 908429
Bug Blocks: 879097, 883745, 892883, 906638

Description Kurt Seifried 2012-11-21 22:27:57 EST
Aaron Weitekamp (aweiteka@redhat.com) reports:

Description of problem:
/etc/katello/secure/passphrase is world readable. File and directory should be secured.
[root@qeblade40 ~]# ls -la /etc/katello/secure
total 12
drwxr-xr-x. 2 root root 4096 Nov 13 09:11 .
drwxr-xr-x. 3 root root 4096 Nov 14 11:22 ..
-rw-r--r--. 1 root root   65 Nov 13 09:11 passphrase
[root@qeblade40 ~]# rpm -qf /etc/katello/secure
katello-selinux-1.1.1-2.el6cf.noarch
[root@qeblade40 ~]# rpm -qf /etc/katello/secure/passphrase
file /etc/katello/secure/passphrase is not owned by any package


Version-Release number of selected component (if applicable):
1.1
[root@qeblade40 ~]# rpm -qa |grep katello
katello-cli-1.1.8-12.el6cf.noarch
katello-1.1.12-22.el6cf.noarch
katello-qpid-broker-key-pair-1.0-1.noarch
katello-certs-tools-1.1.8-1.el6cf.noarch
katello-candlepin-cert-key-pair-1.0-1.noarch
katello-glue-pulp-1.1.12-22.el6cf.noarch
katello-all-1.1.12-22.el6cf.noarch
katello-cli-common-1.1.8-12.el6cf.noarch
katello-glue-candlepin-1.1.12-22.el6cf.noarch
katello-selinux-1.1.1-2.el6cf.noarch
katello-qpid-client-key-pair-1.0-1.noarch
katello-common-1.1.12-22.el6cf.noarch
katello-configure-1.1.9-12.el6cf.noarch


Steps to Reproduce:
1. `ls -la /etc/katello/secure`
2. `rpm -qf /etc/katello/secure`
  
Actual results:
File and directory are world readable
Comment 1 Kurt Seifried 2012-11-21 22:29:03 EST
/etc/katello/secure/passphrase is created by:

/usr/share/katello/script/katello-generate-passphrase

which is a bash script, specifically at the end:

-----
FILE=/etc/katello/secure/passphrase
[ $FORCE -eq 0 -a -f $FILE ] && \
  echo "Passphrase file was already generated, you can only generate once" && exit 1
PASS=$(</dev/urandom tr -dc A-Za-z0-9 | head -c 64)
echo "$PASS" > $FILE
-----
Comment 3 Kurt Seifried 2012-12-19 23:58:09 EST
Acknowledgements:

This issue was discovered by Aaron Weitekamp of the Red Hat Cloud Quality Engineering team.
Comment 4 Jordan OMara 2013-01-03 17:02:30 EST
Fixing this by creating a "katello_shared" group that users tomcat & katello are added to. This file is then made group readable. Example:

[root@cersei ~]# ll /etc/katello
total 52
...
drwxr-x---. 2 root    katello_shared 4096 Jan  3 16:48 secure
..
[root@cersei ~]# ll /etc/katello/secure
total 4
-rw-rw----. 1 root katello_shared 65 Jan  3 16:48 passphrase

pull request submitted upstream: https://github.com/Katello/katello/pull/1349
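The cause quoted in Comment 1 (the generator writes the file under the caller's umask, so it is born 0644) and the fix described in Comment 4 (a shared group instead of world access) can be shown together in one script. The following is an added example written for this page; it is not Katello's katello-generate-passphrase and not the code from the upstream pull request. It assumes GNU or BSD `ls` column layout (the "other" permission bits in columns 8-10), takes the target path from the caller (the real file is /etc/katello/secure/passphrase), and uses the group name katello-shared from the bug; when not run as root, or when that group does not exist, it keeps owner-only access instead of failing.

```shell
#!/bin/sh
# Added example, not Katello's own script: create the passphrase file restrictively
# from the first write, hand it to a shared group when possible, and audit the mode.

# generate_passphrase FILE [GROUP]
# Writes 64 alphanumeric characters plus a newline (65 bytes, as in the bug's ls
# output) to FILE. Refuses to overwrite an existing file. Non-zero on any failure.
generate_passphrase() {
    file=$1
    group=${2:-}
    dir=$(dirname "$file")
    if [ -f "$file" ]; then
        echo "Passphrase file was already generated, you can only generate once" >&2
        return 1
    fi
    # The original script inherited the caller's umask (typically 022), so the file
    # was created 0644. Writing inside a subshell under umask 077 creates the
    # directory 0700 and the file 0600: there is never a world-readable window
    # that a later chmod has to close.
    (
        umask 077
        mkdir -p "$dir" || exit 1
        pass=$(LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 64)
        [ "${#pass}" -eq 64 ] || exit 1
        printf '%s\n' "$pass" > "$file"
    ) || return 1
    # Only root can give the file to the shared group (the bug's fix: group
    # katello-shared containing tomcat and katello). Unprivileged runs, e.g. a
    # test, keep owner-only access rather than failing.
    if [ -n "$group" ] && [ "$(id -u)" -eq 0 ] && getent group "$group" >/dev/null 2>&1; then
        chgrp "$group" "$dir" "$file" && chmod 0750 "$dir" && chmod 0640 "$file"
    fi
}

# check_not_world_readable PATH
# Returns 0 when the "other" permission bits of PATH are all clear, which is what
# the verified output in the bug shows (drwxr-x--- and -rw-rw----), 1 otherwise.
# Assumes ls -l layout: columns 8-10 of the mode string are the "other" bits.
check_not_world_readable() {
    other=$(ls -ld "$1" 2>/dev/null | cut -c8-10) || return 1
    [ "$other" = "---" ]
}

# Usage (as root, after creating the group):
#   generate_passphrase /etc/katello/secure/passphrase katello-shared
#   check_not_world_readable /etc/katello/secure/passphrase && echo ok
```

The audit function is the part worth keeping around: the `rpm -qf` output in the description shows the file is not owned by any package, so package verification (`rpm -V`) will never flag its mode, and an explicit check of the "other" bits on both the file and its directory is the only thing that catches a regression like the one in Comment 6.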
Comment 5 Kurt Seifried 2013-01-06 01:01:07 EST
Just to confirm, katello_shared has been changed to katello-shared (hyphen instead of underscore) which is the more normal case.
Comment 6 Og Maciel 2013-01-31 14:50:59 EST
[root@tigger ~]# ll /etc/katello | grep secure
drwxr-xr-x. 2 root    root    4096 Jan 31 12:29 secure
[root@tigger ~]# ll /etc/katello/secure
total 4
-rw-r--r--. 1 root root 65 Jan 31 12:29 passphrase
[root@tigger ~]# grep katello /etc/group
katello:x:182:tomcat,qpidd,apache
Comment 7 Og Maciel 2013-01-31 14:53:51 EST
CFSE 1.1.2:

* candlepin-0.7.19-3.el6cf.noarch
* candlepin-selinux-0.7.19-3.el6cf.noarch
* candlepin-tomcat6-0.7.19-3.el6cf.noarch
* elasticsearch-0.18.4-11.el6.noarch
* katello-1.1.12.2-1.el6cf.noarch
* katello-all-1.1.12.2-1.el6cf.noarch
* katello-candlepin-cert-key-pair-1.0-1.noarch
* katello-certs-tools-1.1.8-1.el6cf.noarch
* katello-cli-1.1.8-14.el6cf.noarch
* katello-cli-common-1.1.8-14.el6cf.noarch
* katello-common-1.1.12.2-1.el6cf.noarch
* katello-configure-1.1.9-13.el6cf.noarch
* katello-glue-candlepin-1.1.12.2-1.el6cf.noarch
* katello-glue-pulp-1.1.12.2-1.el6cf.noarch
* katello-qpid-broker-key-pair-1.0-1.noarch
* katello-qpid-client-key-pair-1.0-1.noarch
* katello-selinux-1.1.1-2.el6cf.noarch
* pulp-1.1.15-1.el6cf.noarch
* pulp-common-1.1.15-1.el6cf.noarch
* pulp-selinux-server-1.1.15-1.el6cf.noarch
Comment 8 Og Maciel 2013-01-31 15:01:06 EST
2013-01-31 14:53:14 < jomara> omaciel: hmm, what version of the software? where?
2013-01-31 14:53:57 < omaciel> jomara: https://bugzilla.redhat.com/show_bug.cgi?id=879094#c7
2013-01-31 14:54:32 < jomara> * candlepin-0.7.19-3.el6cf.noarch
2013-01-31 14:54:40 < jomara> aint that old
2013-01-31 14:54:53 < omaciel> it's what we're shipping with 1.1.2
2013-01-31 14:55:03 < jomara> ok
2013-01-31 14:55:07 < jomara> well, that shouldnt matter really
2013-01-31 14:55:22 < jomara> katello-selinux-1.2.1-2h.el6_3            sam-1.2-rhel-6-candidate  jomara
2013-01-31 14:55:28 < jomara> * katello-selinux-1.1.1-2.el6cf.noarch
2013-01-31 14:55:30 < jomara> THERES THE BOTTLENECK
2013-01-31 14:56:08 < omaciel> jomara: do we have the wrong version of katello-selinux?
2013-01-31 14:56:12 < jomara> yes
2013-01-31 14:56:13 < jomara> you do
Comment 10 sthirugn@redhat.com 2013-02-06 11:21:57 EST
Verified in version:
* candlepin-0.7.23-1.el6_3.noarch
* candlepin-cert-consumer-cloud-qe-8.idm.lab.bos.redhat.com-1.0-1.noarch
* candlepin-tomcat6-0.7.23-1.el6_3.noarch
* elasticsearch-0.19.9-5.el6_3.noarch
* katello-candlepin-cert-key-pair-1.0-1.noarch
* katello-certs-tools-1.2.1-1h.el6_3.noarch
* katello-cli-1.2.1-12h.el6_3.noarch
* katello-cli-common-1.2.1-12h.el6_3.noarch
* katello-common-1.2.1-15h.el6_3.noarch
* katello-configure-1.2.3-3h.el6_3.noarch
* katello-glue-candlepin-1.2.1-15h.el6_3.noarch
* katello-headpin-1.2.1-15h.el6_3.noarch
* katello-headpin-all-1.2.1-15h.el6_3.noarch
* katello-selinux-1.2.1-2h.el6_3.noarch
* thumbslug-0.0.28-1.el6_3.noarch
* thumbslug-selinux-0.0.28-1.el6_3.noarch

Output:
# ll /etc/katello|grep secure
drwxr-x---. 2 root    katello-shared 4096 Feb  6 10:23 secure

# ll /etc/katello/secure
total 4
-rw-rw----. 1 root katello-shared 65 Jan 28 16:09 passphrase

# grep katello /etc/group
katello:x:182:tomcat,apache,thumbslug
katello-shared:x:496:katello,tomcat
Comment 16 errata-xmlrpc 2013-02-21 14:06:50 EST
This issue has been addressed in the following products:

  CloudForms for RHEL 6

Via RHSA-2013:0547 https://rhn.redhat.com/errata/RHSA-2013-0547.html
Comment 17 errata-xmlrpc 2013-02-21 14:20:13 EST
This issue has been addressed in the following products:

  Red Hat Subscription Asset Manager 1.2

Via RHSA-2013:0544 https://rhn.redhat.com/errata/RHSA-2013-0544.html