Bug 964299 (CVE-2013-2069)
| Summary: | CVE-2013-2069 livecd-tools: improper handling of passwords | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Kurt Seifried <kseifried> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | atigro, bcl, chrisw, dgregor, flanagan, jgreguske, jlieskov, lgao, madisonj, massi.ergosum, mattdm, mjc, pfrields, security-response-team, weli, whayutin |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | livecd-tools 19.3, livecd-tools 18.16, livecd-tools 17.17, livecd-tools 13.4.4 | Doc Type: | Bug Fix |
| Doc Text: |
It was discovered that when used to create images, livecd-tools gave the root user an empty password rather than leaving the password locked in situations where no 'rootpw' directive was used or when the 'rootpw --lock' directive was used within the Kickstart file, which could allow local users to gain access to the root account.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-10-20 10:39:24 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 961170, 961171, 961174, 961175, 961644, 962493, 963100, 963101, 964186, 966594, 966596 | ||
| Bug Blocks: | 961166, 961176 | ||
|
Description
Kurt Seifried
2013-05-17 19:04:02 UTC
IssueDescription: It was discovered that when used to create images, livecd-tools gave the root user an empty password rather than leaving the password locked in situations where no 'rootpw' directive was used or when the 'rootpw --lock' directive was used within the Kickstart file, which could allow local users to gain access to the root account. ExternalReferences: https://access.redhat.com/site/solutions/379353 This issue has been addressed in following products: Red Hat Common Via RHSA-2013:0849 https://rhn.redhat.com/errata/RHSA-2013-0849.html Created livecd-tools tracking bugs for this issue Affects: fedora-all [bug 966594] Affects: epel-all [bug 966596] Related Red Hat Portal Knowledgebase article: https://access.redhat.com/site/solutions/379353 Amazon Security Bulletin: https://aws.amazon.com/security/security-bulletins/red-hat-and-other-third-party-public-amis-security-concern/ livecd-tools were fixed versions 19.3, 18.16, 17.17, and 13.4.4, using the following fix: https://git.fedorahosted.org/cgit/livecd/commit/?id=d40ec8e9d8e8222196f5f7f60b38983489794a67 http://seclists.org/oss-sec/2013/q2/398 Fix for Fedora EC2 images kickstarts, and Fedora announcement: https://git.fedorahosted.org/cgit/cloud-kickstarts.git/commit/generic?id=a81eef60ed108f37747168dbfe05dd6c6484ef63 http://lists.fedoraproject.org/pipermail/announce/2013-May/003157.html On LIVE Image builded with livecd-tools 19.3 is unable to login as root and/or run LIVEINST now. (In reply to Arkady L. Shane from comment #6) > On LIVE Image builded with livecd-tools 19.3 is unable to login as root > and/or run LIVEINST now. Correct. The live kickstarts need to be modified to remove the root password. I've sent a patch for that to the spin-kickstarts list. Also, this bug is not the right place for bugs in spins. Please file a new bug against spin-kickstarts. (In reply to Brian C. Lane from comment #7) > (In reply to Arkady L. Shane from comment #6) > > On LIVE Image builded with livecd-tools 19.3 is unable to login as root > > and/or run LIVEINST now. > > Correct. The live kickstarts need to be modified to remove the root > password. I've sent a patch for that to the spin-kickstarts list. Also, this > bug is not the right place for bugs in spins. Please file a new bug against > spin-kickstarts. trick: open a console and write sudo passwd root After given passwd you can start liveinst. Manfred I have applied (well, it didn't apply cleanly any more so I just re-did it) bcl's submitted patch for fedora-live-base.ks that does 'passwd -d root' so the root account is once more accessible without a password on the Fedora live images, as is intended to be the case. If someone considers this to be problem, please speak up :) This change should only affect images that are built with the fedora-live-base.ks kickstart included, so if the 'appliance' images where this behaviour is not desired are not based off that kickstart, things should be fine. If they *are* based off that kickstart, we may need to split things out some more. Cloud images should be using kickstarts from cloud-kickstarts git repo, see comment #5. Current cloud image kickstarts both specify rootpw --lock and call passwd -l root in %post for good measure. In the primary "-cloud" kickstart file, the assumption is that you will provide an SSH key via your cloud provider's metadata service, and this is injected into the system on boot. livecd-tools-17.17-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report. livecd-tools-19.4-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report. *** Bug 961166 has been marked as a duplicate of this bug. *** |