Bug 1101311 - sosreport password disclosure - grub.conf md5 hashed password
Summary: sosreport password disclosure - grub.conf md5 hashed password
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sos
Version: 6.4
Hardware: All
OS: All
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Bryn M. Reeves
QA Contact: David Kutálek
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-05-26 18:59 UTC by Dolev Farhi
Modified: 2014-10-14 07:23 UTC (History)

Fixed In Version: sos-2.2-57.el6
Doc Type: Bug Fix
Doc Text:
Cause: Previous versions of sos did not elide passwords or password hashes in the grub.conf bootloader configuration file. Consequence: Passwords or password hashes contained in these files could be disclosed to the recipient of an sos report archive. Fix: The sos command now redacts passwords and password hashes contained in this file. Result: No password material is contained in the generated report archive.
Clone Of:
Environment:
Last Closed: 2014-10-14 07:23:21 UTC
Target Upstream Version:
Embargoed:

Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2014:1528 0 normal SHIPPED_LIVE sos bug fix and enhancement update 2014-10-14 01:22:00 UTC

Description Dolev Farhi 2014-05-26 18:59:23 UTC
Description of problem:

Password disclosure in grub.conf by using sosreport.

A similar vulnerability was found in sosreport before; the CVE
for that issue is CVE-2012-2664.
Some information can be found here:
http://packetstormsecurity.com/files/cve/CVE-2012-2664

"The sosreport utility in the Red Hat sos package before 2.2-29 does
not remove the root user password information from the Kickstart
configuration file (/root/anaconda-ks.cfg) when creating an archive of
debugging information, which might allow attackers to obtain passwords
or password hashes."

Well, basically the same issue, just this time it's the grub.conf file: the
md5 password hash is backed up just like the Kickstart file in
CVE-2012-2664. If the system has grub password protection, the
password hash will be backed up by sosreport and be subject to an attack.

In CVE-2012-2664 the hash was simply removed, with some
random *WE REMOVED THIS* comment instead of the hash, so I don't see
much of a difference here.

Version-Release number of selected component (if applicable):
Any, but I used RHEL 6.4

How reproducible:
Protect grub with a password, preferably with the md5-grub-crypt tool, and
run sosreport; the file will eventually be in the tarball. In the worst
case scenario it will simply be copied to /tmp, accessible by anyone.

Expected results:
Remove the password hash of grub from the sosreport compressed tarball.

Comment 2 Bryn M. Reeves 2014-06-02 15:07:41 UTC
The RHEL6-relevant part of this (grub1) is now fixed upstream:

commit 6501013bb780161e941f5e078a6ed7052f670a51
Author: Bryn M. Reeves <bmr>
Date:   Mon Jun 2 15:27:10 2014 +0100

    Make sure grub password regex handles all cases


commit 23182c4f13fbadc9b7c2ab75c1ca249d5ba987d1
Author: Bryn M. Reeves <bmr>
Date:   Mon Jun 2 14:55:03 2014 +0100

    Elide bootloader password in grub plugin


Backporting this to sos-2.2 will also need the following commits to be cherry-picked:

commit 5447facd2edd3b3e5f1d3ad736b411f8e6406077
Author: Bryn M. Reeves <bmr>
Date:   Mon Jun 2 14:51:16 2014 +0100

    Make do_path_regex_sub() honour string regex arguments
    
    The Plugin.do_path_regex_sub() method to apply regex substitutions
    to paths matching a pattern documents that it accepts either a
    compiled re object or a regular expression as a string:
    
        '''Apply a regexp substitution to a set of files archived by
        sos. The set of files to be substituted is generated by matching
        collected file pathnames against pathexp which may be a regular
        expression string or compiled re object. The portion of the file
        to be replaced is specified via regexp and the replacement string
        is passed in subst.'''
    
    It lies. Attempting to pass a string for the 'pathexp' parameter
    will result in:
    
        Traceback (most recent call last):
          File "/usr/sbin/sosreport", line 23, in <module>
            main(sys.argv[1:])
          File "/usr/lib/python2.6/site-packages/sos/sosreport.py", line 1229, in main
            sos.execute()
        AttributeError: 'str' object has no attribute 'match'
    
        > /usr/lib/python2.6/site-packages/sos/plugins/__init__.py(219)do_path_regex_sub()
        -> match = pathexp.match
    
    Look to see if the object we are passed has a 'match()' method and
    call re.compile on it if it does not.
    
    Signed-off-by: Bryn M. Reeves <bmr>



commit 6e8c0429cf4cbba8f3dc8001f36d7fb0e245c14e
Author: Bryn M. Reeves <bmr>
Date:   Thu Apr 3 21:22:50 2014 +0100

    Add Plugin.do_path_regex_sub()
    
    Add a method to the Plugin class to apply a regex substitution
    to a set of paths matching a path regex. For example:
    
        self.do_path_regex_sub(r'/etc/foo.*', 'pw=(.*)', 'pw=****')
    
    The oVirt plugin will use this.
    
    Signed-off-by: Bryn M. Reeves <bmr>
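The two fixes described in this comment, as an added illustration that is not sos's own code: a `do_path_regex_sub()`-style helper that accepts either a string or a compiled pattern for the path expression (the `match()` check from commit 5447fac), applied to a constructed set of collected files to redact grub1 `password` directives. The regex and the sample grub.conf contents are this example's own; it also covers the plain-text and `--encrypted` forms of the directive, which the page does not discuss.

```python
import re

# Constructed stand-in for files an sos run collected (fake contents, fake hash).
COLLECTED = {
    "/boot/grub/grub.conf": (
        "default=0\n"
        "timeout=5\n"
        "password --md5 $1$abcd$ThisIsAConstructedFakeHash0\n"
        "title Red Hat Enterprise Linux\n"
        "        root (hd0,0)\n"
    ),
    "/etc/grub.conf": "password plaintextsecret /boot/grub/other.conf\n",
    "/etc/hosts": "127.0.0.1 localhost\n",
}

# grub1 'password' directive: optional --md5/--encrypted flag, the secret,
# and an optional trailing alternate config file. This pattern is the
# example's own, not the one shipped in sos.
GRUB_PASSWORD_RE = re.compile(
    r"^(\s*password\s+(?:--(?:md5|encrypted)\s+)?)(\S+)(.*)$", re.MULTILINE
)


def do_path_regex_sub(files, pathexp, regexp, subst):
    """Apply re.sub(regexp, subst) to every file whose path matches pathexp.

    pathexp may be a compiled pattern or a plain string. As in the upstream
    fix, compile it unless the object already provides a match() method,
    so callers can pass either form without hitting AttributeError.
    """
    if not hasattr(pathexp, "match"):
        pathexp = re.compile(pathexp)
    changed = []
    for path, content in files.items():
        if pathexp.match(path):
            redacted = re.sub(regexp, subst, content)
            if redacted != content:
                files[path] = redacted
                changed.append(path)
    return changed


def redact_grub_passwords(files):
    """Replace the secret in every grub password directive, keeping the
    directive shape (flag and optional config path) so the line stays readable."""
    return do_path_regex_sub(files, r".*/grub\.conf$", GRUB_PASSWORD_RE,
                             r"\1********\3")
```

`redact_grub_passwords(COLLECTED)` returns the list of paths that were modified, which is a convenient hook for a post-collection check that no `$1$` material survives in the archive.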

Comment 3 Bryn M. Reeves 2014-06-23 13:12:35 UTC
commit de5e07bbf1afa2ff33296379becfdbad35525dc8
Author: Bryn M. Reeves <bmr>
Date:   Mon Jun 23 15:47:17 2014 +0100

    [bootloader] elide bootloader password

Comment 6 errata-xmlrpc 2014-10-14 07:23:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1528.html

