The targetclid daemon runs as root and provides a socket, /var/run/targetclid.sock, to which clients can write commands that it executes on their behalf. Because the socket is world-writable, any unprivileged user can write to it, and targetclid will execute the commands even though the user is not privileged. This crosses a privilege boundary and is therefore a vulnerability.
Targetclid is provided in targetcli-fb versions 2.1.50 and newer. It is, however, disabled by default and does not need to be enabled for targetcli to work.
Upstream fix :
- Do not enable targetclid; this prevents the socket from being created
- Manually change the socket's permissions every time it is created:
$ sudo chmod 0600 /var/run/targetclid.sock
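An added check, not part of the original report or of targetcli-fb: it classifies who can write to the socket file, which on Linux is the permission a process needs to connect to a Unix socket. The function name, the result labels and the `trusted_uid` parameter are assumptions made for this example.

```python
import os
import stat

SOCK_PATH = "/var/run/targetclid.sock"  # path given in the report


def audit_socket(path=SOCK_PATH, trusted_uid=0):
    """Return a label describing who can send commands to the socket.

    trusted_uid is the only account expected to own the socket
    (root for targetclid); it is a parameter so the check can be
    exercised without root.
    """
    try:
        st = os.lstat(path)  # lstat: do not follow a planted symlink
    except FileNotFoundError:
        return "absent"  # daemon not enabled, nothing to connect to
    if not stat.S_ISSOCK(st.st_mode):
        return "not-a-socket"
    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IWOTH:
        return "world-writable"  # the condition described in the report
    if mode & stat.S_IWGRP:
        return "group-writable"  # members of the owning group can connect
    if st.st_uid != trusted_uid:
        return "untrusted-owner"
    return "restricted"  # owner-only, e.g. after chmod 0600


if __name__ == "__main__":
    result = audit_socket()
    print(f"{SOCK_PATH}: {result}")
    # Non-zero exit lets a cron job or monitoring agent alert on exposure.
    raise SystemExit(0 if result in ("absent", "restricted") else 1)
```

Because the socket is recreated each time the service starts, the check is only meaningful when repeated after every start, as with the manual chmod.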
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
Red Hat Enterprise Linux versions 7, 8.0 and 8.1 are not vulnerable to this flaw, because they do not ship a version of targetcli that contains the targetclid.socket socket.
Red Hat Enterprise Linux version 8.2 is affected by this flaw.
This issue did not affect the version of targetcli shipped with Red Hat Ceph Storage 2 and 3, as the package did not include the systemd support that provides the targetclid.socket socket.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2020:1933 https://access.redhat.com/errata/RHSA-2020:1933