Bug 1819219 (CVE-2020-10699) - CVE-2020-10699 targetcli: world writable /var/run/targetclid.sock allows unprivileged user to execute commands
Status: CLOSED ERRATA
Alias: CVE-2020-10699
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Assignee: Red Hat Product Security
Depends On: 1819792 1819791
Blocks: 1818918
Reported: 2020-03-31 13:44 UTC by Cedric Buissart
Modified: 2020-04-30 09:32 UTC (History)

Fixed In Version: targetcli-fb 2.1.52
Doc Text:
A flaw was found in Linux, where the socket used by targetclid was world-writable. If a system enables the targetclid socket, a local attacker can use this flaw to modify the iSCSI configuration and escalate their privileges to root.
Last Closed: 2020-04-28 10:31:47 UTC


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:1933 None None None 2020-04-28 20:54:57 UTC

Description Cedric Buissart 2020-03-31 13:44:30 UTC
The targetclid daemon runs as root and provides a /var/run/targetclid.sock socket to which clients can write commands, which it will execute on their behalf. Since the socket is world-writable, any unprivileged user can write to it and targetclid will execute the commands even though the user is not privileged. Hence it crosses a privilege boundary and so is a vulnerability.

Targetclid is provided on targetcli-fb versions 2.1.50 and newer. It is however disabled by default and is not required to be enabled for targetcli to work.

Comment 8 Cedric Buissart 2020-04-01 15:35:45 UTC
Mitigation:

- Do not enable targetclid; this prevents the socket from being created
- Manually change the socket's permissions every time it is created:
$ sudo chmod 0600 /var/run/targetclid.sock
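
A check for the condition this report describes, as an added example that is not part of the original bug comments or of targetcli-fb: it reads the mode of the socket and reports whether users other than the owner can write to it. The function names are hypothetical, and `stat -c` assumes GNU coreutils or busybox.

```shell
#!/bin/sh
# Added example: audit the permissions of the targetclid socket.
# Assumes a Linux `stat` that supports -c (GNU coreutils or busybox).
SOCK_DEFAULT=/var/run/targetclid.sock   # path from the bug report

# classify_mode MODE: MODE is an octal string as printed by `stat -c %a`.
# Prints world-writable, group-writable or owner-only; returns 2 on bad input.
classify_mode() {
    case $1 in ''|*[!0-7]*) echo invalid; return 2 ;; esac
    if [ $(( 0$1 & 0002 )) -ne 0 ]; then
        echo world-writable
    elif [ $(( 0$1 & 0020 )) -ne 0 ]; then
        echo group-writable
    else
        echo owner-only
    fi
}

# audit_socket [PATH]: returns 0 if absent or owner-only, 1 if other users
# can write to the socket, 2 if PATH is not a socket or cannot be read.
audit_socket() {
    path=${1:-$SOCK_DEFAULT}
    if [ ! -e "$path" ]; then
        echo absent          # targetclid not enabled: nothing to connect to
        return 0
    fi
    if [ ! -S "$path" ]; then
        echo not-a-socket
        return 2
    fi
    mode=$(stat -c %a "$path") || return 2
    owner=$(stat -c %U "$path") || return 2
    verdict=$(classify_mode "$mode") || return 2
    echo "$verdict mode=$mode owner=$owner"
    [ "$verdict" = owner-only ] || return 1
}

# Audit the path given as the first argument, or the default from the report.
audit_socket "$@"
if [ $? -eq 1 ]; then
    echo "exposed; mitigation from the report: sudo chmod 0600 ${1:-$SOCK_DEFAULT}" >&2
fi
```

Because the socket is recreated each time targetclid starts, the check has to be repeated after every start for the manual mitigation to hold.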

Comment 9 Cedric Buissart 2020-04-02 06:43:08 UTC
External References:

https://github.com/open-iscsi/targetcli-fb/issues/162

Comment 14 Product Security DevOps Team 2020-04-02 16:32:14 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10699

Comment 15 Product Security DevOps Team 2020-04-28 10:31:47 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10699

Comment 16 Cedric Buissart 2020-04-28 16:18:50 UTC
Statement:

Red Hat Enterprise Linux versions 7, 8.0 and 8.1 are not vulnerable to this flaw, because they do not ship a version of targetcli that contains the targetclid.socket socket.
Red Hat Enterprise Linux version 8.2 is affected by this flaw.
This issue did not affect the version of targetcli shipped with Red Hat Ceph Storage 2 and 3, as the package did not include the systemd support that provides the targetclid.socket socket.

Comment 17 errata-xmlrpc 2020-04-28 20:54:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1933 https://access.redhat.com/errata/RHSA-2020:1933

