Bug 1873093 (CVE-2020-14391) - CVE-2020-14391 gnome-settings-daemon: Red Hat Customer Portal password logged and passed as command line argument when user registers through GNOME control center
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-14391
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1872457 1874918
Blocks: 1873098
Reported: 2020-08-27 11:04 UTC by Marian Rehak
Modified: 2021-02-16 19:24 UTC (History)
CC: 11 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the GNOME Control Center, where it improperly uses Red Hat Customer Portal credentials when a user registers a system through the GNOME Settings User Interface. This flaw allows a local attacker to discover the Red Hat Customer Portal password. The highest threat from this vulnerability is to confidentiality.
Clone Of:
Environment:
Last Closed: 2020-11-04 02:26:32 UTC
Embargoed:

Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:4451 0 None None None 2020-11-04 01:05:14 UTC
Red Hat Product Errata RHSA-2021:0266 0 None None None 2021-01-26 11:12:37 UTC

Description Marian Rehak 2020-08-27 11:04:20 UTC
When registering a system through GNOME Control Center, the Red Hat Customer Portal password gets sent to the system log and is passed as an argument to a gnome-settings-daemon helper, making it readable by an unprivileged local user.

Comment 2 Riccardo Schirone 2020-09-07 15:52:25 UTC
When registering a Red Hat system to Red Hat Subscription Manager with the UI provided through GNOME Control Center, the Red Hat Customer Portal password provided by the user is passed as an argument to the gnome-settings-daemon helper. The command is logged on the system, password included, which is not a good practice. However, those logs could only be read by other admin users, but at the same time it could still be possible for a local unprivileged user to see the command being executed and find out the password to the Red Hat Customer Portal.

Comment 3 Riccardo Schirone 2020-09-07 15:58:05 UTC
As the subscription of a Red Hat system is usually an operation performed at installation time, before any untrusted user has the chance to have access to the system, the likelihood of this flaw being abused is considered low.

Comment 7 Riccardo Schirone 2020-09-08 08:35:28 UTC
Mitigation:

Use `subscription-manager` directly from the terminal and do not use the `--password` flag.
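The mitigation above rests on one property of the host: whatever a process puts in its argv is visible to every local user through `/proc/<pid>/cmdline` and `ps`, so a `--password` argument is effectively public. The script below is an added example, not part of this bug report or of gnome-settings-daemon or subscription-manager; it is a defender-side audit check that reports command lines carrying a `--password` argument with the value redacted, so the report itself does not repeat the secret. The sample command lines and the helper path in them are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the bug report): audit command lines for
# password-bearing arguments. Anything in argv is world-readable on the
# host, so such a line is a credential exposure regardless of file
# permissions on the logs.

# Read command lines (one per line) on stdin and print those carrying a
# --password argument, replacing the value with *** in both the
# "--password=VALUE" and "--password VALUE" forms.
redact_password_args() {
    sed -n -E \
        -e 's/(--password[= ])[^ ]*/\1***/g' \
        -e '/--password/p'
}

# Walk the live process table. /proc/<pid>/cmdline is NUL-separated, so
# translate NULs to spaces first. Returns 1 if any match was found, so the
# function can serve as a periodic audit check (e.g. from cron).
scan_running_processes() {
    found=$(
        for f in /proc/[0-9]*/cmdline; do
            tr '\000' ' ' < "$f" 2>/dev/null
            echo
        done | redact_password_args
    )
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Constructed sample input standing in for captured command lines. The
# helper path is a placeholder, not the real gnome-settings-daemon helper.
# The third line follows the mitigation (no --password; the tool prompts
# instead) and must not be reported.
SAMPLE_CMDLINES='subscription-manager register --username alice --password hunter2 --auto-attach
/usr/libexec/example-subman-helper --username alice --password=hunter2
subscription-manager register --username alice'

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_CMDLINES" | redact_password_args
```

Run against the sample, the first two lines are reported with `***` in place of the password and the third is silent. `scan_running_processes` applies the same filter to the live process table; because it redacts before printing, its output can go to a ticket or a log without creating the very exposure it is looking for.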

Comment 9 Riccardo Schirone 2020-09-08 08:52:21 UTC
Statement:

This issue did not affect the versions of gnome-settings-daemon as shipped with Red Hat Enterprise Linux 6 and 7, as they did not include the subscription-manager plugin.

Comment 13 errata-xmlrpc 2020-11-04 01:05:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4451 https://access.redhat.com/errata/RHSA-2020:4451

Comment 14 Product Security DevOps Team 2020-11-04 02:26:32 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-14391

Comment 16 errata-xmlrpc 2021-01-26 11:12:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:0266 https://access.redhat.com/errata/RHSA-2021:0266