Bug 879094 (CVE-2012-5561) - CVE-2012-5561 Katello: /etc/katello/secure/passphrase is world readable
Summary: CVE-2012-5561 Katello: /etc/katello/secure/passphrase is world readable
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2012-5561
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 878888 888941 908429
Blocks: 879097 883745 892883 906638
 
Reported: 2012-11-22 03:27 UTC by Kurt Seifried
Modified: 2023-05-12 17:16 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2013-04-23 13:17:23 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:0544 0 normal SHIPPED_LIVE Important: Subscription Asset Manager 1.2 update 2013-02-26 04:08:04 UTC
Red Hat Product Errata RHSA-2013:0547 0 normal SHIPPED_LIVE Moderate: CloudForms System Engine 1.1.2 update 2013-02-22 00:01:10 UTC

Description Kurt Seifried 2012-11-22 03:27:57 UTC
Aaron Weitekamp (aweiteka) reports:

Description of problem:
/etc/katello/secure/passphrase is world readable. File and directory should be secured.
[root@qeblade40 ~]# ls -la /etc/katello/secure
total 12
drwxr-xr-x. 2 root root 4096 Nov 13 09:11 .
drwxr-xr-x. 3 root root 4096 Nov 14 11:22 ..
-rw-r--r--. 1 root root   65 Nov 13 09:11 passphrase
[root@qeblade40 ~]# rpm -qf /etc/katello/secure
katello-selinux-1.1.1-2.el6cf.noarch
[root@qeblade40 ~]# rpm -qf /etc/katello/secure/passphrase
file /etc/katello/secure/passphrase is not owned by any package


Version-Release number of selected component (if applicable):
1.1
[root@qeblade40 ~]# rpm -qa |grep katello
katello-cli-1.1.8-12.el6cf.noarch
katello-1.1.12-22.el6cf.noarch
katello-qpid-broker-key-pair-1.0-1.noarch
katello-certs-tools-1.1.8-1.el6cf.noarch
katello-candlepin-cert-key-pair-1.0-1.noarch
katello-glue-pulp-1.1.12-22.el6cf.noarch
katello-all-1.1.12-22.el6cf.noarch
katello-cli-common-1.1.8-12.el6cf.noarch
katello-glue-candlepin-1.1.12-22.el6cf.noarch
katello-selinux-1.1.1-2.el6cf.noarch
katello-qpid-client-key-pair-1.0-1.noarch
katello-common-1.1.12-22.el6cf.noarch
katello-configure-1.1.9-12.el6cf.noarch


Steps to Reproduce:
1. `ls -la /etc/katello/secure`
2. `rpm -qf /etc/katello/secure`
  
Actual results:
File and directory are world readable

Comment 1 Kurt Seifried 2012-11-22 03:29:03 UTC
/etc/katello/secure/passphrase is created by:

/usr/share/katello/script/katello-generate-passphrase

which is a bash script, specifically at the end:

-----
FILE=/etc/katello/secure/passphrase
# Refuse to overwrite an existing passphrase unless --force was given
[ $FORCE -eq 0 -a -f $FILE ] && \
  echo "Passphrase file was already generated, you can only generate once" && exit 1
# 64 random alphanumeric characters from the kernel CSPRNG
PASS=$(</dev/urandom tr -dc A-Za-z0-9 | head -c 64)
# The redirection creates the file with the process umask (normally 022),
# so it ends up mode 0644 and world readable; nothing narrows it afterwards
echo "$PASS" > $FILE
-----

Comment 3 Kurt Seifried 2012-12-20 04:58:09 UTC
Acknowledgements:

This issue was discovered by Aaron Weitekamp of the Red Hat Cloud Quality Engineering team.

Comment 4 Jordan OMara 2013-01-03 22:02:30 UTC
Fixing this by creating a "katello_shared" group that users tomcat & katello are added to. This file is then made group readable. Example:

[root@cersei ~]# ll /etc/katello
total 52
...
drwxr-x---. 2 root    katello_shared 4096 Jan  3 16:48 secure
..
[root@cersei ~]# ll /etc/katello/secure
total 4
-rw-rw----. 1 root katello_shared 65 Jan  3 16:48 passphrase

pull request submitted upstream: https://github.com/Katello/katello/pull/1349

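A hardened version of the script tail quoted in comment 1, reflecting the group-based fix described in comment 4. This is an added example, not the katello-generate-passphrase script or the upstream pull request: the directory and group are parameters so it can be exercised outside /etc/katello, the group is assumed to exist already (katello-shared in the shipped fix), and a checker confirms that neither the directory nor the file grants anything to "other".

```shell
#!/bin/sh
# Added example, not Katello's own code. Writes DIR/passphrase under a
# restrictive umask and hands it to GROUP, so it is never world readable,
# not even between creation and the final chmod.

# generate_passphrase DIR GROUP [FORCE]
# Returns 1 if the file exists and FORCE is not 1 (as the original script).
generate_passphrase() {
    dir=$1; group=$2; force=${3:-0}
    file="$dir/passphrase"
    if [ "$force" -eq 0 ] && [ -f "$file" ]; then
        echo "Passphrase file was already generated, you can only generate once" >&2
        return 1
    fi
    # Subshell so the umask change does not leak to the caller.
    ( umask 077
      mkdir -p "$dir" || exit 1
      # 64 alphanumerics plus newline: 65 bytes, as in the bug report listing
      { tr -dc 'A-Za-z0-9' </dev/urandom | head -c 64; echo; } >"$file" ) || return 1
    chgrp "$group" "$dir" "$file" || return 1
    chmod 0750 "$dir"    # drwxr-x--- as in comment 4
    chmod 0640 "$file"   # read is enough for the group; the shipped fix used 0660
}

# check_passphrase_perms DIR
# Returns 0 when DIR and DIR/passphrase give no permission at all to "other",
# i.e. the condition this CVE is about no longer holds. Parses the ls mode
# string (columns 8-10) so it works with GNU and BSD tools alike.
check_passphrase_perms() {
    dir=$1; file="$1/passphrase"
    [ -e "$dir" ] && [ -e "$file" ] || return 1
    dother=$(ls -ld "$dir" | cut -c8-10)
    fother=$(ls -ld "$file" | cut -c8-10)
    [ "$dother" = "---" ] && [ "$fother" = "---" ]
}
```

Run as root with `generate_passphrase /etc/katello/secure katello-shared` to reproduce the fixed layout from comment 10; the second function can be dropped into a configuration check to catch the world-readable state from the original report.
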
Comment 5 Kurt Seifried 2013-01-06 06:01:07 UTC
Just to confirm, katello_shared has been changed to katello-shared (hyphen instead of underscore) which is the more normal case.

Comment 6 Og Maciel 2013-01-31 19:50:59 UTC
[root@tigger ~]# ll /etc/katello | grep secure
drwxr-xr-x. 2 root    root    4096 Jan 31 12:29 secure
[root@tigger ~]# ll /etc/katello/secure
total 4
-rw-r--r--. 1 root root 65 Jan 31 12:29 passphrase
[root@tigger ~]# grep katello /etc/group
katello:x:182:tomcat,qpidd,apache

Comment 7 Og Maciel 2013-01-31 19:53:51 UTC
CFSE 1.1.2:

* candlepin-0.7.19-3.el6cf.noarch
* candlepin-selinux-0.7.19-3.el6cf.noarch
* candlepin-tomcat6-0.7.19-3.el6cf.noarch
* elasticsearch-0.18.4-11.el6.noarch
* katello-1.1.12.2-1.el6cf.noarch
* katello-all-1.1.12.2-1.el6cf.noarch
* katello-candlepin-cert-key-pair-1.0-1.noarch
* katello-certs-tools-1.1.8-1.el6cf.noarch
* katello-cli-1.1.8-14.el6cf.noarch
* katello-cli-common-1.1.8-14.el6cf.noarch
* katello-common-1.1.12.2-1.el6cf.noarch
* katello-configure-1.1.9-13.el6cf.noarch
* katello-glue-candlepin-1.1.12.2-1.el6cf.noarch
* katello-glue-pulp-1.1.12.2-1.el6cf.noarch
* katello-qpid-broker-key-pair-1.0-1.noarch
* katello-qpid-client-key-pair-1.0-1.noarch
* katello-selinux-1.1.1-2.el6cf.noarch
* pulp-1.1.15-1.el6cf.noarch
* pulp-common-1.1.15-1.el6cf.noarch
* pulp-selinux-server-1.1.15-1.el6cf.noarch

Comment 8 Og Maciel 2013-01-31 20:01:06 UTC
2013-01-31 14:53:14 < jomara> omaciel: hmm, what version of the software? where?
2013-01-31 14:53:57 < omaciel> jomara: https://bugzilla.redhat.com/show_bug.cgi?id=879094#c7
2013-01-31 14:54:32 < jomara> * candlepin-0.7.19-3.el6cf.noarch
2013-01-31 14:54:40 < jomara> ain't that old
2013-01-31 14:54:53 < omaciel> it's what we're shipping with 1.1.2
2013-01-31 14:55:03 < jomara> ok
2013-01-31 14:55:07 < jomara> well, that shouldn't matter really
2013-01-31 14:55:22 < jomara> katello-selinux-1.2.1-2h.el6_3            sam-1.2-rhel-6-candidate  jomara
2013-01-31 14:55:28 < jomara> * katello-selinux-1.1.1-2.el6cf.noarch
2013-01-31 14:55:30 < jomara> THERE'S THE BOTTLENECK
2013-01-31 14:56:08 < omaciel> jomara: do we have the wrong version of katello-selinux?
2013-01-31 14:56:12 < jomara> yes
2013-01-31 14:56:13 < jomara> you do

Comment 10 sthirugn@redhat.com 2013-02-06 16:21:57 UTC
Verified in version:
* candlepin-0.7.23-1.el6_3.noarch
* candlepin-cert-consumer-cloud-qe-8.idm.lab.bos.redhat.com-1.0-1.noarch
* candlepin-tomcat6-0.7.23-1.el6_3.noarch
* elasticsearch-0.19.9-5.el6_3.noarch
* katello-candlepin-cert-key-pair-1.0-1.noarch
* katello-certs-tools-1.2.1-1h.el6_3.noarch
* katello-cli-1.2.1-12h.el6_3.noarch
* katello-cli-common-1.2.1-12h.el6_3.noarch
* katello-common-1.2.1-15h.el6_3.noarch
* katello-configure-1.2.3-3h.el6_3.noarch
* katello-glue-candlepin-1.2.1-15h.el6_3.noarch
* katello-headpin-1.2.1-15h.el6_3.noarch
* katello-headpin-all-1.2.1-15h.el6_3.noarch
* katello-selinux-1.2.1-2h.el6_3.noarch
* thumbslug-0.0.28-1.el6_3.noarch
* thumbslug-selinux-0.0.28-1.el6_3.noarch

Output:
# ll /etc/katello|grep secure
drwxr-x---. 2 root    katello-shared 4096 Feb  6 10:23 secure

# ll /etc/katello/secure
total 4
-rw-rw----. 1 root katello-shared 65 Jan 28 16:09 passphrase

# grep katello /etc/group
katello:x:182:tomcat,apache,thumbslug
katello-shared:x:496:katello,tomcat

Comment 16 errata-xmlrpc 2013-02-21 19:06:50 UTC
This issue has been addressed in the following products:

  CloudForms for RHEL 6

Via RHSA-2013:0547 https://rhn.redhat.com/errata/RHSA-2013-0547.html

Comment 17 errata-xmlrpc 2013-02-21 19:20:13 UTC
This issue has been addressed in the following products:

  Red Hat Subscription Asset Manager 1.2

Via RHSA-2013:0544 https://rhn.redhat.com/errata/RHSA-2013-0544.html
