Bug 964299 - (CVE-2013-2069) CVE-2013-2069 livecd-tools: improper handling of passwords
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
Whiteboard: impact=important,public=20130523,repo...
Keywords: Security
Duplicates: 961166
Depends On: 961170 961171 961174 961175 961644 962493 963100 963101 964186 966594 966596
Blocks: 961166 961176
Reported: 2013-05-17 15:04 EDT by Kurt Seifried
Modified: 2016-09-19 22:49 EDT
Fixed In Version: livecd-tools 19.3, livecd-tools 18.16, livecd-tools 17.17, livecd-tools 13.4.4
Doc Type: Bug Fix
Doc Text:
It was discovered that when used to create images, livecd-tools gave the root user an empty password rather than leaving the password locked in situations where no 'rootpw' directive was used or when the 'rootpw --lock' directive was used within the Kickstart file, which could allow local users to gain access to the root account.
Description Kurt Seifried 2013-05-17 15:04:02 EDT
The livecd-tools package provides support for reading and executing
Kickstart files in order to create a system image. It was discovered
that livecd-tools gave the root user an empty password rather than
leaving the password locked in situations where no 'rootpw' directive
was used or when the 'rootpw --lock' directive was used within the
Kickstart file, which could allow local users to gain access to the
root account. (CVE-2013-2069)

Please note that livecd-tools is also used by appliance-tools to create
images used for virtual machines, USB based systems, and so on.
Additionally, the Python script components of livecd-tools have been
broken out into a separate package named python-imgcreate on some
distributions (such as Fedora).

Acknowledgements:

Red Hat would like to thank Amazon Web Services for reporting this issue. 
Amazon Web Services acknowledges Sylvain Beucler as the original reporter.
Comment 2 Mark J. Cox (Product Security) 2013-05-23 05:07:12 EDT
IssueDescription:

It was discovered that when used to create images, livecd-tools gave the root user an empty password rather than leaving the password locked in situations where no 'rootpw' directive was used or when the 'rootpw --lock' directive was used within the Kickstart file, which could allow local users to gain access to the root account.

ExternalReferences:

https://access.redhat.com/site/solutions/379353
Comment 3 errata-xmlrpc 2013-05-23 09:36:41 EDT
This issue has been addressed in the following products:

  Red Hat Common

Via RHSA-2013:0849 https://rhn.redhat.com/errata/RHSA-2013-0849.html
Comment 4 Tomas Hoger 2013-05-23 10:20:51 EDT
Created livecd-tools tracking bugs for this issue

Affects: fedora-all [bug 966594]
Affects: epel-all [bug 966596]
Comment 6 Arkady L. Shane 2013-05-24 11:05:39 EDT
On a LIVE image built with livecd-tools 19.3, one is unable to log in as root and/or run LIVEINST now.
Comment 7 Brian Lane 2013-05-24 12:14:23 EDT
(In reply to Arkady L. Shane from comment #6)
> On a LIVE image built with livecd-tools 19.3, one is unable to log in as root
> and/or run LIVEINST now.

Correct. The live kickstarts need to be modified to remove the root password. I've sent a patch for that to the spin-kickstarts list. Also, this bug is not the right place for bugs in spins. Please file a new bug against spin-kickstarts.
Comment 8 Manfred Blankenfeld 2013-05-25 11:00:43 EDT
(In reply to Brian C. Lane from comment #7)
> (In reply to Arkady L. Shane from comment #6)
> > On a LIVE image built with livecd-tools 19.3, one is unable to log in as root
> > and/or run LIVEINST now.
> 
> Correct. The live kickstarts need to be modified to remove the root
> password. I've sent a patch for that to the spin-kickstarts list. Also, this
> bug is not the right place for bugs in spins. Please file a new bug against
> spin-kickstarts.

Trick: open a console and write
sudo passwd root

After giving a password you can start
liveinst.

Manfred
Comment 9 Adam Williamson 2013-05-27 18:36:08 EDT
I have applied (well, it didn't apply cleanly any more so I just re-did it) bcl's submitted patch for fedora-live-base.ks that does 'passwd -d root' so the root account is once more accessible without a password on the Fedora live images, as is intended to be the case. If someone considers this to be a problem, please speak up :)

This change should only affect images that are built with the fedora-live-base.ks kickstart included, so if the 'appliance' images where this behaviour is not desired are not based off that kickstart, things should be fine. If they *are* based off that kickstart, we may need to split things out some more.
Comment 11 Tomas Hoger 2013-05-28 05:34:06 EDT
Cloud images should be using kickstarts from cloud-kickstarts git repo, see comment #5.
Comment 12 Matthew Miller 2013-05-28 22:20:09 EDT
Current cloud image kickstarts both specify rootpw --lock and call passwd -l root in %post for good measure. In the primary "-cloud" kickstart file, the assumption is that you will provide an SSH key via your cloud provider's metadata service, and this is injected into the system on boot.
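
An added example, not part of the bug report or of livecd-tools: a check that compares the root password state a kickstart asks for with the root entry in the built image's /etc/shadow, and flags the empty-password outcome described in this bug. The kickstart and shadow samples are constructed, the function names are hypothetical, and only literal `passwd -d root` / `passwd -l root` lines in %post are recognised.

```python
SECTIONS = {"%pre", "%post", "%packages"}

def root_shadow_state(shadow_text):
    """Classify root's password field in /etc/shadow content."""
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] == "root":
            pw = fields[1]
            if pw == "":
                return "empty"                 # login with no password at all
            return "locked" if pw[0] in "!*" else "hashed"
    return "missing"

def kickstart_intent(ks_text):
    """Root password state a (flattened, no %include) kickstart asks for."""
    intent, section = "locked", None           # no rootpw directive -> locked
    for raw in ks_text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "%end":
            section = None
        elif words[0] in SECTIONS:
            section = words[0]
        elif section is None and words[0] == "rootpw":
            intent = "locked" if "--lock" in words else "hashed"
        elif section == "%post" and words[0] == "passwd" and words[-1] == "root":
            if "-d" in words:
                intent = "empty"               # deliberate, as in a live image
            elif "-l" in words:
                intent = "locked"
    return intent

def audit_image(ks_text, shadow_text):
    """Flag an image whose root password is empty although nothing asked for it."""
    intent, actual = kickstart_intent(ks_text), root_shadow_state(shadow_text)
    return {"intent": intent, "actual": actual,
            "vulnerable": actual == "empty" and intent != "empty"}

# Constructed sample inputs (not taken from any real image or repository).
CLOUD_KS = "rootpw --lock\n%packages\n@core\n%end\n%post\npasswd -l root\n%end\n"
LIVE_KS = "%post\npasswd -d root\n%end\n"
SHADOW_EMPTY = "root::15848:0:99999:7:::\nbin:*:15848:0:99999:7:::\n"
SHADOW_LOCKED = "root:!!:15848:0:99999:7:::\nbin:*:15848:0:99999:7:::\n"

if __name__ == "__main__":
    for ks, shadow in [(CLOUD_KS, SHADOW_EMPTY), (CLOUD_KS, SHADOW_LOCKED),
                       (LIVE_KS, SHADOW_EMPTY)]:
        print(audit_image(ks, shadow))
```
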
Comment 14 Fedora Update System 2013-06-11 05:18:14 EDT
livecd-tools-17.17-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 15 Fedora Update System 2013-06-11 23:33:06 EDT
livecd-tools-19.4-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 16 Kurt Seifried 2015-02-04 19:18:20 EST
*** Bug 961166 has been marked as a duplicate of this bug. ***
