Bug 1101393 (CVE-2014-0246) - CVE-2014-0246 sos: md5 hash of GRUB password collected when running sosreport
Summary: CVE-2014-0246 sos: md5 hash of GRUB password collected when running sosreport
Alias: CVE-2014-0246
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1101474
Blocks: 1101415
TreeView+ depends on / blocked
Reported: 2014-05-27 06:09 UTC by Murray McAllister
Modified: 2023-05-12 16:00 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2014-06-09 19:55:50 UTC

Attachments (Terms of Use)

Description Murray McAllister 2014-05-27 06:09:04 UTC
When using a GRUB bootloader password, the md5 hash of said password was collected and stored in the resulting archive of debugging information when running sosreport. An attacker able to access the archive could use this flaw to obtain the GRUB bootloader password.

Comment 2 Murray McAllister 2014-05-27 07:03:06 UTC

Red Hat would like to thank Dolev Farhi of F5 Networks for reporting this issue.

Comment 3 Murray McAllister 2014-05-27 07:32:13 UTC
This issue is a similar scenario to https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2664

Comment 4 Murray McAllister 2014-05-27 09:16:03 UTC
Created sos tracking bugs for this issue:

Affects: fedora-all [bug 1101474]

Comment 5 Vincent Danen 2014-06-09 19:55:50 UTC
Please see https://bugzilla.redhat.com/show_bug.cgi?id=1102633#c4 for an explanation of why this is not a security issue.  The sos program cannot account for every single password that might be tucked away in any given file that it attempts to collect.  It makes a best-effort to scrub data, but that is in no way a guarantee and users are encouraged to look over the data that sos collects prior to sending it anywhere, and there is an explicit message to this effect when you run sos (before it collects anything).  This is more of a hardening exercise than anything else.  As well, an "attacker" can only benefit from the information if an authorized user makes it available to them.


This bug is not a security issue. For a detailed explanation, refer to: https://bugzilla.redhat.com/show_bug.cgi?id=1101393#c5

Comment 6 Fedora Update System 2014-06-27 02:25:44 UTC
sos-3.1-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.