Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 30 May 2014 11:58:38 -0600
From: "Vincent Danen" <vdanen@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: sos: /etc/fstab collected by
 sosreport, possibly containing passwords

On 05/29/2014, at 13:20 PM, Kurt Seifried wrote:

> On 05/29/2014 12:57 PM, Dolev Farhi wrote:
>> I tend to agree with most of this actually, but since sosreport is
>> there to collect information for troubleshooting issues only, then
>> there is no actual reason not to remove the pw field of a mount in
>> fstab, even though the file is world readable in the first place. I
>> do agree that this widens the scope from Red Hats side especially
>> while most of the time it would be close to impossible to prevent
>> password disclosures in configuration files, especially when it
>> depends on the random way a sysadmin alters config files. Best
>> practice is to use the credentials option and point fstab to read
>> the mount username and password from a file but there are multiple
>> ways to achieve the same goal. I am not sure regarding the
>> necessity of a CVE here, though I dont see much of a difference
>> between this to any other password disclosures (such as grub.conf)
>> discovered in sosreport in the past, except that fstab is world
>> readable. On both cases the problem is that this file is handled by
>> 3rd parties.
>>
>> Thanks
>>
>> -- Dolev Farhi
>
> So /etc/fstab is world readable, within that system. The file is then
> being exported to Red Hat, we don't really need or want the password,
> we also make an effort to sanitize the data sent, so if nothing else
> this falls into the "intended/advertised security feature that failed"
> and would qualify for a CVE as such as I understand things.

I very much disagree with this.  We don't advertise that we scrub all data and neuter your report of all potentially sensitive things.  In fact, we pretty much say the opposite when you run sosreport.  It was never intended or advertised that we removed anything (we just happen to remove stuff that we very obviously don't want, like keytabs and obvious places for password storage).

I did see MITRE's response and they did assign a CVE to RHEL5's implementation precisely because it does not have this warning (like RHEL6 and Fedora do).  I can't disagree with their rationale for the assignment for RHEL5's version of sosreport.


-- 
Vincent Danen / Red Hat Product Security
Download attachment "signature.asc" of type "application/pgp-signature" (711 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.