oss-sec mailing list archives
Re: CVE request: sos: /etc/fstab collected by sosreport, possibly containing passwords
From: "Vincent Danen" <vdanen () redhat com>
Date: Fri, 30 May 2014 11:58:38 -0600
On 05/29/2014, at 13:20 PM, Kurt Seifried wrote:

> On 05/29/2014 12:57 PM, Dolev Farhi wrote:
>> I tend to agree with most of this actually, but since sosreport is there to collect information for troubleshooting issues only, then there is no actual reason not to remove the pw field of a mount in fstab, even though the file is world readable in the first place. I do agree that this widens the scope from Red Hat's side, especially while most of the time it would be close to impossible to prevent password disclosures in configuration files, especially when it depends on the random way a sysadmin alters config files. Best practice is to use the credentials option and point fstab to read the mount username and password from a file, but there are multiple ways to achieve the same goal. I am not sure regarding the necessity of a CVE here, though I don't see much of a difference between this and any other password disclosures (such as grub.conf) discovered in sosreport in the past, except that fstab is world readable. In both cases the problem is that this file is handled by 3rd parties.
>>
>> Thanks
>> --
>> Dolev Farhi
>
> So /etc/fstab is world readable, within that system. The file is then being exported to Red Hat, we don't really need or want the password, we also make an effort to sanitize the data sent, so if nothing else this falls into the "intended/advertised security feature that failed" and would qualify for a CVE as such as I understand things.
I very much disagree with this. We don't advertise that we scrub all data and neuter your report of all potentially sensitive things. In fact, we pretty much say the opposite when you run sosreport. It was never intended or advertised that we removed anything (we just happen to remove stuff that we very obviously don't want, like keytabs and obvious places for password storage). I did see MITRE's response and they did assign a CVE to RHEL5's implementation precisely because it does not have this warning (like RHEL6 and Fedora do). I can't disagree with their rationale for the assignment for RHEL5's version of sosreport.

--
Vincent Danen / Red Hat Product Security
Attachment:
signature.asc
Description: OpenPGP digital signature
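The two remedies the thread touches on, masking inline fstab passwords before a report leaves the box and moving them into a credentials= file, as an added example that is neither sos's own code nor anything posted in the thread. The fstab entries, the share //fileserver/share and the path /root/.smbcredentials are constructed for illustration; the option names (password=, pass=, user=, username=, dom=, domain=, credentials=) are the ones mount.cifs(8) documents.

```python
import re

# Inline secret options as mount.cifs accepts them: password= or pass=.
# The lookbehind stops the pattern firing inside another option name
# (e.g. a path such as credentials=/root/.smbpassword).
SECRET_OPTION = re.compile(r'(?i)(?<![\w.-])(pass(?:word)?)=([^,\s]+)')

# Option names that belong in a credentials file, mapped to the key
# mount.cifs expects to find there.
CRED_KEYS = {'user': 'username', 'username': 'username',
             'pass': 'password', 'password': 'password',
             'dom': 'domain', 'domain': 'domain'}

# device  mountpoint  fstype  options  [dump [pass]]; group 2 is the options column.
FSTAB_COLUMNS = re.compile(r'^(\s*\S+\s+\S+\s+\S+\s+)(\S+)(.*)$', re.S)

# Constructed sample fstab (not a real host); the third entry is commented out
# but still carries a secret, which is why scrubbing is applied to whole lines.
SAMPLE_FSTAB = """\
/dev/sda1 / ext4 defaults 1 1
//fileserver/share /mnt/share cifs user=backup,password=Hunter2,domain=CORP,_netdev 0 0
#//old/share /mnt/old cifs pass=oldsecret 0 0
"""


def scrub_fstab(text):
    """Mask every inline password value in fstab-style text with ********.

    The whole text is scanned, comment lines included, so a commented-out
    entry cannot leak through a support report either."""
    return SECRET_OPTION.sub(r'\1=********', text)


def find_inline_passwords(text):
    """Audit helper: return (line number, option name) for each inline password."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in SECRET_OPTION.finditer(line):
            hits.append((lineno, m.group(1)))
    return hits


def move_to_credentials_file(line, cred_path):
    """Rewrite one fstab entry so username/password/domain come from a
    credentials file (mount.cifs's credentials= option) instead of the
    world-readable fstab.

    Returns (new_line, credentials_file_text). The caller is expected to
    write the second value to cred_path as root with mode 0600. An entry
    with no inline password is returned unchanged with None."""
    m = FSTAB_COLUMNS.match(line)
    if not m:
        return line, None
    head, options, tail = m.groups()
    kept, creds = [], {}
    for opt in options.split(','):
        key, sep, value = opt.partition('=')
        canon = CRED_KEYS.get(key.lower())
        if sep and canon:
            creds[canon] = value
        else:
            kept.append(opt)
    if 'password' not in creds:
        return line, None
    kept.append('credentials=' + cred_path)
    cred_text = ''.join('%s=%s\n' % (k, creds[k])
                        for k in ('username', 'password', 'domain') if k in creds)
    return head + ','.join(kept) + tail, cred_text


if __name__ == '__main__':
    print(scrub_fstab(SAMPLE_FSTAB))
    print(find_inline_passwords(SAMPLE_FSTAB))
    entry = SAMPLE_FSTAB.splitlines()[1]
    print(move_to_credentials_file(entry, '/root/.smbcredentials'))
```

Note that this masks the value but leaves the option name in place, so a reviewer can still see that a CIFS mount is authenticated without learning the password; the credentials-file rewrite keeps the remaining options (here _netdev) in their original order and appends credentials= at the end.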
Current thread:
- CVE request: sos: /etc/fstab collected by sosreport, possibly containing passwords Murray McAllister (May 29)
- Re: CVE request: sos: /etc/fstab collected by sosreport, possibly containing passwords Vincent Danen (May 29)
- Re: CVE request: sos: /etc/fstab collected by sosreport, possibly containing passwords Dolev Farhi (May 29)
- Re: CVE request: sos: /etc/fstab collected by sosreport, possibly containing passwords Kurt Seifried (May 29)
- Re: CVE request: sos: /etc/fstab collected by sosreport, possibly containing passwords Vincent Danen (May 30)
- Re: CVE request: sos: /etc/fstab collected by sosreport, possibly containing passwords Dolev Farhi (May 29)
- Re: CVE request: sos: /etc/fstab collected by sosreport, possibly containing passwords Vincent Danen (May 29)
- Re: CVE request: sos: /etc/fstab collected by sosreport, possibly containing passwords cve-assign (May 30)