Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-3287: Never save the Redfish passwords to a file readable by users · fwupd/fwupd@ea67685

When creating an OPERATOR user account on the BMC, the redfish plugin saved the auto-generated password to /etc/fwupd/redfish.conf without proper restriction, allowing any user on the system to read the same configuration file.

CVE

Permalink

Browse files

Never save the Redfish passwords to a file readable by users

When the redfish plugin automatically creates an OPERATOR user account on the BMC we save the autogenerated password to /etc/fwupd/redfish.conf, ensuring it is chmod’ed to 0660 before writing the file with g_key_file_save_to_file().

Under the covers, g_key_file_save_to_file() calls g_file_set_contents() with the keyfile string data. I was under the impression that G_FILE_CREATE_REPLACE_DESTINATION was being used to copy permissions, but alas not.

GLib instead calls g_file_set_contents_full() with the mode hardcoded to 0666, which undoes the previous chmod().

Use g_file_set_contents_full() with the correct mode for newer GLib versions, and provide a fallback with the same semantics for older versions.

  • Loading branch information

Related news

Red Hat Security Advisory 2023-7189-01

Red Hat Security Advisory 2023-7189-01 - An update for fwupd is now available for Red Hat Enterprise Linux 8.

RHSA-2023:2487: Red Hat Security Advisory: fwupd security and bug fix update

An update for fwupd is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3287: A flaw was found in fwupd. When creating an OPERATOR user account on the BMC, the redfish plugin saved the auto-generated password to /etc/fwupd/redfish.conf without proper restriction, allowing any user on the system to read the same configuration file. * CVE-2022-34301: A flaw was found in CryptoPro Secure Disk bootloaders before 2022-06-01. An at...

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907