CVE-2022-3287: Never save the Redfish passwords to a file readable by users · fwupd/fwupd@ea67685
When creating an OPERATOR user account on the BMC, the redfish plugin saved the auto-generated password to /etc/fwupd/redfish.conf without proper restriction, allowing any user on the system to read the same configuration file.
Never save the Redfish passwords to a file readable by users
When the redfish plugin automatically creates an OPERATOR user account on the BMC we save the autogenerated password to /etc/fwupd/redfish.conf, ensuring it is chmod’ed to 0660 before writing the file with g_key_file_save_to_file().
Under the covers, g_key_file_save_to_file() calls g_file_set_contents() with the keyfile string data. I was under the impression that G_FILE_CREATE_REPLACE_DESTINATION was being used to copy permissions, but alas not.
GLib instead calls g_file_set_contents_full() with the mode hardcoded to 0666, which undoes the previous chmod().
Use g_file_set_contents_full() with the correct mode for newer GLib versions, and provide a fallback with the same semantics for older versions.
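The failure mode described in the commit message, reduced to plain POSIX calls as an added example (not fwupd or GLib code): a save that writes a temporary file and renames it over the target creates a new inode, so a chmod() applied to the old file does not survive, and the mode chosen at save time is the only one that matters. `replace_file()`, `chmod_then_replace()` and the demo path are hypothetical names; the mode is set with fchmod() so the outcome does not depend on the umask, whereas a mode passed at file creation would be masked by it.

```c
/* Added example (POSIX only); replace_file() is a hypothetical stand-in. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Atomically replace `path` with `data`; the new inode gets exactly `mode`. */
static int replace_file(const char *path, const char *data, mode_t mode)
{
    char tmp[4096];
    size_t len = strlen(data);
    int fd;
    if (snprintf(tmp, sizeof(tmp), "%s.XXXXXX", path) >= (int)sizeof(tmp))
        return -1;
    if ((fd = mkstemp(tmp)) < 0) /* created 0600, never exposed early */
        return -1;
    if (write(fd, data, len) != (ssize_t)len ||
        fchmod(fd, mode) != 0 || /* explicit mode, independent of umask */
        fsync(fd) != 0 ||
        rename(tmp, path) != 0) { /* old inode and its chmod() are discarded */
        close(fd);
        unlink(tmp);
        return -1;
    }
    return close(fd);
}

/* Bug pattern: chmod() the existing file, then replace it with `save_mode`.
 * Returns the permission bits the file ends up with, or -1 on error. */
static int chmod_then_replace(const char *path, mode_t save_mode)
{
    struct stat st;
    if (replace_file(path, "[redfish]\n", 0644) != 0 || /* pre-existing file */
        chmod(path, 0660) != 0 ||                        /* tighten old inode */
        replace_file(path, "Password=constructed\n", save_mode) != 0 ||
        stat(path, &st) != 0)
        return -1;
    return (int)(st.st_mode & 07777);
}

int main(void)
{
    const char *p = "/tmp/redfish-demo.conf"; /* constructed demo path */
    printf("save with 0666: %04o\n", (unsigned)chmod_then_replace(p, 0666));
    printf("save with 0660: %04o\n", (unsigned)chmod_then_replace(p, 0660));
    return unlink(p);
}
```

A quick check on a deployed system is to stat the configuration file after the daemon has rewritten it, rather than after the administrator's own chmod.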
Related news
Red Hat Security Advisory 2023-7189-01 - An update for fwupd is now available for Red Hat Enterprise Linux 8.
An update for fwupd is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs:
* CVE-2022-3287: A flaw was found in fwupd. When creating an OPERATOR user account on the BMC, the redfish plugin saved the auto-generated password to /etc/fwupd/redfish.conf without proper restriction, allowing any user on the system to read the same configuration file.
* CVE-2022-34301: A flaw was found in CryptoPro Secure Disk bootloaders before 2022-06-01. An at...