Bug 1218728 (CVE-2024-23301)

Summary: VUL-0: CVE-2024-23301: rear: GRUB_RESCUE=Y creates world-readable initrd
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: aalzayed, andrea.mattiazzo, gabriele.sonnu, jcejka, jreuter, jsegitz, jsmeix, meissner, sascha.wessels, security-team, stoyan.manolov
Version: unspecified   
Target Milestone: ---   
Hardware: x86-64   
OS: SLES 15   
URL: https://smash.suse.de/issue/390872
Whiteboard: CVSSv3.1:SUSE:CVE-2024-23301:7.8:(AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Found By: Customer Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on: 1211055, 1218541    
Bug Blocks:    

Description Marcus Meissner 2024-01-11 13:22:16 UTC
+++ This bug was initially created as a clone of Bug #1218541 +++

As found by a SUSE customer, "rear" creates a world-readable (permissions 0644) initrd when run with GRUB_RESCUE=Y. This can be an issue if the initrd contains sensitive information, otherwise only readable by root.


I requested a CVE.
Comment 1 Johannes Meixner 2024-01-12 07:06:32 UTC
ReaR upstream fix:
https://github.com/rear/rear/pull/3123/files
Comment 2 Johannes Meixner 2024-01-12 07:11:44 UTC
The ReaR upstream fix merge commit
https://github.com/rear/rear/commit/89b61793d80bc2cb2abe47a7d0549466fb087d16
message shows an example how the ReaR recovery system
in ReaR's initrd can contain secrets when certain things
are explicitly configured by the user:
---------------------------------------------------------------
In pack/GNU/Linux/900_create_initramfs.sh call
chmod 0600 "$TMP_DIR/$REAR_INITRD_FILENAME"
to let only 'root' access the ReaR initrd because
the ReaR recovery system in the initrd can contain secrets
(not by default but when certain things are explicitly
configured by the user like SSH keys without passphrase)
---------------------------------------------------------------
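A check an administrator can run for the condition described in this bug, as an added example that is not part of the bug report or of ReaR: it lists files matching a name pattern whose mode grants any access to group or others, and resets them to 0600 as the upstream fix does. The function names, the directory argument and the `sample-initrd*` file names are assumptions made for illustration; it relies on GNU find.

```shell
#!/bin/sh
# Added example, not ReaR code. Requires GNU find (-perm /MODE, -printf).

# audit_initrd_perms DIR PATTERN
# Prints "MODE PATH" for each regular file in DIR matching PATTERN that
# has any group/other permission bit set. Returns 1 if any such file exists.
audit_initrd_perms() {
    _out=$(find "$1" -maxdepth 1 -type f -name "$2" -perm /077 -printf '%m %p\n')
    [ -z "$_out" ] && return 0
    printf '%s\n' "$_out"
    return 1
}

# restrict_initrd_perms DIR PATTERN
# Sets the offending files to 0600, the mode used by the upstream fix.
restrict_initrd_perms() {
    find "$1" -maxdepth 1 -type f -name "$2" -perm /077 -exec chmod 0600 {} +
}

# Demo on constructed files in a throwaway directory.
demo() {
    _d=$(mktemp -d) || return 1
    : > "$_d/sample-initrd.cgz";     chmod 0644 "$_d/sample-initrd.cgz"
    : > "$_d/sample-initrd-old.cgz"; chmod 0600 "$_d/sample-initrd-old.cgz"
    echo "before:"; audit_initrd_perms "$_d" 'sample-initrd*' || echo "-> too permissive"
    restrict_initrd_perms "$_d" 'sample-initrd*'
    echo "after:";  audit_initrd_perms "$_d" 'sample-initrd*' && echo "-> clean"
    rm -rf "$_d"
}
demo
```

On a real system, point both functions at the directory and file name where the rescue initrd was written; existing images created before the update keep their old mode until they are regenerated or fixed this way.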
Comment 4 Marcus Meissner 2024-01-13 10:45:12 UTC
use CVE-2024-23301
Comment 17 Maintenance Automation 2024-01-18 12:30:53 UTC
SUSE-SU-2024:0135-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1218728
CVE References: CVE-2024-23301
Sources used:
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): rear27a-2.7-8.6.1
SUSE Linux Enterprise High Availability Extension 12 SP5 (src): rear27a-2.7-8.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 18 Maintenance Automation 2024-01-18 16:30:21 UTC
SUSE-SU-2024:0148-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1218728
CVE References: CVE-2024-23301
Sources used:
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): rear23a-2.3.a-3.9.1
SUSE Linux Enterprise High Availability Extension 12 SP5 (src): rear23a-2.3.a-3.9.1

Comment 24 Johannes Meixner 2024-01-22 07:18:32 UTC
Fixed 'rear' in OBS Archiving and forwarded to openSUSE:Factory
------------------------------------------------------------------
# osc request accept -m "Security fix CVE-2024-23301 \
 bsc#1218728 for rear" 1140363

Result of change request state: ok
openSUSE:Factory 
Forward this submit to it? ([y]/n)y
Security fix CVE-2024-23301 bsc#1218728 for rear
 (forwarded request 1140363 from jsmeix)
New request # 1140364
------------------------------------------------------------------
Comment 25 OBSbugzilla Bot 2024-01-22 09:35:02 UTC
This is an autogenerated message for OBS integration:
This bug (1218728) was mentioned in
https://build.opensuse.org/request/show/1140364 Factory / rear
Comment 26 Johannes Meixner 2024-01-23 10:14:31 UTC
The fix for openSUSE:Factory
https://build.opensuse.org/request/show/1140364
is accepted.
Comment 27 Maintenance Automation 2024-01-23 20:30:54 UTC
SUSE-SU-2024:0190-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1218728
CVE References: CVE-2024-23301
Sources used:
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): rear118a-1.18.a-9.3.1
SUSE Linux Enterprise High Availability Extension 12 SP5 (src): rear118a-1.18.a-9.3.1

Comment 28 Maintenance Automation 2024-01-26 12:30:08 UTC
SUSE-SU-2024:0239-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1218728
CVE References: CVE-2024-23301
Sources used:
SUSE Linux Enterprise High Availability Extension 15 SP1 (src): rear23a-2.3.a-150000.9.9.1
SUSE Linux Enterprise High Availability Extension 15 SP2 (src): rear23a-2.3.a-150000.9.9.1

Comment 29 Maintenance Automation 2024-01-26 16:30:02 UTC
SUSE-SU-2024:0253-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1218728
CVE References: CVE-2024-23301
Sources used:
SUSE Linux Enterprise High Availability Extension 15 SP3 (src): rear27a-2.7-150200.5.6.1
SUSE Linux Enterprise High Availability Extension 15 SP4 (src): rear27a-2.7-150200.5.6.1
SUSE Linux Enterprise High Availability Extension 15 SP2 (src): rear27a-2.7-150200.5.6.1

Comment 30 Maintenance Automation 2024-01-26 16:30:29 UTC
SUSE-SU-2024:0247-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1218728
CVE References: CVE-2024-23301
Sources used:
openSUSE Leap 15.3 (src): rear23a-2.3.a-150300.21.3.1
openSUSE Leap 15.5 (src): rear23a-2.3.a-150300.21.3.1
SUSE Linux Enterprise High Availability Extension 15 SP3 (src): rear23a-2.3.a-150300.21.3.1
SUSE Linux Enterprise High Availability Extension 15 SP4 (src): rear23a-2.3.a-150300.21.3.1
SUSE Linux Enterprise High Availability Extension 15 SP5 (src): rear23a-2.3.a-150300.21.3.1

Comment 31 Maintenance Automation 2024-01-31 16:30:01 UTC
SUSE-SU-2024:0292-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1218728
CVE References: CVE-2024-23301
Sources used:
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): rear1172a-1.17.2.a-5.3.1
SUSE Linux Enterprise High Availability Extension 12 SP5 (src): rear1172a-1.17.2.a-5.3.1

Comment 32 Maintenance Automation 2024-01-31 16:30:03 UTC
SUSE-SU-2024:0291-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1218728
CVE References: CVE-2024-23301
Sources used:
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): rear116-1.16-15.3.1
SUSE Linux Enterprise High Availability Extension 12 SP5 (src): rear116-1.16-15.3.1

Comment 41 Maintenance Automation 2024-02-28 16:30:07 UTC
SUSE-SU-2024:0657-1: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (important)
Bug References: 1202352, 1218728
CVE References: CVE-2024-23301
Sources used:
openSUSE Leap 15.5 (src): rear27a-2.7-150500.3.3.1
SUSE Linux Enterprise High Availability Extension 15 SP5 (src): rear27a-2.7-150500.3.3.1

Comment 42 Andrea Mattiazzo 2024-05-17 08:46:54 UTC
All done, closing.