Bug 1035912 (CVE-2017-8109) - VUL-0: CVE-2017-8109: salt: salt-ssh temporary files - insecure permissions
Status: RESOLVED FIXED
Alias: CVE-2017-8109
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
Whiteboard: CVSSv2:SUSE:CVE-2017-8109:2.1:(AV:L/A...
Reported: 2017-04-25 08:56 UTC by Andreas Stieger
Modified: 2017-10-25 19:15 UTC

Found By: Security Response Team
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Andreas Stieger 2017-04-25 08:56:56 UTC
from https://docs.saltstack.com/en/latest/topics/releases/2016.11.4.html

ISSUE #40075: (afletch) salt-ssh temporary files - insecure permissions | refs: #40609

https://github.com/saltstack/salt/issues/40075

When salt-ssh sets up its temporary location (e.g. /var/tmp/.root_xxxx_salt), the files contained (e.g. /var/tmp/.root_xxxx_salt/running_data/var/cache/salt/minion/files) are 0644. Some of these files may well contain sensitive data such as private keys (which when installed will be set to 0600 by the state).

The permissions may be inherited from the salt-master, but if these files come from a backend such as gitfs, they seem to have 0644 in the master gitfs cache (which in itself is a problem!)

From https://github.com/saltstack/salt/issues/40075 

... changes the behavior of the fileserver which used to mirror permissions from the salt master to the minion cache when caching files.

Before this change, the file permissions from the fileserver were mirrored to the minion file cache.

Now the cache is set to 600, and we look up the file permissions at the time of placing the file down on the filesystem.

https://github.com/saltstack/salt/commit/8492cef7a5c8871a3978ffc2f6e48b3b960e0151
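
Added example, not part of the original report and not Salt's own code: a sketch of the "cache as 0600" behaviour described above, together with an audit that lists cache files still readable by group or other. The function names and the sample tree are hypothetical and constructed for illustration; only the `running_data/var/cache/salt/minion/files` layout is taken from the report.

```python
import os
import shutil
import stat
import tempfile


def cache_file(cache_dir, rel_path, data):
    """Write a cache entry as 0600, whatever the source mode or umask."""
    dest = os.path.join(cache_dir, rel_path)
    os.makedirs(os.path.dirname(dest), mode=0o700, exist_ok=True)
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        os.fchmod(fd, 0o600)  # also tightens a file that already existed
        os.write(fd, data)
    finally:
        os.close(fd)
    return dest


def find_exposed(root):
    """List (relative path, mode) of regular files with group/other bits set."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_mode & 0o077:
                hits.append((os.path.relpath(path, root), stat.S_IMODE(st.st_mode)))
    return sorted(hits)


def demo():
    """Constructed tree: one file with a mirrored 0644 mode, one cached as 0600."""
    root = tempfile.mkdtemp(prefix="salt_ssh_demo_")
    try:
        cache = os.path.join(root, "running_data", "var", "cache", "salt", "minion", "files")
        os.makedirs(cache)
        mirrored = os.path.join(cache, "mirrored_key")  # pre-fix: mode copied from master
        with open(mirrored, "wb") as fh:
            fh.write(b"constructed sample, not a real key")
        os.chmod(mirrored, 0o644)
        cache_file(cache, "base/fixed_key", b"constructed sample, not a real key")
        return find_exposed(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for rel, mode in demo():
        print(f"{oct(mode)} {rel}")
```

Pointing `find_exposed` at a real salt-ssh temporary directory reports the same condition on a host that has not yet received the update.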
Comment 3 Marcus Meissner 2017-04-25 14:28:56 UTC
I have requested a CVE from Mitre.

This can be fixed in the 2016.11.4 feature update, but please reference this bug and the CVE there.
Comment 5 Swamp Workflow Management 2017-06-16 16:12:46 UTC
SUSE-SU-2017:1581-1: An update that solves two vulnerabilities and has 17 fixes is now available.

Category: security (moderate)
Bug References: 1011800,1012999,1017078,1020831,1022562,1025896,1027240,1027722,1030009,1030073,1032931,1035912,1035914,1036125,1038855,1039370,1040584,1040886,1043111
CVE References: CVE-2017-5200,CVE-2017-8109
Sources used:
SUSE Linux Enterprise Server 11-SP4-CLIENT-TOOLS (src):    salt-2016.11.4-42.2
SUSE Linux Enterprise Server 11-SP3-CLIENT-TOOLS (src):    salt-2016.11.4-42.2
Comment 6 Swamp Workflow Management 2017-06-16 16:15:21 UTC
SUSE-SU-2017:1582-1: An update that solves two vulnerabilities and has 17 fixes is now available.

Category: security (moderate)
Bug References: 1011800,1012999,1017078,1020831,1022562,1025896,1027240,1027722,1030009,1030073,1032931,1035912,1035914,1036125,1038855,1039370,1040584,1040886,1043111
CVE References: CVE-2017-5200,CVE-2017-8109
Sources used:
SUSE Manager Tools 12 (src):    salt-2016.11.4-45.2
SUSE Manager Server 3.0 (src):    salt-2016.11.4-45.2
SUSE Manager Proxy 3.0 (src):    salt-2016.11.4-45.2
SUSE Linux Enterprise Point of Sale 12-SP2 (src):    salt-2016.11.4-45.2
SUSE Linux Enterprise Module for Advanced Systems Management 12 (src):    salt-2016.11.4-45.2
SUSE Enterprise Storage 4 (src):    salt-2016.11.4-45.2
SUSE Enterprise Storage 3 (src):    salt-2016.11.4-45.2
OpenStack Cloud Magnum Orchestration 7 (src):    salt-2016.11.4-45.2
Comment 7 Marcus Meissner 2017-10-25 19:15:29 UTC
released