Bug 1117602 - (CVE-2018-17957) VUL-1: CVE-2018-17957: yast2-rmt: mysql password exposed in process list
Status: RESOLVED FIXED
Duplicates: 1118174
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low, Severity: Minor
Assigned To: Security Team bot
CVSSv3:SUSE:CVE-2018-17957:3.4:(AV:L/...
Reported: 2018-11-28 09:14 UTC by Johannes Segitz
Modified: 2020-02-28 09:30 UTC

Description Johannes Segitz 2018-11-28 09:14:42 UTC
yast2-rmt-1.0.4/src/lib/rmt/wizard_maria_db_page.rb:127
    RMT::Execute.on_target!(
      ['echo', 'select 1;'],
      [
        'mysql', '-u', @config['database']['username'], "-p#{@config['database']['password']}",
        '-D', @config['database']['database'], '-h', @config['database']['host']
      ]
    )

yast2-rmt-1.0.4/src/lib/rmt/wizard_maria_db_page.rb:173
    ret = RMT::Utils.run_command(
      "echo 'create database if not exists %1 character set = \"utf8\"' | mysql -u root -h %2 -p%3 2>/dev/null",
      @config['database']['database'],
      @config['database']['host'],
      @root_password
    )

yast2-rmt-1.0.4/src/lib/rmt/wizard_maria_db_page.rb:186
      ret = RMT::Utils.run_command(
        "echo 'grant all on %1.* to \"%2\"\@%3 identified by \"%4\"' | mysql -u root -h %5 -p%6 >/dev/null",
        @config['database']['database'],
        @config['database']['username'],
        @config['database']['host'],
        @config['database']['password'],
        @config['database']['host'],
        @root_password
      )

yast2-rmt-1.0.4/src/lib/rmt/maria_db/current_root_password_dialog.rb:39
    RMT::Utils.run_command(
      "echo 'show databases;' | mysql -u root -p%1 2>/dev/null",
      password
    ) == 0

While these commands run, the passwords are exposed on the command line. Please use a different way of passing the password. You can use an option file (please create that in a secure way and ensure that you overwrite and remove it afterwards).
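
The option-file approach suggested in the description, sketched as an added example (not code from yast2-rmt or from its fix). `option_value` and `with_mysql_argv` are hypothetical helpers and the sample credentials are constructed; the sketch relies on mysql's `--defaults-extra-file` option, which has to be the first option on the command line.

```ruby
require 'tempfile'

# Hypothetical helper: quote a value for a [client] option file. Quoting keeps
# '#' from starting a comment; backslashes are doubled. Values that cannot be
# represented safely on one line are rejected rather than guessed at.
def option_value(value)
  raise ArgumentError, 'quote or newline in option value' if value =~ /["\r\n]/
  %("#{value.gsub('\\') { '\\\\' }}")
end

# Writes the credentials to a private option file, yields the mysql argv that
# refers to it, then overwrites (best effort) and removes the file.
def with_mysql_argv(user:, password:, host:, database: nil)
  file = Tempfile.new(['mysql-client', '.cnf']) # created with O_EXCL, mode 0600
  content = "[client]\nuser=#{option_value(user)}\n" \
            "password=#{option_value(password)}\nhost=#{option_value(host)}\n"
  file.write(content)
  file.flush
  # --defaults-extra-file must be the first option on the mysql command line.
  argv = ['mysql', "--defaults-extra-file=#{file.path}"]
  argv += ['-D', database] if database
  yield argv, file.path
ensure
  if file
    file.rewind
    file.write("\0" * content.to_s.bytesize)
    file.flush
    file.close! # close and unlink
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample credentials. A real caller would hand argv (as an array)
  # to its process runner and feed the SQL on stdin.
  with_mysql_argv(user: 'rmt', password: 'constructed#pw', host: 'localhost',
                  database: 'rmt') do |argv, path|
    puts "argv visible in ps: #{argv.inspect}"
    printf("option file mode: %o\n", File.stat(path).mode & 0o777)
  end
end
```
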
Comment 2 Johannes Segitz 2018-12-03 16:42:17 UTC
*** Bug 1118174 has been marked as a duplicate of this bug. ***
Comment 3 Stefan Hundhammer 2018-12-03 16:47:39 UTC
Please notice that this YaST module is maintained outside of the YaST team:

% isc maintainer -e yast2-rmt
Defined in package: SUSE:SLE-15:GA/yast2-rmt 
  bugowner of yast2-rmt : 
   tschmidt@suse.com
Comment 4 Johannes Segitz 2018-12-04 07:15:44 UTC
(In reply to Stefan Hundhammer from comment #3)
setting to correct maintainer, thank you
Comment 7 Swamp Workflow Management 2018-12-21 02:09:24 UTC
SUSE-SU-2018:4209-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1117602
CVE References: CVE-2018-17957
Sources used:
SUSE Linux Enterprise Module for Server Applications 15 (src):    yast2-rmt-1.1.2-3.11.1
Comment 8 Karol Babioch 2018-12-21 06:05:26 UTC
Let's consider this public :-).
Comment 9 Serhii Kotov 2018-12-21 10:41:04 UTC
The code is published now. Thank you!
Comment 10 Johannes Segitz 2018-12-21 11:13:03 UTC
Please don't close security bugs, assign them to security@suse.de when you're done.

Adding needinfo to ensure you see this, feel free to remove it
Comment 11 Serhii Kotov 2018-12-21 13:02:21 UTC
Sorry, I got it now. Thanks for clarifying!
Comment 12 Andreas Stieger 2018-12-22 20:40:48 UTC
done
Comment 13 Swamp Workflow Management 2018-12-23 02:14:03 UTC
openSUSE-SU-2018:4272-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1117602
CVE References: CVE-2018-17957
Sources used:
openSUSE Leap 15.0 (src):    yast2-rmt-1.1.2-lp150.2.12.1
Comment 14 Marcus Meissner 2018-12-25 11:06:51 UTC
https://github.com/CVEProject/cvelist/pull/1399
Comment 15 Swamp Workflow Management 2019-01-04 11:40:11 UTC
This is an autogenerated message for OBS integration:
This bug (1117602) was mentioned in
https://build.opensuse.org/request/show/662765 Factory / yast2-rmt