Bugzilla – Bug 1172743
VUL-0: CVE-2020-13867: targetcli-fb: weak permissions for /etc/target (and for the backup directory and backup files)
Last modified: 2022-08-08 16:28:01 UTC
CVE-2020-13867 Open-iSCSI targetcli-fb through 2.1.52 has weak permissions for /etc/target (and for the backup directory and backup files).

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-13867
http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-13867.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13867
https://github.com/open-iscsi/targetcli-fb/pull/172

SUSE:SLE-12-SP2:Update targetcli-fb  Affected
SUSE:SLE-12-SP3:Update targetcli-fb  Affected
SUSE:SLE-15-SP1:Update targetcli-fb  Affected
SUSE:SLE-15:Update targetcli-fb  Affected
Submitted to factory
I submitted maint. req. for open-iscsi for SLE-15-SP2:Update, where it's been accepted. Submitted to SLE-15-SP1:Update (req#221164).
Submitted to SLE-15:Update, but in a reduced way, since that version of targetcli-fb does not create directories, so there is no reason to protect said directories with correct permissions.
Added to SLE-12-SP3:Update.
And, lastly, submitted to SLE-12-SP2.
Reassigning back to the big guns.
I'm testing S:M:15574:221253, in sles15sp2 platform, after upgrading the targetcli-fb program, the saveconfig.json file created by the targetcli command always has permission 644. If I change the permissions of the saveconfig.json file to some other value (e.g. 755), the program will not change the permissions of the file to 600.

reproducer steps:

s15sp2:/etc/target # rpm -qa|grep targetcli-fb
targetcli-fb-common-2.1.52-3.3.1.noarch
python3-targetcli-fb-2.1.52-3.3.1.noarch
python2-targetcli-fb-2.1.52-3.3.1.noarch

1.
s15sp2:/etc/target # ll
total 12
drwxr-xr-x 2 root root 4096 Jun  6 09:16 alua
drw------- 2 root root 4096 Jul 27 16:11 backup
drwxr-xr-x 2 root root 4096 Jun  6 09:16 pr

2.
s15sp2:/etc/target # targetcli
targetcli shell version 2.1.52
Copyright 2011-2013 by Datera, Inc and others.
For help on commands, type 'help'.

/> cd backstores/fileio
/backstores/fileio> create disk0 /tmp/disk0.img 10MB
Created fileio disk0 with size 10485760
/backstores/fileio> cd ../../
/> saveconfig
Configuration saved to /etc/target/saveconfig.json
/> exit
Global pref auto_save_on_exit=true
Last 10 configs saved in /etc/target/backup/.
Configuration saved to /etc/target/saveconfig.json

3.
s15sp2:/etc/target # ll
total 16
drwxr-xr-x 2 root root 4096 Jun  6 09:16 alua
drw------- 2 root root 4096 Jul 27 16:12 backup
drwxr-xr-x 2 root root 4096 Jun  6 09:16 pr
-rw-r--r-- 1 root root 1815 Jul 27 16:12 saveconfig.json   <--- new file 644

s15sp2:/etc/target # chmod 755 saveconfig.json

s15sp2:/etc/target # targetcli
targetcli shell version 2.1.52
Copyright 2011-2013 by Datera, Inc and others.
For help on commands, type 'help'.

/> pwd
/
/> saveconfig
Last 10 configs saved in /etc/target/backup/.
Configuration saved to /etc/target/saveconfig.json
/> exit
Global pref auto_save_on_exit=true
Configuration saved to /etc/target/saveconfig.json

s15sp2:/etc/target # ll
total 16
drwxr-xr-x 2 root root 4096 Jun  6 09:16 alua
drw------- 2 root root 4096 Jul 27 16:46 backup
drwxr-xr-x 2 root root 4096 Jun  6 09:16 pr
-rwxr-xr-x 1 root root 1815 Jul 27 16:46 saveconfig.json   <--- still 755

And I also tested targetclid, which is the same result:

s15sp2:/etc # systemctl enable targetclid.socket
Created symlink /etc/systemd/system/sockets.target.wants/targetclid.socket → /usr/lib/systemd/system/targetclid.socket.

s15sp2:/etc/target # rctargetclid start

s15sp2:/etc/target # targetcli set global auto_use_daemon=true
Parameter auto_use_daemon is now 'true'.

s15sp2:/etc/target # targetcli
targetcli shell version 2.1.52
Entering targetcli interactive mode for daemonized approach.
Type 'exit' to quit.
/> saveconfig
Configuration saved to /etc/target/saveconfig.json
/> exit

s15sp2:/etc/target # ll
total 16
drwxr-xr-x 2 root root 4096 Jun  6 09:16 alua
drw------- 2 root root 4096 Jun 26 19:26 backup
drwxr-xr-x 2 root root 4096 Jun  6 09:16 pr
-rw-r--r-- 1 root root   69 Jul 27 15:50 saveconfig.json   <--- new file 644

s15sp2:/etc/target # rm -rf saveconfig.json

s15sp2:/etc/target # targetcli set global daemon_use_batch_mode=true
Parameter daemon_use_batch_mode is now 'true'.

s15sp2:/etc/target # targetcli
targetcli shell version 2.1.52
Entering targetcli batch mode for daemonized approach.
Enter multiple commands separated by newline and type 'exit' to run them all in one go.

/> saveconfig
/> exit
Configuration saved to /etc/target/saveconfig.json

s15sp2:/etc/target # ll
total 16
drwxr-xr-x 2 root root 4096 Jun  6 09:16 alua
drw------- 2 root root 4096 Jun 26 19:26 backup
drwxr-xr-x 2 root root 4096 Jun  6 09:16 pr
-rw-r--r-- 1 root root   69 Jul 27 15:55 saveconfig.json   <--- still 644

Please check the reason.
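Comment #13 above reports two symptoms: a fresh saveconfig.json comes out 644, and a file already chmod'ed to 755 keeps that mode after saveconfig. A writer that relies only on the mode passed at file creation shows exactly these two symptoms, because that mode is masked by the process umask and is never applied to a file that already exists. The block below is an added example, not targetcli-fb's or the submitter's code: a writer that makes the file owner-only in both cases, plus an audit that flags the layout from the listing (including the drw------- backup directory); the scratch directory and the JSON content are constructed stand-ins for /etc/target.

```python
import os
import stat
import tempfile

# Added example (not targetcli-fb's code); 600 is the mode the report expects.
CONFIG_MODE = 0o600

def save_config_private(path, data):
    """Write data to path as an owner-only file; return the resulting mode bits."""
    # os.open's mode is used only at create time and is masked by umask, so a
    # pre-existing 755 file would keep its bits; the fchmod covers that case.
    old_umask = os.umask(0o077)
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, CONFIG_MODE)
    finally:
        os.umask(old_umask)
    try:
        os.fchmod(fd, CONFIG_MODE)
        os.write(fd, data.encode())
    finally:
        os.close(fd)
    return stat.S_IMODE(os.stat(path).st_mode)

def audit_target_dir(root):
    """(path, mode) of entries open to group/other, or dirs the owner can't traverse."""
    findings = []
    def check(p, is_dir):
        m = stat.S_IMODE(os.stat(p).st_mode)
        if m & 0o077 or (is_dir and not m & stat.S_IXUSR):
            findings.append((p, m))
    check(root, True)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            check(os.path.join(dirpath, name), True)
        for name in filenames:
            check(os.path.join(dirpath, name), False)
    return findings

def run_demo():
    """Rebuild the report's /etc/target layout in a scratch dir and audit it."""
    root = tempfile.mkdtemp()                 # created 0700, stands in for /etc/target
    backup = os.path.join(root, "backup")
    os.mkdir(backup); os.chmod(backup, 0o600)   # drw------- as in the listing
    cfg = os.path.join(root, "saveconfig.json")
    open(cfg, "w").close(); os.chmod(cfg, 0o755)  # the report's chmod 755 step
    before = sorted(p for p, _ in audit_target_dir(root))
    saved_mode = save_config_private(cfg, '{"storage_objects": []}\n')
    after = sorted(p for p, _ in audit_target_dir(root))
    return {"saved_mode": saved_mode, "flagged_before": before,
            "flagged_after": after, "backup": backup, "config": cfg}
```

Before the write, the audit flags both the 755 config file and the 600 backup directory; afterwards only the backup directory remains, since the writer tightens the file but does not touch directories.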
SUSE-SU-2020:2086-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1172743
CVE References: CVE-2020-13867
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Python2 15-SP1 (src): targetcli-fb-2.1.49-10.9.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): targetcli-fb-2.1.49-10.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
What version of python3-rtslib-fb do you have? You need version 2.1.73, which was submitted to SLE-15-SP3 about 3 weeks ago.

See bsc#1173257, request#221888
(In reply to Lee Duncan from comment #15)
> What version of python3-rtslib-fb do you have? You need version 2.1.73,
> which was submitted to SLE-15-SP3 about 3 weeks ago.
>
> See bsc#1173257, request#221888

The latest version of python3-rtslib-fb on sle15sp2 is 2.1.71-1.21. I see a correlation between S:M:15574:221253 and S:M:15683:221947, maybe I can combine them together for a test, I will assign myself S:M:15683:221947. Is my understanding correct?
SUSE-SU-2020:2101-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1172743
CVE References: CVE-2020-13867
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Python2 15-SP2 (src): targetcli-fb-2.1.52-3.3.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): targetcli-fb-2.1.52-3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
(In reply to ming li from comment #16)
> (In reply to Lee Duncan from comment #15)
> > What version of python3-rtslib-fb do you have? You need version 2.1.73,
> > which was submitted to SLE-15-SP3 about 3 weeks ago.
> >
> > See bsc#1173257, request#221888
>
> The latest version of python3-rtslib-fb on sle15sp2 is 2.1.71-1.21. I see a
> correlation between S:M:15574:221253 and S:M:15683:221947, maybe I can
> combine them together for a test, I will assign myself S:M:15683:221947. Is
> my understanding correct?

Yes, I believe so.
openSUSE-SU-2020:1141-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1172743
CVE References: CVE-2020-13867
JIRA References:
Sources used:
openSUSE Leap 15.1 (src): targetcli-fb-2.1.49-lp151.2.10.1

openSUSE-SU-2020:1144-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1172743
CVE References: CVE-2020-13867
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): targetcli-fb-2.1.52-lp152.2.3.1

SUSE-SU-2020:2360-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1172743
CVE References: CVE-2020-13867
JIRA References:
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src): targetcli-fb-2.1.43-7.9.4

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
(In reply to ming li from comment #13)
> I'm testing S:M:15574:221253, in sles15sp2 platform, after upgrading the
> targetcli-fb program, the targetcli command creates saveconfig.json file
> permission attribute is always 644. If I change the permissions of the
> saveconfig.json file to some other value (e.g. 755), the program will not
> change the permissions of the file to 600.
> [...]
> Please check the reason.

Ming: apologies for letting this slip through the cracks! I see I have the fix for this, in SLE-15-SP2, but I never submitted it for some reason. And the comments in this bug report don't show that I've updated it, either. :-/

I have the fix in home:lee_duncan:branches:SUSE:SLE-12-SP2:Update/targetcli-fb. I will attach the RPM for x86_64. Please test, though I'm pretty sure this is the correct fix. If I don't hear back from you (it's been a while) I'll go ahead and submit this.
Created attachment 860619
RPM for SLE-15-SP2:Update x86_64 for targetcli-fb

This RPM should set mode 644 for saveconfig.json.
Reassigning back to security.