Bug 1172743 - (CVE-2020-13867) VUL-0: CVE-2020-13867: targetcli-fb: weak permissions for /etc/target (and for the backup directory and backup files)
Status: IN_PROGRESS
Classification: Novell Products
Product: SUSE Security Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
https://smash.suse.de/issue/260872/
CVSSv3.1:SUSE:CVE-2020-13867:6.2:(AV:...
Depends on:
Blocks:
Reported: 2020-06-09 16:00 UTC by Wolfgang Frisch
Modified: 2022-08-08 16:28 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
lduncan: needinfo? (mli)


Attachments
RPM for SLE-15-SP2:Update x86_64 for targetcli-fb (57.01 KB, application/x-rpm)
2022-08-04 21:01 UTC, Lee Duncan

Description Wolfgang Frisch 2020-06-09 16:00:52 UTC
CVE-2020-13867

Open-iSCSI targetcli-fb through 2.1.52 has weak permissions for /etc/target (and
for the backup directory and backup files).

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-13867
http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-13867.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13867
https://github.com/open-iscsi/targetcli-fb/pull/172
Comment 1 Wolfgang Frisch 2020-06-09 16:06:08 UTC
SUSE:SLE-12-SP2:Update   targetcli-fb   Affected
SUSE:SLE-12-SP3:Update   targetcli-fb   Affected
SUSE:SLE-15-SP1:Update   targetcli-fb   Affected
SUSE:SLE-15:Update       targetcli-fb   Affected
Comment 2 Lee Duncan 2020-06-10 14:50:59 UTC
Submitted to factory
Comment 4 Lee Duncan 2020-06-26 16:53:17 UTC
I submitted maint. req. for open-iscsi for SLE-15-SP2:Update, where it's been accepted.

Submitted to SLE-15-SP1:Update (req#221164).
Comment 6 Lee Duncan 2020-06-26 18:49:21 UTC
Submitted to SLE-15:Update, but in a reduced way, since that version of targetcli-fb does not create directories, so there is no reason to protect said directories with correct permissions.
Comment 8 Lee Duncan 2020-06-26 22:04:08 UTC
Added to SLE-12-SP3:Update.
Comment 10 Lee Duncan 2020-06-26 23:31:05 UTC
And, lastly, submitted to SLE-12-SP2.
Comment 12 Lee Duncan 2020-06-29 17:37:45 UTC
reassigning back to the big guns
Comment 13 ming li 2020-07-27 08:56:22 UTC
I'm testing S:M:15574:221253 on the sles15sp2 platform. After upgrading the targetcli-fb program, the saveconfig.json file created by the targetcli command always has permission attribute 644. If I change the permissions of the saveconfig.json file to some other value (e.g. 755), the program will not change the permissions of the file to 600. Reproducer steps:

s15sp2:/etc/target # rpm -qa|grep targetcli-fb
targetcli-fb-common-2.1.52-3.3.1.noarch
python3-targetcli-fb-2.1.52-3.3.1.noarch
python2-targetcli-fb-2.1.52-3.3.1.noarch

1.
s15sp2:/etc/target # ll
total 12
drwxr-xr-x 2 root root 4096 Jun  6 09:16 alua
drw------- 2 root root 4096 Jul 27 16:11 backup
drwxr-xr-x 2 root root 4096 Jun  6 09:16 pr

2.
s15sp2:/etc/target # targetcli
targetcli shell version 2.1.52
Copyright 2011-2013 by Datera, Inc and others.
For help on commands, type 'help'.

/> cd backstores/fileio
/backstores/fileio> create disk0 /tmp/disk0.img 10MB
Created fileio disk0 with size 10485760
/backstores/fileio> cd ../../
/> saveconfig
Configuration saved to /etc/target/saveconfig.json
/> exit
Global pref auto_save_on_exit=true
Last 10 configs saved in /etc/target/backup/.
Configuration saved to /etc/target/saveconfig.json

3.
s15sp2:/etc/target # ll
total 16
drwxr-xr-x 2 root root 4096 Jun  6 09:16 alua
drw------- 2 root root 4096 Jul 27 16:12 backup
drwxr-xr-x 2 root root 4096 Jun  6 09:16 pr
-rw-r--r-- 1 root root 1815 Jul 27 16:12 saveconfig.json   <--- new file 644


s15sp2:/etc/target # chmod 755 saveconfig.json 

s15sp2:/etc/target # targetcli
targetcli shell version 2.1.52
Copyright 2011-2013 by Datera, Inc and others.
For help on commands, type 'help'.

/> pwd
/
/> saveconfig
Last 10 configs saved in /etc/target/backup/.
Configuration saved to /etc/target/saveconfig.json
/> exit
Global pref auto_save_on_exit=true
Configuration saved to /etc/target/saveconfig.json

s15sp2:/etc/target # ll
total 16
drwxr-xr-x 2 root root 4096 Jun  6 09:16 alua
drw------- 2 root root 4096 Jul 27 16:46 backup
drwxr-xr-x 2 root root 4096 Jun  6 09:16 pr
-rwxr-xr-x 1 root root 1815 Jul 27 16:46 saveconfig.json  <--- still 755

And I also tested targetclid, with the same result:

s15sp2:/etc # systemctl enable targetclid.socket
Created symlink /etc/systemd/system/sockets.target.wants/targetclid.socket  /usr/lib/systemd/system/targetclid.socket.

s15sp2:/etc/target # rctargetclid start

s15sp2:/etc/target # targetcli set global auto_use_daemon=true
Parameter auto_use_daemon is now 'true'.

s15sp2:/etc/target # targetcli
targetcli shell version 2.1.52
Entering targetcli interactive mode for daemonized approach.
Type 'exit' to quit.
/> saveconfig
Configuration saved to /etc/target/saveconfig.json
/> exit

s15sp2:/etc/target # ll
total 16
drwxr-xr-x 2 root root 4096 Jun  6 09:16 alua
drw------- 2 root root 4096 Jun 26 19:26 backup
drwxr-xr-x 2 root root 4096 Jun  6 09:16 pr
-rw-r--r-- 1 root root   69 Jul 27 15:50 saveconfig.json  <--- new file 644

s15sp2:/etc/target # rm -rf saveconfig.json

s15sp2:/etc/target # targetcli set global daemon_use_batch_mode=true
Parameter daemon_use_batch_mode is now 'true'.

s15sp2:/etc/target # targetcli
targetcli shell version 2.1.52
Entering targetcli batch mode for daemonized approach.
Enter multiple commands separated by newline and type 'exit' to run them all in one go.

/> saveconfig
/> exit
Configuration saved to /etc/target/saveconfig.json

s15sp2:/etc/target # ll
total 16
drwxr-xr-x 2 root root 4096 Jun  6 09:16 alua
drw------- 2 root root 4096 Jun 26 19:26 backup
drwxr-xr-x 2 root root 4096 Jun  6 09:16 pr
-rw-r--r-- 1 root root   69 Jul 27 15:55 saveconfig.json  <--- still 644

Please check the reason.
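The transcript above shows two distinct ways a config file can end up readable by every local user: a freshly created saveconfig.json inherits 644 from the umask, and a pre-existing file keeps whatever mode it already had (755 in the test). The following is an added example, not code from this bug report, from targetcli-fb or from rtslib-fb; it is a small Python audit plus a "write privately" routine that closes both gaps. The function names (`audit_tree`, `save_private`), the target modes 0600/0700 and the temporary-directory scenario are assumptions chosen for illustration; the actual upstream fix is the pull request linked in the description.

```python
import json
import os
import stat

# Target modes: the advisory is about the config directory, the backup
# directory and the saved configs being accessible to users other than root.
# (Assumed values for this example, not taken from the project.)
PRIVATE_FILE_MODE = 0o600
PRIVATE_DIR_MODE = 0o700


def loose_mode(path):
    """Return the permission bits of path that grant group or other any access.

    Symlinks are not followed; their own mode bits are meaningless, so 0.
    """
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return 0
    return stat.S_IMODE(st.st_mode) & 0o077


def audit_tree(root):
    """Walk root (the config directory) and return [(path, mode)] for every
    directory or regular file that group or others can access."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        candidates = [dirpath] + [os.path.join(dirpath, n) for n in filenames]
        for path in candidates:
            if loose_mode(path):
                mode = stat.S_IMODE(os.lstat(path).st_mode)
                findings.append((path, format(mode, "04o")))
    return sorted(findings)


def save_private(path, config):
    """Write config as JSON to path so that the file ends up 0600 and its
    directory 0700, whatever the umask is and whatever mode an existing
    file had. Returns the resulting file mode."""
    directory = os.path.dirname(path)
    # makedirs applies the umask and does nothing for an existing directory,
    # so an explicit chmod is needed to guarantee the final mode.
    os.makedirs(directory, mode=PRIVATE_DIR_MODE, exist_ok=True)
    os.chmod(directory, PRIVATE_DIR_MODE)

    # The mode argument of os.open only matters when the file is created,
    # and even then the umask is applied to it. fchmod on the open
    # descriptor covers both cases seen in comment 13: a fresh file under a
    # permissive umask, and a pre-existing file someone left at 0755.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, PRIVATE_FILE_MODE)
    try:
        os.fchmod(fd, PRIVATE_FILE_MODE)
    except OSError:
        os.close(fd)
        raise
    with os.fdopen(fd, "w") as fh:
        json.dump(config, fh, indent=2)
    return stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    import tempfile

    # Constructed scenario mirroring the reproducer: a saveconfig.json that
    # was chmod'ed to 0755 in a directory created with the default umask.
    base = tempfile.mkdtemp()
    root = os.path.join(base, "target")
    cfg = os.path.join(root, "saveconfig.json")
    os.makedirs(root)
    with open(cfg, "w") as fh:
        fh.write("{}")
    os.chmod(cfg, 0o755)
    print("before:", audit_tree(root))
    save_private(cfg, {"storage_objects": [], "targets": []})
    print("after: ", audit_tree(root))
```

Running `audit_tree` against the real `/etc/target` after an update is a quick way to confirm that the directory, `backup/` and `saveconfig.json` are no longer group- or world-accessible; the point of `save_private` is that correctness does not depend on the caller's umask or on the file's previous mode.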
Comment 14 Swamp Workflow Management 2020-07-30 16:16:57 UTC
SUSE-SU-2020:2086-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1172743
CVE References: CVE-2020-13867
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Python2 15-SP1 (src):    targetcli-fb-2.1.49-10.9.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    targetcli-fb-2.1.49-10.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Lee Duncan 2020-07-30 19:04:33 UTC
What version of python3-rtslib-fb do you have? You need version 2.1.73, which was submitted to SLE-15-SP3 about 3 weeks ago.

See bsc#1173257, request#221888
Comment 16 ming li 2020-07-31 07:44:35 UTC
(In reply to Lee Duncan from comment #15)
> What version of python3-rtslib-fb do you have? You need version 2.1.73,
> which was submitted to SLE-15-SP3 about 3 weeks ago.
> 
> See bsc#1173257, request#221888

The latest version of python3-rtslib-fb on sle15sp2 is 2.1.71-1.21. I see a correlation between S:M:15574:221253 and S:M:15683:221947, maybe I can combine them together for a test, I will assign myself S:M:15683:221947. Is my understanding correct?
Comment 17 Swamp Workflow Management 2020-07-31 16:12:59 UTC
SUSE-SU-2020:2101-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1172743
CVE References: CVE-2020-13867
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Python2 15-SP2 (src):    targetcli-fb-2.1.52-3.3.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    targetcli-fb-2.1.52-3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 18 Lee Duncan 2020-07-31 17:12:27 UTC
(In reply to ming li from comment #16)
> (In reply to Lee Duncan from comment #15)
> > What version of python3-rtslib-fb do you have? You need version 2.1.73,
> > which was submitted to SLE-15-SP3 about 3 weeks ago.
> > 
> > See bsc#1173257, request#221888
> 
> The latest version of python3-rtslib-fb on sle15sp2 is 2.1.71-1.21. I see a
> correlation between S:M:15574:221253 and S:M:15683:221947, maybe I can
> combine them together for a test, I will assign myself S:M:15683:221947. Is
> my understanding correct?

Yes, I believe so.
Comment 19 Swamp Workflow Management 2020-08-03 19:56:55 UTC
openSUSE-SU-2020:1141-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1172743
CVE References: CVE-2020-13867
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    targetcli-fb-2.1.49-lp151.2.10.1
Comment 20 Swamp Workflow Management 2020-08-04 04:12:56 UTC
openSUSE-SU-2020:1144-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1172743
CVE References: CVE-2020-13867
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    targetcli-fb-2.1.52-lp152.2.3.1
Comment 21 Swamp Workflow Management 2020-08-28 13:13:40 UTC
SUSE-SU-2020:2360-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1172743
CVE References: CVE-2020-13867
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src):    targetcli-fb-2.1.43-7.9.4

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 22 Lee Duncan 2022-08-04 20:58:35 UTC
(In reply to ming li from comment #13)
> I'm testing S:M:15574:221253, in sles15sp2 platform, after upgrading the
> targetcli-fb program, the targetcli command creates saveconfig.json file
> permission attribute is always 644. If I change the permissions of the
> saveconfig.json file to some other value (e.g. 755), the program will not
> change the permissions of the file to 600. reproducer steps:
> 
> s15sp2:/etc/target # rpm -qa|grep targetcli-fb
> targetcli-fb-common-2.1.52-3.3.1.noarch
> python3-targetcli-fb-2.1.52-3.3.1.noarch
> python2-targetcli-fb-2.1.52-3.3.1.noarch
> 
> 1.
> s15sp2:/etc/target # ll
> total 12
> drwxr-xr-x 2 root root 4096 Jun  6 09:16 alua
> drw------- 2 root root 4096 Jul 27 16:11 backup
> drwxr-xr-x 2 root root 4096 Jun  6 09:16 pr
> 
> 2.
> s15sp2:/etc/target # targetcli
> targetcli shell version 2.1.52
> Copyright 2011-2013 by Datera, Inc and others.
> For help on commands, type 'help'.
> 
> /> cd backstores/fileio
> /backstores/fileio> create disk0 /tmp/disk0.img 10MB
> Created fileio disk0 with size 10485760
> /backstores/fileio> cd ../../
> /> saveconfig
> Configuration saved to /etc/target/saveconfig.json
> /> exit
> Global pref auto_save_on_exit=true
> Last 10 configs saved in /etc/target/backup/.
> Configuration saved to /etc/target/saveconfig.json
> 
> 3.
> s15sp2:/etc/target # ll
> total 16
> drwxr-xr-x 2 root root 4096 Jun  6 09:16 alua
> drw------- 2 root root 4096 Jul 27 16:12 backup
> drwxr-xr-x 2 root root 4096 Jun  6 09:16 pr
> -rw-r--r-- 1 root root 1815 Jul 27 16:12 saveconfig.json   <--- new file 644
> 
> 
> s15sp2:/etc/target # chmod 755 saveconfig.json 
> 
> s15sp2:/etc/target # targetcli
> targetcli shell version 2.1.52
> Copyright 2011-2013 by Datera, Inc and others.
> For help on commands, type 'help'.
> 
> /> pwd
> /
> /> saveconfig
> Last 10 configs saved in /etc/target/backup/.
> Configuration saved to /etc/target/saveconfig.json
> /> exit
> Global pref auto_save_on_exit=true
> Configuration saved to /etc/target/saveconfig.json
> 
> s15sp2:/etc/target # ll
> total 16
> drwxr-xr-x 2 root root 4096 Jun  6 09:16 alua
> drw------- 2 root root 4096 Jul 27 16:46 backup
> drwxr-xr-x 2 root root 4096 Jun  6 09:16 pr
> -rwxr-xr-x 1 root root 1815 Jul 27 16:46 saveconfig.json  <--- still 755
> 
> And I also tested targetclid, which is the same result:
> 
> s15sp2:/etc # systemctl enable targetclid.socket
> Created symlink /etc/systemd/system/sockets.target.wants/targetclid.socket 
> /usr/lib/systemd/system/targetclid.socket.
> 
> s15sp2:/etc/target # rctargetclid start
> 
> s15sp2:/etc/target # targetcli set global auto_use_daemon=true
> Parameter auto_use_daemon is now 'true'.
> 
> s15sp2:/etc/target # targetcli
> targetcli shell version 2.1.52
> Entering targetcli interactive mode for daemonized approach.
> Type 'exit' to quit.
> /> saveconfig
> Configuration saved to /etc/target/saveconfig.json
> /> exit
> 
> s15sp2:/etc/target # ll
> total 16
> drwxr-xr-x 2 root root 4096 Jun  6 09:16 alua
> drw------- 2 root root 4096 Jun 26 19:26 backup
> drwxr-xr-x 2 root root 4096 Jun  6 09:16 pr
> -rw-r--r-- 1 root root   69 Jul 27 15:50 saveconfig.json  <--- new file 644
> 
> s15sp2:/etc/target # rm -rf saveconfig.json
> 
> s15sp2:/etc/target # targetcli set global daemon_use_batch_mode=true
> Parameter daemon_use_batch_mode is now 'true'.
> 
> s15sp2:/etc/target # targetcli
> targetcli shell version 2.1.52
> Entering targetcli batch mode for daemonized approach.
> Enter multiple commands separated by newline and type 'exit' to run them all
> in one go.
> 
> /> saveconfig
> /> exit
> Configuration saved to /etc/target/saveconfig.json
> 
> s15sp2:/etc/target # ll
> total 16
> drwxr-xr-x 2 root root 4096 Jun  6 09:16 alua
> drw------- 2 root root 4096 Jun 26 19:26 backup
> drwxr-xr-x 2 root root 4096 Jun  6 09:16 pr
> -rw-r--r-- 1 root root   69 Jul 27 15:55 saveconfig.json  <--- still 644
> 
> Please check the reason.

Ming: apologies for letting this slip through the cracks!

I see I have the fix for this, in SLE-15-SP2, but I never submitted it for some reason. And the comments in this bug report don't show that I've updated it, either. :-/

I have the fix in home:lee_duncan:branches:SUSE:SLE-12-SP2:Update/targetcli-fb. I will attach the RPM for x86_64. Please test, though I'm pretty sure this is the correct fix. If I don't hear back from you (it's been a while) I'll go ahead and submit this.
Comment 23 Lee Duncan 2022-08-04 21:01:53 UTC
Created attachment 860619 [details]
RPM for SLE-15-SP2:Update x86_64 for targetcli-fb

This RPM should set mode 644 for saveconfig.json.
Comment 27 Lee Duncan 2022-08-08 16:28:01 UTC
Reassigning back to security.