Bug 1194005 - (CVE-2022-23952) VUL-0: CVE-2022-23952: keylime: World-Readable keylime.conf Contains Potentially Sensitive Data
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Audits
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium Normal
Target Milestone: ---
Assigned To: Security Team bot
Depends on:
Blocks: 1191739
Reported: 2021-12-22 11:14 UTC by Matthias Gerstner
Modified: 2022-02-18 09:53 UTC (History)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Description Matthias Gerstner 2021-12-22 11:14:00 UTC
This bug is to keep track of keylime review report item 5.a:

### a) World-Readable keylime.conf Contains Potentially Sensitive Data

The configuration `/etc/keylime.conf` is installed world-readable:

    $ ls -l /etc/keylime.conf
    -rw-r--r-- 1 root root 26770 Dec 16 14:54 /etc/keylime.conf

This is the case for installations performed manually via the provided
`installer.sh` script as well as for the RPM packaging found in both openSUSE
Tumbleweed and Fedora 35 Linux distributions. Further distributions might be
affected.

`keylime.conf` contains a lot of information, some of it sensitive like the
TPM ownership password (`tpm_ownerpassword`), TLS certificate private key
passwords (`private_key_pw`, `registrar_private_key_pw`) or the database
password for the registrar (`database_password`). Thus this is a local
information leak, because arbitrary local users can obtain these passwords
from the configuration file.

NOTE: Alberto (in CC), our SUSE packager, already fixed the permission of the
file for openSUSE Tumbleweed in the meantime.

My recommendation is to make this file only accessible to _root_ and adjust
all installation routines and possibly documentation. Affected distributors
should be notified about this. The Keylime code could perform a sanity check
of the permissions of the configuration file before reading it in.
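The permission sanity check the report recommends, written here as an added example in Python (not keylime's own code): the loader refuses to parse the file unless it is owned by the expected uid and carries no group or other permission bits, and `demo()` replays the `-rw-r--r--` case from the report on a temporary file before applying the 0600 fix. The section name, the password value and the use of the current uid in place of root are constructed assumptions for the demo.

```python
import configparser
import os
import stat
import tempfile

def check_config_permissions(path, expected_uid=0):
    """Return findings; empty means owned by expected_uid and mode 0600 or stricter."""
    st = os.stat(path)
    findings = []
    if st.st_uid != expected_uid:
        findings.append("owner uid %d, expected %d" % (st.st_uid, expected_uid))
    if st.st_mode & stat.S_IROTH:
        findings.append("world-readable")
    if st.st_mode & stat.S_IRGRP:
        findings.append("group-readable")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or others")
    return findings

def read_config_if_safe(path, expected_uid=0):
    """Check permissions before parsing; refuse rather than read a leaky file."""
    findings = check_config_permissions(path, expected_uid)
    if findings:
        raise PermissionError("%s: %s" % (path, ", ".join(findings)))
    cp = configparser.ConfigParser()
    cp.read(path)
    return cp

def demo():
    """Replay the report on a temp file: 0644 is refused, 0600 is accepted."""
    # Constructed sample; the section name and value are not from keylime.conf.
    sample = "[example]\ntpm_ownerpassword = constructed-secret\n"
    uid = os.getuid()  # stand-in for root when this runs unprivileged
    fd, path = tempfile.mkstemp(suffix=".conf")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(sample)
        os.chmod(path, 0o644)  # as installed per the report (-rw-r--r--)
        before = check_config_permissions(path, uid)
        try:
            read_config_if_safe(path, uid)
            refused = False
        except PermissionError:
            refused = True
        os.chmod(path, 0o600)  # the recommended fix: owner-only access
        after = check_config_permissions(path, uid)
        secret = read_config_if_safe(path, uid)["example"]["tpm_ownerpassword"]
    finally:
        os.unlink(path)
    return before, refused, after, secret
```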
Comment 1 Matthias Gerstner 2022-01-26 09:33:52 UTC
Upstream has confirmed the issue and has assigned CVE-2022-23952.
Comment 3 Matthias Gerstner 2022-01-28 09:36:27 UTC
The issue is public now via the following security advisory:

https://github.com/keylime/keylime/security/advisories/GHSA-fchm-5w2v-qfm8
Comment 4 Gianluca Gabrielli 2022-02-18 09:53:14 UTC
Fixed in version 6.3.0 and both SLE-15-SP4 and Factory are updated.