Bugzilla – Bug 864544
VUL-0: CVE-2013-4577: grub2: grub-cfg with hashed passwords public readable
Last modified: 2014-03-06 04:35:44 UTC
CVE-2013-4577: grub-mkconfig on Debian and derivatives sets mode 444 on grub.cfg configuration files if there are no plaintext passwords in the configuration file. However, the permissions are still set world readable if the password_pbkdf2 directive includes a hashed password.
References:
http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4577.html
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4577
bugbot adjusting priority
I'm going to set the permission to 440 if there's a plain password grepped in the grub.cfg. As Josef implemented the password feature for SLE12 and yast also created this password file, I think we should also check with it. Hi Josef, could you please help check that the file permission is not globally readable if it contains a plain text password? (And if you use a hashed password it should be fine leaving it.) Thanks.
Michael - I set password file permissions to 0755 as it is executable, but as it is run only by root, maybe 0700 is good enough. Affected line is: https://github.com/yast/yast-bootloader/blob/master/src/lib/bootloader/grub2pwd.rb#L25
Hi Josef, Thanks for feedback. Yes I agree with you.
Fix sent as https://github.com/yast/yast-bootloader/pull/46 (only related to permissions for the 42_password file).
The CVE is for fixing Debian's own patch, which we don't apply. I checked upstream's permission settings on SLE12 and they are actually stricter.
$ ls -l /boot/grub2/grub.cfg
-rw------- 1 root root 6204 Mar 6 11:51 /boot/grub2/grub.cfg
So closing this issue as Josef has checked that the implementation wouldn't have a similar issue. Thanks. :)
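As an added example (not code from the bug report, grub or yast-bootloader), a POSIX shell audit that applies the rule behind CVE-2013-4577 to a grub.cfg: a file carrying either a plaintext `password` or a hashed `password_pbkdf2` directive must not be readable by group or others. It assumes GNU `stat` (Linux); the 0400 target mode and the sample configs are constructed for the example.

```shell
#!/bin/sh
# Added example, not grub or yast code: audit grub.cfg permissions the way the
# CVE-2013-4577 fix intends. Requires GNU stat. Sample configs are constructed.

# 0 if FILE contains a plaintext or hashed password directive, 1 otherwise.
# The Debian bug treated only the plaintext form as sensitive.
grub_cfg_has_password() {
    grep -Eq '^[[:space:]]*password(_pbkdf2)?[[:space:]]' "$1"
}

# 0 if any group or other permission bit is set on FILE, 1 otherwise.
grub_cfg_is_shared() {
    mode=$(stat -c '%a' "$1")      # e.g. 444, 600, 4755
    tail=${mode#"${mode%??}"}      # last two octal digits: group, other
    [ "$tail" != "00" ]
}

# Prints a verdict; returns 0 when FILE is acceptable, 1 when it leaks,
# 2 when the file does not exist.
audit_grub_cfg() {
    cfg=$1
    [ -f "$cfg" ] || { echo "$cfg: missing" >&2; return 2; }
    if grub_cfg_has_password "$cfg" && grub_cfg_is_shared "$cfg"; then
        echo "$cfg: INSECURE, password directive in a file with mode $(stat -c '%a' "$cfg")"
        return 1
    fi
    echo "$cfg: ok"
}

# Mitigation: drop group/other bits only when credentials are present.
# 0400 is this example's assumption, not a value taken from grub-mkconfig.
harden_grub_cfg() {
    if grub_cfg_has_password "$1" && grub_cfg_is_shared "$1"; then
        chmod 0400 "$1"
    fi
}

# Writes a constructed grub.cfg fragment with MODE and one DIRECTIVE line to a
# temp file and prints its path, so the audit can be exercised without /boot.
make_sample_cfg() {            # make_sample_cfg MODE DIRECTIVE_LINE
    sample=$(mktemp)
    printf 'set superusers="root"\n%s\nmenuentry "x" { linux /vmlinuz }\n' "$2" > "$sample"
    chmod "$1" "$sample"
    printf '%s\n' "$sample"
}

# Usage: sh audit_grub_cfg.sh /boot/grub2/grub.cfg [more files...]
for path in "$@"; do audit_grub_cfg "$path" || :; done
```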