Bug 1172743 (CVE-2020-13867) - VUL-0: CVE-2020-13867: targetcli-fb: weak permissions for /etc/target (and for the backup directory and backup files)
Status: RESOLVED FIXED
Alias: CVE-2020-13867
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium / Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/260872/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-13867:6.2:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2020-06-09 16:00 UTC by Wolfgang Frisch
Modified: 2024-07-26 10:19 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
lduncan: needinfo? (mli)


Attachments
RPM for SLE-15-SP2:Update x86_64 for targetcli-fb (57.01 KB, application/x-rpm), 2022-08-04 21:01 UTC, Lee Duncan
Test diffs for fixing this issue. (1.02 KB, patch), 2023-04-24 17:32 UTC, Lee Duncan

Description Wolfgang Frisch 2020-06-09 16:00:52 UTC
CVE-2020-13867

Open-iSCSI targetcli-fb through 2.1.52 has weak permissions for /etc/target (and
for the backup directory and backup files).

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-13867
http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-13867.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13867
https://github.com/open-iscsi/targetcli-fb/pull/172
Comment 1 Wolfgang Frisch 2020-06-09 16:06:08 UTC
SUSE:SLE-12-SP2:Update   targetcli-fb   Affected
SUSE:SLE-12-SP3:Update   targetcli-fb   Affected
SUSE:SLE-15-SP1:Update   targetcli-fb   Affected
SUSE:SLE-15:Update       targetcli-fb   Affected
Comment 2 Lee Duncan 2020-06-10 14:50:59 UTC
Submitted to factory
Comment 4 Lee Duncan 2020-06-26 16:53:17 UTC
I submitted maint. req. for open-iscsi for SLE-15-SP2:Update, where it's been accepted.

Submitted to SLE-15-SP1:Update (req#221164).
Comment 6 Lee Duncan 2020-06-26 18:49:21 UTC
Submitted to SLE-15:Update, but in a reduced way, since that version of targetcli-fb does not create directories, so there is no reason to protect said directories with correct permissions.
Comment 8 Lee Duncan 2020-06-26 22:04:08 UTC
Added to SLE-12-SP3:Update.
Comment 10 Lee Duncan 2020-06-26 23:31:05 UTC
And, lastly, submitted to SLE-12-SP2
Comment 12 Lee Duncan 2020-06-29 17:37:45 UTC
reassigning back to the big guns
Comment 13 ming li 2020-07-27 08:56:22 UTC
I'm testing S:M:15574:221253 on the SLES 15 SP2 platform. After upgrading the targetcli-fb package, the saveconfig.json file created by the targetcli command always has permission mode 644. If I change the permissions of the saveconfig.json file to some other value (e.g. 755), the program does not change the permissions of the file to 600. Reproducer steps:

s15sp2:/etc/target # rpm -qa|grep targetcli-fb
targetcli-fb-common-2.1.52-3.3.1.noarch
python3-targetcli-fb-2.1.52-3.3.1.noarch
python2-targetcli-fb-2.1.52-3.3.1.noarch

1.
s15sp2:/etc/target # ll
total 12
drwxr-xr-x 2 root root 4096 Jun  6 09:16 alua
drw------- 2 root root 4096 Jul 27 16:11 backup
drwxr-xr-x 2 root root 4096 Jun  6 09:16 pr

2.
s15sp2:/etc/target # targetcli
targetcli shell version 2.1.52
Copyright 2011-2013 by Datera, Inc and others.
For help on commands, type 'help'.

/> cd backstores/fileio
/backstores/fileio> create disk0 /tmp/disk0.img 10MB
Created fileio disk0 with size 10485760
/backstores/fileio> cd ../../
/> saveconfig
Configuration saved to /etc/target/saveconfig.json
/> exit
Global pref auto_save_on_exit=true
Last 10 configs saved in /etc/target/backup/.
Configuration saved to /etc/target/saveconfig.json

3.
s15sp2:/etc/target # ll
total 16
drwxr-xr-x 2 root root 4096 Jun  6 09:16 alua
drw------- 2 root root 4096 Jul 27 16:12 backup
drwxr-xr-x 2 root root 4096 Jun  6 09:16 pr
-rw-r--r-- 1 root root 1815 Jul 27 16:12 saveconfig.json   <--- new file 644


s15sp2:/etc/target # chmod 755 saveconfig.json 

s15sp2:/etc/target # targetcli
targetcli shell version 2.1.52
Copyright 2011-2013 by Datera, Inc and others.
For help on commands, type 'help'.

/> pwd
/
/> saveconfig
Last 10 configs saved in /etc/target/backup/.
Configuration saved to /etc/target/saveconfig.json
/> exit
Global pref auto_save_on_exit=true
Configuration saved to /etc/target/saveconfig.json

s15sp2:/etc/target # ll
total 16
drwxr-xr-x 2 root root 4096 Jun  6 09:16 alua
drw------- 2 root root 4096 Jul 27 16:46 backup
drwxr-xr-x 2 root root 4096 Jun  6 09:16 pr
-rwxr-xr-x 1 root root 1815 Jul 27 16:46 saveconfig.json  <--- still 755

And I also tested targetclid, which is the same result:

s15sp2:/etc # systemctl enable targetclid.socket
Created symlink /etc/systemd/system/sockets.target.wants/targetclid.socket → /usr/lib/systemd/system/targetclid.socket.

s15sp2:/etc/target # rctargetclid start

s15sp2:/etc/target # targetcli set global auto_use_daemon=true
Parameter auto_use_daemon is now 'true'.

s15sp2:/etc/target # targetcli
targetcli shell version 2.1.52
Entering targetcli interactive mode for daemonized approach.
Type 'exit' to quit.
/> saveconfig
Configuration saved to /etc/target/saveconfig.json
/> exit

s15sp2:/etc/target # ll
total 16
drwxr-xr-x 2 root root 4096 Jun  6 09:16 alua
drw------- 2 root root 4096 Jun 26 19:26 backup
drwxr-xr-x 2 root root 4096 Jun  6 09:16 pr
-rw-r--r-- 1 root root   69 Jul 27 15:50 saveconfig.json  <--- new file 644

s15sp2:/etc/target # rm -rf saveconfig.json

s15sp2:/etc/target # targetcli set global daemon_use_batch_mode=true
Parameter daemon_use_batch_mode is now 'true'.

s15sp2:/etc/target # targetcli
targetcli shell version 2.1.52
Entering targetcli batch mode for daemonized approach.
Enter multiple commands separated by newline and type 'exit' to run them all in one go.

/> saveconfig
/> exit
Configuration saved to /etc/target/saveconfig.json

s15sp2:/etc/target # ll
total 16
drwxr-xr-x 2 root root 4096 Jun  6 09:16 alua
drw------- 2 root root 4096 Jun 26 19:26 backup
drwxr-xr-x 2 root root 4096 Jun  6 09:16 pr
-rw-r--r-- 1 root root   69 Jul 27 15:55 saveconfig.json  <--- still 644

Please check the reason.
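The reproducer above shows two distinct things going wrong: a new saveconfig.json takes its mode from the umask (644), and an existing file's mode is left alone (755 stays 755). The mode matters because the file carries the whole target configuration, including any CHAP authentication values set through targetcli. The script below is an added example, not code from targetcli-fb or rtslib-fb: save_config() writes the file so that it ends up 0o600 in both cases, and audit_target_dir() lists the config file, the backup directory and the backup files that have any group/other bits set. The function names, DEFAULT_TARGET_DIR and the scratch layout in demo() are this example's own; every function takes the directory as a parameter so it can run against a temporary directory rather than /etc/target.

```python
"""Added example: pin and audit the modes of targetcli's saved config.
Not targetcli-fb or rtslib-fb code; names here are this example's own."""
import json
import os
import stat
import tempfile

# targetcli's real config directory; the functions take it as a parameter
# so the example (and its demo) can run against a scratch directory.
DEFAULT_TARGET_DIR = "/etc/target"
GROUP_OTHER_BITS = 0o077


def save_config(path, config, mode=0o600):
    """Write `config` as JSON to `path` so the result has exactly `mode`,
    regardless of the process umask and of the mode of any file already at
    `path`.  mkstemp() creates the temp file 0o600 via O_CREAT|O_EXCL, we
    fchmod() it to be explicit, then rename it over the old file: the
    rename keeps the temp file's mode, not the old file's."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp_path = tempfile.mkstemp(prefix=".saveconfig.", dir=directory)
    try:
        with os.fdopen(fd, "w") as f:
            os.fchmod(f.fileno(), mode)
            json.dump(config, f, indent=2)
        os.replace(tmp_path, path)
    except BaseException:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise
    return stat.S_IMODE(os.stat(path).st_mode)


def audit_target_dir(target_dir=DEFAULT_TARGET_DIR):
    """Return [(path, mode)] for saveconfig.json, the backup directory and
    each backup file whose group/other permission bits are not all clear."""
    backup_dir = os.path.join(target_dir, "backup")
    candidates = [os.path.join(target_dir, "saveconfig.json"), backup_dir]
    if os.path.isdir(backup_dir):
        candidates += [os.path.join(backup_dir, name)
                       for name in sorted(os.listdir(backup_dir))]
    findings = []
    for p in candidates:
        try:
            st = os.stat(p)
        except FileNotFoundError:
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & GROUP_OTHER_BITS:
            findings.append((p, mode))
    return findings


def demo():
    """Replay the reproducer in a scratch directory (constructed input):
    a permissive umask and a saveconfig.json an admin chmod'ed to 755."""
    old_umask = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as d:
            cfg = os.path.join(d, "saveconfig.json")
            with open(cfg, "w") as f:
                f.write("{}")
            os.chmod(cfg, 0o755)                 # step 3 of the reproducer
            os.mkdir(os.path.join(d, "backup"), 0o700)
            before = audit_target_dir(d)         # flags the 755 file
            after_mode = save_config(cfg, {"storage_objects": []})
            after = audit_target_dir(d)          # nothing left to flag
    finally:
        os.umask(old_umask)
    return {"before": before, "after_mode": after_mode, "after": after}


if __name__ == "__main__":
    for path, mode in audit_target_dir():
        print("%s is %04o (group/other bits set)" % (path, mode))
```

Run as-is on a target host it prints whatever under /etc/target is readable by group or other; demo() is what the test exercises.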
Comment 14 Swamp Workflow Management 2020-07-30 16:16:57 UTC
SUSE-SU-2020:2086-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1172743
CVE References: CVE-2020-13867
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Python2 15-SP1 (src):    targetcli-fb-2.1.49-10.9.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    targetcli-fb-2.1.49-10.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Lee Duncan 2020-07-30 19:04:33 UTC
What version of python3-rtslib-fb do you have? You need version 2.1.73, which was submitted to SLE-15-SP3 about 3 weeks ago.

See bsc#1173257, request#221888
Comment 16 ming li 2020-07-31 07:44:35 UTC
(In reply to Lee Duncan from comment #15)
> What version of python3-rtslib-fb do you have? You need version 2.1.73,
> which was submitted to SLE-15-SP3 about 3 weeks ago.
> 
> See bsc#1173257, request#221888

The latest version of python3-rtslib-fb on sle15sp2 is 2.1.71-1.21. I see a correlation between S:M:15574:221253 and S:M:15683:221947, maybe I can combine them together for a test, I will assign myself S:M:15683:221947. Is my understanding correct?
Comment 17 Swamp Workflow Management 2020-07-31 16:12:59 UTC
SUSE-SU-2020:2101-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1172743
CVE References: CVE-2020-13867
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Python2 15-SP2 (src):    targetcli-fb-2.1.52-3.3.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    targetcli-fb-2.1.52-3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 18 Lee Duncan 2020-07-31 17:12:27 UTC
(In reply to ming li from comment #16)
> (In reply to Lee Duncan from comment #15)
> > What version of python3-rtslib-fb do you have? You need version 2.1.73,
> > which was submitted to SLE-15-SP3 about 3 weeks ago.
> > 
> > See bsc#1173257, request#221888
> 
> The latest version of python3-rtslib-fb on sle15sp2 is 2.1.71-1.21. I see a
> correlation between S:M:15574:221253 and S:M:15683:221947, maybe I can
> combine them together for a test, I will assign myself S:M:15683:221947. Is
> my understanding correct?

Yes, I believe so.
Comment 19 Swamp Workflow Management 2020-08-03 19:56:55 UTC
openSUSE-SU-2020:1141-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1172743
CVE References: CVE-2020-13867
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    targetcli-fb-2.1.49-lp151.2.10.1
Comment 20 Swamp Workflow Management 2020-08-04 04:12:56 UTC
openSUSE-SU-2020:1144-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1172743
CVE References: CVE-2020-13867
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    targetcli-fb-2.1.52-lp152.2.3.1
Comment 21 Swamp Workflow Management 2020-08-28 13:13:40 UTC
SUSE-SU-2020:2360-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1172743
CVE References: CVE-2020-13867
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src):    targetcli-fb-2.1.43-7.9.4

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 22 Lee Duncan 2022-08-04 20:58:35 UTC
(In reply to ming li from comment #13)
> I'm testing S:M:15574:221253, in sles15sp2 platform, after upgrading the
> targetcli-fb program, the targetcli command creates saveconfig.json file
> permission attribute is always 644. If I change the permissions of the
> saveconfig.json file to some other value(.e.g 755), the program will not
> change the permissions of the file to 600. reproducer steps:
> 
> s15sp2:/etc/target # rpm -qa|grep targetcli-fb
> targetcli-fb-common-2.1.52-3.3.1.noarch
> python3-targetcli-fb-2.1.52-3.3.1.noarch
> python2-targetcli-fb-2.1.52-3.3.1.noarch
> 
> 1.
> s15sp2:/etc/target # ll
> total 12
> drwxr-xr-x 2 root root 4096 Jun  6 09:16 alua
> drw------- 2 root root 4096 Jul 27 16:11 backup
> drwxr-xr-x 2 root root 4096 Jun  6 09:16 pr
> 
> 2.
> s15sp2:/etc/target # targetcli
> targetcli shell version 2.1.52
> Copyright 2011-2013 by Datera, Inc and others.
> For help on commands, type 'help'.
> 
> /> cd backstores/fileio
> /backstores/fileio> create disk0 /tmp/disk0.img 10MB
> Created fileio disk0 with size 10485760
> /backstores/fileio> cd ../../
> /> saveconfig
> Configuration saved to /etc/target/saveconfig.json
> /> exit
> Global pref auto_save_on_exit=true
> Last 10 configs saved in /etc/target/backup/.
> Configuration saved to /etc/target/saveconfig.json
> 
> 3.
> s15sp2:/etc/target # ll
> total 16
> drwxr-xr-x 2 root root 4096 Jun  6 09:16 alua
> drw------- 2 root root 4096 Jul 27 16:12 backup
> drwxr-xr-x 2 root root 4096 Jun  6 09:16 pr
> -rw-r--r-- 1 root root 1815 Jul 27 16:12 saveconfig.json   <--- new file 644
> 
> 
> s15sp2:/etc/target # chmod 755 saveconfig.json 
> 
> s15sp2:/etc/target # targetcli
> targetcli shell version 2.1.52
> Copyright 2011-2013 by Datera, Inc and others.
> For help on commands, type 'help'.
> 
> /> pwd
> /
> /> saveconfig
> Last 10 configs saved in /etc/target/backup/.
> Configuration saved to /etc/target/saveconfig.json
> /> exit
> Global pref auto_save_on_exit=true
> Configuration saved to /etc/target/saveconfig.json
> 
> s15sp2:/etc/target # ll
> total 16
> drwxr-xr-x 2 root root 4096 Jun  6 09:16 alua
> drw------- 2 root root 4096 Jul 27 16:46 backup
> drwxr-xr-x 2 root root 4096 Jun  6 09:16 pr
> -rwxr-xr-x 1 root root 1815 Jul 27 16:46 saveconfig.json  <--- still 755
> 
> And I also tested targetclid, which is the same result:
> 
> s15sp2:/etc # systemctl enable targetclid.socket
> Created symlink /etc/systemd/system/sockets.target.wants/targetclid.socket → /usr/lib/systemd/system/targetclid.socket.
> 
> s15sp2:/etc/target # rctargetclid start
> 
> s15sp2:/etc/target # targetcli set global auto_use_daemon=true
> Parameter auto_use_daemon is now 'true'.
> 
> s15sp2:/etc/target # targetcli
> targetcli shell version 2.1.52
> Entering targetcli interactive mode for daemonized approach.
> Type 'exit' to quit.
> /> saveconfig
> Configuration saved to /etc/target/saveconfig.json
> /> exit
> 
> s15sp2:/etc/target # ll
> total 16
> drwxr-xr-x 2 root root 4096 Jun  6 09:16 alua
> drw------- 2 root root 4096 Jun 26 19:26 backup
> drwxr-xr-x 2 root root 4096 Jun  6 09:16 pr
> -rw-r--r-- 1 root root   69 Jul 27 15:50 saveconfig.json  <--- new file 644
> 
> s15sp2:/etc/target # rm -rf saveconfig.json
> 
> s15sp2:/etc/target # targetcli set global daemon_use_batch_mode=true
> Parameter daemon_use_batch_mode is now 'true'.
> 
> s15sp2:/etc/target # targetcli
> targetcli shell version 2.1.52
> Entering targetcli batch mode for daemonized approach.
> Enter multiple commands separated by newline and type 'exit' to run them all
> in one go.
> 
> /> saveconfig
> /> exit
> Configuration saved to /etc/target/saveconfig.json
> 
> s15sp2:/etc/target # ll
> total 16
> drwxr-xr-x 2 root root 4096 Jun  6 09:16 alua
> drw------- 2 root root 4096 Jun 26 19:26 backup
> drwxr-xr-x 2 root root 4096 Jun  6 09:16 pr
> -rw-r--r-- 1 root root   69 Jul 27 15:55 saveconfig.json  <--- still 644
> 
> Please check the reason.

Ming: apologies for letting this slip through the cracks!

I see I have the fix for this, in SLE-15-SP2, but I never submitted it for some reason. And the comments in this bug report don't show that I've updated it, either. :-/

I have the fix in home:lee_duncan:branches:SUSE:SLE-12-SP2:Update/targetcli-fb. I will attach the RPM for x86_64. Please test, though I'm pretty sure this is the correct fix. If I don't hear back from you (it's been a while) I'll go ahead and submit this.
Comment 23 Lee Duncan 2022-08-04 21:01:53 UTC
Created attachment 860619 [details]
RPM for SLE-15-SP2:Update x86_64 for targetcli-fb

This RPM should set mode 644 for saveconfig.json.
Comment 27 Lee Duncan 2022-08-08 16:28:01 UTC
Reassigning back to security.
Comment 28 Reinier Post 2023-04-24 16:54:56 UTC
I'm not sure how to report this, but today, on our SUSE Linux Enterprise Server 15 SP3 (on which we run Ceph) I installed the targetcli-fb (package python3-targetcli-fb-2.1.54-3.3.1.noarch) and issued commands such as:

  sudo targetcli saveconfig /tmp/targetcli.conf
  sudo targetcli saveconfig ~/targetcli.json
  sudo targetcli saveconfig /dev/stdout | tee ~/targetcli.json

The output was fine, but the system started to behave very strangely afterwards.

The cause: targetcli removes r and x permissions from the parent directory (/tmp, ~, and /dev, respectively)!

I think the issue is in /usr/lib/python3.6/site-packages/targetcli/ui_root.py, lines 98-116:

  import os
  import stat

  from configshell_fb import ExecutionError

  def _create_dir(self, dirname):
      '''
      create directory with permissions 0o600 set
      if directory already exists, set right perms
      '''
      mode = stat.S_IRUSR | stat.S_IWUSR  # 0o600
      if not os.path.exists(dirname):
          # Widen the umask only as far as `mode` needs, create, restore.
          umask = 0o777 ^ mode  # Prevents always downgrading umask to 0
          umask_original = os.umask(umask)
          try:
              os.makedirs(dirname, mode)
          except OSError as exe:
              raise ExecutionError("Cannot create directory [%s] %s."
                                   % (dirname, exe.strerror))
          finally:
              os.umask(umask_original)
      else:
          # Existing directory: forced to `mode` unconditionally. `dirname`
          # is the parent of whatever path the caller passed to saveconfig,
          # so this is what clamps /tmp, ~ or /dev to 0o600.
          if (os.stat(dirname).st_mode & 0o777) != mode:
              os.chmod(dirname, mode)

Clearly, dirname isn't always what the latest author assumed.

I'm assuming (but don't know how to verify) that this bug was introduced as part of this attempt to fix CVE-2020-13867: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/6BPXIASA4V6DSLONENRUIASAHPYZVW33/

Please try again.
Comment 29 Lee Duncan 2023-04-24 17:32:09 UTC
Created attachment 866545 [details]
Test diffs for fixing this issue.


Hi:

I can submit an update upstream, but can you test it first, just for a 2nd set of eyes? I tested it locally.

You will have to edit /usr/lib/python3.6/site-packages/targetcli/ui_root.py, so save a copy of it before you do. (I could also supply an RPM, if you prefer.) I'm pretty sure my changes are functionally correct, i.e. it now skips setting the mode of an existing directory unless it's /etc/target.

Personally, I dislike it setting the mode of any existing target -- isn't that the job of the sysadm? But that's just me.

I will submit this upstream (assuming it works for you), then it can make its way into SUSE Linux.
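To make the report in comment 28 and the fix described in comment 29 concrete, here is an added example (not targetcli-fb's code and not the attached patch): create_dir_buggy() keeps the quoted _create_dir logic, and create_dir_safe() only ever tightens a directory that is the managed config directory or lies inside it, leaving any other existing directory (the parent of a user-chosen save path such as /tmp or /dev) untouched. Assumptions that are this example's own: the names create_dir_safe, _is_managed and MANAGED_DIR; deciding "managed" by resolving symlinks and comparing paths; and using 0o700 for directories instead of the page's 0o600, so the owner keeps search permission. demo() replays the report against a scratch directory standing in for /tmp and /etc/target.

```python
"""Added example (not targetcli-fb code): the quoted _create_dir logic
beside a version that only tightens the directory it manages."""
import os
import stat
import tempfile

MANAGED_DIR = "/etc/target"   # targetcli's config dir; demo() substitutes a scratch path


def create_dir_buggy(dirname, mode=0o600):
    """The logic quoted from ui_root.py: create `dirname` with `mode`, or
    if it already exists chmod it to `mode` unconditionally.  Called with
    the parent of whatever path the user gave saveconfig, so an existing
    /tmp or /dev is clamped to 0o600.  Returns the resulting mode."""
    if not os.path.exists(dirname):
        umask_original = os.umask(0o777 ^ mode)
        try:
            os.makedirs(dirname, mode)
        finally:
            os.umask(umask_original)
    elif (os.stat(dirname).st_mode & 0o777) != mode:
        os.chmod(dirname, mode)
    return stat.S_IMODE(os.stat(dirname).st_mode)


def _is_managed(dirname, managed_dir):
    """True if dirname is managed_dir or lies under it (symlinks resolved)."""
    real = os.path.realpath(dirname)
    root = os.path.realpath(managed_dir)
    return real == root or real.startswith(root + os.sep)


def create_dir_safe(dirname, managed_dir=MANAGED_DIR, mode=0o700):
    """Create `dirname` with `mode` if it is missing.  Tighten an existing
    directory only when it is the managed config directory or inside it;
    any other existing directory is left exactly as the admin set it.
    Returns the resulting mode."""
    if not os.path.exists(dirname):
        umask_original = os.umask(0o777 ^ mode)
        try:
            os.makedirs(dirname, mode)
        finally:
            os.umask(umask_original)
    elif _is_managed(dirname, managed_dir):
        if stat.S_IMODE(os.stat(dirname).st_mode) != mode:
            os.chmod(dirname, mode)
    return stat.S_IMODE(os.stat(dirname).st_mode)


def demo():
    """Replay the report in a scratch tree (constructed layout): save to a
    file under an existing 0o755 directory standing in for /tmp with each
    version, then create a missing managed dir and re-tighten one an admin
    loosened.  Returns the observed directory modes."""
    results = {}
    old_umask = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as scratch:
            managed = os.path.join(scratch, "etc", "target")
            victim = os.path.join(scratch, "tmp")        # stand-in for /tmp
            os.mkdir(victim, 0o755)
            try:
                savefile = os.path.join(victim, "targetcli.conf")
                results["buggy_parent"] = create_dir_buggy(os.path.dirname(savefile))
                os.chmod(victim, 0o755)                   # undo the damage
                results["safe_parent"] = create_dir_safe(os.path.dirname(savefile), managed)
                results["created_managed"] = create_dir_safe(managed, managed)
                os.chmod(managed, 0o755)                  # admin loosened it
                results["tightened_managed"] = create_dir_safe(managed, managed)
                results["backup"] = create_dir_safe(os.path.join(managed, "backup"), managed)
            finally:
                os.chmod(victim, 0o755)                   # let cleanup remove it
    finally:
        os.umask(old_umask)
    return results


if __name__ == "__main__":
    for name, mode in demo().items():
        print("%-18s %04o" % (name, mode))
```

The check a reviewer would want on any variant of this fix is the one demo() encodes: after a save to a path outside the config directory, the parent directory's mode must be unchanged.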
Comment 30 Lee Duncan 2023-04-24 17:41:02 UTC
Note: in anticipation of this working for you (and since I tested it), I submitted a pull request upstream. I assume it will take them a bit to get to it.

See https://github.com/open-iscsi/targetcli-fb/pull/198
Comment 31 Lee Duncan 2023-04-24 17:41:12 UTC
Taking this bug.
Comment 32 Lee Duncan 2023-04-25 17:24:57 UTC
Changes for this submitted for Factory, since I haven't heard back from upstream yet.
Comment 33 Reinier Post 2023-04-25 18:18:06 UTC
I'm in awe at the speed at which this has been addressed.

I just tested on SUSE Linux Enterprise Server 15 SP4 (which our test servers run) and indeed, it fixes the issue.

Thanks a lot!
Comment 35 Andrea Mattiazzo 2024-07-26 10:19:07 UTC
All done, closing.