Bugzilla – Bug 1207598
VUL-0: CVE-2022-45154: supportconfig: does not remove passwords in /etc/iscsi/iscsid.conf and /etc/target/lio_setup.sh
Last modified: 2024-06-26 12:19:17 UTC
+++ This bug was initially created as a clone of Bug #1206402 +++

Problem details:
Supportconfig writes the content of /etc/iscsi/iscsid.conf to etc.txt. Some passwords are written in iscsid.conf, so supportconfig is supposed to replace the passwords with another string. However, supportconfig does not replace the following 2 passwords,

node.session.auth.password_in = <password>
discovery.sendtargets.auth.password_in = <password>

though it replaces the following 2 passwords.

node.session.auth.password = *REMOVED BY SUPPORTCONFIG*
discovery.sendtargets.auth.password = *REMOVED BY SUPPORTCONFIG*

Please fix the supportutils package to replace the passwords specified by "***.password_in = ". The supportutils package for SLES 12 code streams and for LTSS versions of SLES 15 also has the same problem. So please fix it for them as well.

Version-Release number of selected component:
SLES version (incl. Service Pack): SLES15SP4
Architecture: x86_64
Kernel Version (uname -r): 5.14.21-150400.24.21-default
Related Package and Version: supportutils-3.1.21-150300.7.35.15.1
Related Middleware/Application (incl. version):
Architecture/Hardware dependency: None

Reproducibility: Always

Step to Reproduce:
1. Uncomment the following 2 lines in /etc/iscsi/iscsid.conf.
node.session.auth.password_in = password_in
discovery.sendtargets.auth.password_in = password_in
2. Run the command, "supportconfig".

Actual Results:
Supportconfig does not replace the passwords specified by "***.password_in = ".

Expected Results:
Supportconfig replaces the passwords specified by "***.password_in = " with the string, *REMOVED BY SUPPORTCONFIG*, as follows.
node.session.auth.password_in = *REMOVED BY SUPPORTCONFIG*
discovery.sendtargets.auth.password_in = *REMOVED BY SUPPORTCONFIG*

Summary of actions taken to resolve issue:
Users manually remove these passwords from etc.txt after running supportconfig.
Location of diagnostic data: None

Business Impact:
Customers may hesitate to provide a supportconfig archive because they are concerned about leakage of confidential information. This prevents providing smooth support services.

Additional Info:
This bug is related to bsc#1203818.

The following patch can fix this bug.

diff --git a/bin/supportconfig.rc b/bin/supportconfig.rc index a365479..ece3e62 100644 --- a/bin/supportconfig.rc +++ b/bin/supportconfig.rc @@ -475,6 +475,7 @@ _sanitize_file() { sed -i -e "s!\(<user_password>\).*\(</user_password>\)!\1$REPLACED\2!g;s/\(^ProxyUser[[:space:]]*=\).*/\1 $REPLACED/g" $CLEAN_FILE sed -i -e "s/\(^credentials[[:space:]]*=\).*/\1 $REPLACED/g;s/\(secret[[:space:]]*=\).*/\1 $REPLACED/g" $CLEAN_FILE sed -i -e "s/\(.*password.*}[[:space:]]*=\).*/\1 $REPLACED/g" $CLEAN_FILE + sed -i -e "s/\(.*password_in[[:space:]]*=\).*/\1 $REPLACED/g" $CLEAN_FILE }
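Review bot: The added `sed -i -e "s/\(.*password_in[[:space:]]*=\).*/\1 $REPLACED/g" $CLEAN_FILE` covers only the `key = value` form from /etc/iscsi/iscsid.conf; none of the visible rules in _sanitize_file() match the `echo -n <password> > /sys/kernel/config/target/iscsi/discovery_auth/password` lines from /etc/target/lio_setup.sh described in the second problem of this report, so as posted the patch addresses one of the two cases filed under the CVE and fs-iscsi.txt would still carry those values. A second rule keyed on the `echo -n ... > .../password` shape is needed for that file. Minor style point: the new rule is a fourth separate `sed -i` pass over $CLEAN_FILE; it could be appended with `;` to the preceding `-e` expression, as the first two lines of the context already do for their pairs of rules.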
Problem details:
Supportconfig writes the content of /etc/target/lio_setup.sh to fs-iscsi.txt. In lio_setup.sh, some passwords are written as follows.

echo -n <password> > /sys/kernel/config/target/iscsi/discovery_auth/password_mutual
echo -n <password> > /sys/kernel/config/target/iscsi/discovery_auth/password

Supportconfig is supposed to replace the passwords with another string, but supportconfig does not replace the above passwords. Please fix the supportutils package to replace the above passwords.

Version-Release number of selected component:
SLES version (incl. Service Pack): SLES12SP5
Architecture: x86_64
Kernel Version (uname -r): 4.12.14-122.139-default
Related Package and Version: supportutils-3.0.10-95.51.1
Related Middleware/Application (incl. version):
Architecture/Hardware dependency: None

Reproducibility: Always

Step to Reproduce:
1. Run "yast iscsi-lio-server".
2. Go to "Global" tab and set up authentication information.
3. Select "Finish".
4. Run "supportconfig".

Actual Results:
Supportconfig does not replace the passwords written in /etc/target/lio_setup.sh.

Expected Results:
Supportconfig replaces the passwords in /etc/target/lio_setup.sh with the string, *REMOVED BY SUPPORTCONFIG*, as follows.
echo -n *REMOVED BY SUPPORTCONFIG* > /sys/kernel/config/target/iscsi/discovery_auth/password_mutual
echo -n *REMOVED BY SUPPORTCONFIG* > /sys/kernel/config/target/iscsi/discovery_auth/password

Summary of actions taken to resolve issue:
Users manually remove these passwords from fs-iscsi.txt after running supportconfig.

Location of diagnostic data: None

Business Impact:
Customers may hesitate to provide a supportconfig archive because they are concerned about leakage of confidential information. This prevents providing smooth support services.

Additional Info:
This bug is related to bsc#1203818.
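As an added illustration of the gap behind both problem reports above (example code written for this page, not the supportutils sanitizer itself, whose full rule set is not shown in this bug): a hypothetical "before" rule keyed on "password =" leaves the "password_in =" values of iscsid.conf and the "echo -n <password> > .../password" lines of lio_setup.sh untouched, an extended rule set replaces both, and a small post-run check counts what a collected archive still carries. The file contents, secret values and the "before" rule are constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from supportutils. It reproduces the sanitizer gap
# from this bug on constructed data and shows a post-run leak check.

REPLACED='*REMOVED BY SUPPORTCONFIG*'   # marker supportconfig writes in place of secrets

# Constructed sample of /etc/iscsi/iscsid.conf; the secret values are made up.
ISCSID_SAMPLE='node.session.auth.username = iqn-user
node.session.auth.password = s3cret-out
node.session.auth.password_in = s3cret-in
discovery.sendtargets.auth.password = disc-out
discovery.sendtargets.auth.password_in = disc-in'

# Constructed sample of /etc/target/lio_setup.sh.
LIO_SAMPLE='echo -n lio-mutual-pw > /sys/kernel/config/target/iscsi/discovery_auth/password_mutual
echo -n lio-pw > /sys/kernel/config/target/iscsi/discovery_auth/password'

# Hypothetical pre-fix rule (assumed for illustration; the real rule set is not
# shown in this bug): it only replaces values whose key ends in "password",
# so "password_in" (an underscore, not "=", follows the keyword) is skipped,
# and the lio_setup.sh lines contain no "=" at all.
sanitize_before() {
    printf '%s\n' "$1" | sed -e "s|\(password[[:space:]]*=\).*|\1 $REPLACED|"
}

# Extended rule set: the password_in rule from this bug's patch, plus an
# assumed rule for the lio_setup.sh "echo -n <secret> > .../password*" form.
sanitize_after() {
    printf '%s\n' "$1" | sed \
        -e "s|\(password[[:space:]]*=\).*|\1 $REPLACED|" \
        -e "s|\(password_in[[:space:]]*=\).*|\1 $REPLACED|" \
        -e "s|^\(echo -n \).*\( > /sys/kernel/config/target/iscsi/.*/password.*\)|\1$REPLACED\2|"
}

# Post-run check for a collected archive: count lines that still carry a
# value after a password-like key, or an "echo -n" write into a password
# node, without the replacement marker. A non-zero count means a leak.
count_leaks() {
    printf '%s\n' "$1" \
        | grep -E -i 'password[a-z_]*[[:space:]]*=|^echo -n .* > .*/password' \
        | grep -v -F "$REPLACED" \
        | wc -l | tr -d ' '
}

# Demonstration on the constructed samples (leak counts per stage).
echo "iscsid.conf: raw=$(count_leaks "$ISCSID_SAMPLE") before=$(count_leaks "$(sanitize_before "$ISCSID_SAMPLE")") after=$(count_leaks "$(sanitize_after "$ISCSID_SAMPLE")")"
echo "lio_setup.sh: raw=$(count_leaks "$LIO_SAMPLE") before=$(count_leaks "$(sanitize_before "$LIO_SAMPLE")") after=$(count_leaks "$(sanitize_after "$LIO_SAMPLE")")"
```

The count_leaks check is the part worth keeping around independently of the fix: run over etc.txt and fs-iscsi.txt of a fresh supportconfig archive, it flags any password-like line that still lacks the marker before the archive leaves the machine.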
I allocated a single CVE, CVE-2022-45154, for both issues.
Fixes have been checked in upstream to github for both sles12 and sles15.
I have created maintenance requests as shown below. I am waiting on openSUSE:Factory review.

> iosc mr -m "Please include SLES12 SP0-SP5 and enable LTSS" openSUSE.org:isv:SUSE:SupportTools:SLE12 supportutils SUSE:SLE-12:Update
Using target project 'SUSE:Maintenance'. (release in 'SUSE:SLE-12:Update')
300272

> iosc mr -m "Please include SLES15 SP0-SP5 and enable LTSS" openSUSE.org:openSUSE:Factory supportutils SUSE:SLE-15:Update
Using target project 'SUSE:Maintenance'. (release in 'SUSE:SLE-15:Update')
300273

> iosc mr -m "Please include SLES15 SP0-SP5 and enable LTSS" openSUSE.org:openSUSE:Factory supportutils SUSE:SLE-15-SP3:Update
Using target project 'SUSE:Maintenance'. (release in 'SUSE:SLE-15-SP3:Update')
300274
SUSE-SU-2023:2465-1: An update that solves one vulnerability and has three fixes can now be installed.

Category: security (moderate)
Bug References: 1196933, 1206350, 1206608, 1207598
CVE References: CVE-2022-45154
Sources used:
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): supportutils-3.0.11-95.54.1
SUSE Linux Enterprise Server 12 SP5 (src): supportutils-3.0.11-95.54.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): supportutils-3.0.11-95.54.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
clearing maint-coord needinfo.
Dear Jason

The fix for SLES12 was released, but it appears that the fix for SLES15 has not been released yet.
Can I expect a release for the SLES15 fix as well?
What is the current status of the fix for SLES15?

Thank you in advance.
(In reply to Kent Konishi from comment #13)
> Dear Jason
>
> The fix for SLES12 was released, but it appears that the fix for SLES15 has
> not been released yet.
> Can I expect a release for the SLES15 fix as well?
> What is the current status of the fix for SLES15?
>
> Thank you in advance.

Yes, I noticed that this week. I thought it had been released. I have resubmitted it to OpenSUSE:Factory and waiting for acceptance.
(In reply to Jason Record from comment #14)
> (In reply to Kent Konishi from comment #13)
> > Dear Jason
> >
> > The fix for SLES12 was released, but it appears that the fix for SLES15 has
> > not been released yet.
> > Can I expect a release for the SLES15 fix as well?
> > What is the current status of the fix for SLES15?
> >
> > Thank you in advance.
>
> Yes, I noticed that this week. I thought it had been released. I have
> resubmitted it to OpenSUSE:Factory and waiting for acceptance.

https://build.opensuse.org/request/show/1108455
SUSE-SU-2023:3803-1: An update that solves one vulnerability, contains one feature and has 14 security fixes can now be installed.

Category: security (moderate)
Bug References: 1181477, 1196933, 1204942, 1205533, 1206402, 1206608, 1207543, 1207598, 1208928, 1209979, 1210015, 1210950, 1211598, 1211599, 1213127
CVE References: CVE-2022-45154
Jira References: PED-1703
Sources used:
SUSE Enterprise Storage 7 (src): supportutils-3.1.26-150000.5.50.1
SUSE CaaS Platform 4.0 (src): supportutils-3.1.26-150000.5.50.1
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): supportutils-3.1.26-150000.5.50.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): supportutils-3.1.26-150000.5.50.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): supportutils-3.1.26-150000.5.50.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): supportutils-3.1.26-150000.5.50.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): supportutils-3.1.26-150000.5.50.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): supportutils-3.1.26-150000.5.50.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3822-1: An update that solves one vulnerability, contains one feature and has 14 security fixes can now be installed.

Category: security (moderate)
Bug References: 1181477, 1196933, 1204942, 1205533, 1206402, 1206608, 1207543, 1207598, 1208928, 1209979, 1210015, 1210950, 1211598, 1211599, 1213127
CVE References: CVE-2022-45154
Jira References: PED-1703
Sources used:
openSUSE Leap 15.4 (src): supportutils-3.1.26-150300.7.35.21.1
openSUSE Leap 15.5 (src): supportutils-3.1.26-150300.7.35.21.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): supportutils-3.1.26-150300.7.35.21.1
SUSE Linux Enterprise Micro 5.3 (src): supportutils-3.1.26-150300.7.35.21.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): supportutils-3.1.26-150300.7.35.21.1
SUSE Linux Enterprise Micro 5.4 (src): supportutils-3.1.26-150300.7.35.21.1
Basesystem Module 15-SP4 (src): supportutils-3.1.26-150300.7.35.21.1
Basesystem Module 15-SP5 (src): supportutils-3.1.26-150300.7.35.21.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): supportutils-3.1.26-150300.7.35.21.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): supportutils-3.1.26-150300.7.35.21.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): supportutils-3.1.26-150300.7.35.21.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): supportutils-3.1.26-150300.7.35.21.1
SUSE Manager Proxy 4.2 (src): supportutils-3.1.26-150300.7.35.21.1
SUSE Manager Retail Branch Server 4.2 (src): supportutils-3.1.26-150300.7.35.21.1
SUSE Manager Server 4.2 (src): supportutils-3.1.26-150300.7.35.21.1
SUSE Enterprise Storage 7.1 (src): supportutils-3.1.26-150300.7.35.21.1
SUSE Linux Enterprise Micro 5.1 (src): supportutils-3.1.26-150300.7.35.21.1
SUSE Linux Enterprise Micro 5.2 (src): supportutils-3.1.26-150300.7.35.21.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src): supportutils-3.1.26-150300.7.35.21.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Dear Jason

I have confirmed that the required updates have been released. I would like to express my appreciation for your support.
Please close this BZ, as well as other related BZs below.
https://bugzilla.suse.com/show_bug.cgi?id=1206350
https://bugzilla.suse.com/show_bug.cgi?id=1206402

Thank you for your kindness.
SUSE-SU-2023:3822-2: An update that solves one vulnerability, contains one feature and has 14 security fixes can now be installed.

Category: security (moderate)
Bug References: 1181477, 1196933, 1204942, 1205533, 1206402, 1206608, 1207543, 1207598, 1208928, 1209979, 1210015, 1210950, 1211598, 1211599, 1213127
CVE References: CVE-2022-45154
Jira References: PED-1703
Sources used:
SUSE Linux Enterprise Micro 5.5 (src): supportutils-3.1.26-150300.7.35.21.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.