World-readable /etc/shadow, /etc/shadow-, /etc/gshadow, /etc/gshadow-

Moderate
travier published GHSA-2m76-cwhg-7wv6 Apr 9, 2024

Package                          Affected versions            Patched versions
Fedora Atomic Desktops (Fedora)  39 and later                 39.20240410.1
Fedora CoreOS next (Fedora)      38.20230902.1.1 and later    40.20240408.1.0
Fedora CoreOS stable (Fedora)    38.20230902.3.0 and later    39.20240322.3.1
Fedora CoreOS testing (Fedora)   38.20230902.2.1 and later    39.20240407.2.0
Fedora IoT (Fedora)              39 and later                 None

Description

Impact

The /etc/shadow, /etc/shadow-, /etc/gshadow and /etc/gshadow- files in a default build have the world-readable bit set.

This only impacts commits built with rpm-ostree starting with v2023.6.

This only impacts new installations, not updated systems; systems installed from artifacts generated before this release are therefore not impacted.

On systems with SELinux enabled and in enforcing mode, access to those files is limited to unconfined (usually interactive) users, unconfined systemd services and privileged containers. Confined daemons, users and containers are not able to access them.

Patches

The patches for rpm-ostree are available in #4911. They include a systemd unit to fix existing systems on update.

Workarounds

To immediately fix existing systems, you can run the following command as root:

chmod --verbose 0000 /etc/shadow /etc/gshadow /etc/shadow- /etc/gshadow-
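An added audit helper, not part of the advisory, that checks the same four files for the world-readable bit and, when asked, applies the chmod above to the exposed ones. It assumes GNU coreutils stat(1) and takes the directory as a parameter so it can be exercised against a constructed test tree instead of the live /etc:

```shell
#!/bin/sh
# Audit (and optionally repair) the permission bits of the shadow files.
# Assumptions: GNU coreutils stat ("stat -c %a"); ROOT defaults to /etc but
# may point at any directory holding copies of the four files.

SHADOW_FILES="shadow shadow- gshadow gshadow-"

# world_readable FILE: succeeds (0) if the "other" read bit is set.
# "%a" prints the octal mode without leading zeros, so the last digit is
# always the "other" class; the bit-and with 4 tests its read bit.
world_readable() {
    mode=$(stat -c '%a' "$1") || return 2
    other=${mode#"${mode%?}"}
    [ $(( other & 4 )) -ne 0 ]
}

# audit_shadow_perms ROOT [fix]
# Prints one line per file. Returns 1 if any file was found world-readable,
# 0 otherwise (a missing backup file such as shadow- is reported but is not
# a finding). With "fix" as the second argument the advisory's workaround
# (chmod 0000) is applied to every exposed file; the return value still
# reports what was found, so callers can tell a repair took place.
audit_shadow_perms() {
    root=${1:-/etc}
    fix=${2:-}
    rc=0
    for name in $SHADOW_FILES; do
        f="$root/$name"
        if [ ! -e "$f" ]; then
            echo "MISSING  $f"
            continue
        fi
        if world_readable "$f"; then
            echo "EXPOSED  $f (mode $(stat -c '%a' "$f"))"
            rc=1
            [ "$fix" = fix ] && chmod --verbose 0000 "$f"
        else
            echo "OK       $f (mode $(stat -c '%a' "$f"))"
        fi
    done
    return $rc
}
```

Run `audit_shadow_perms` (read-only) from a monitoring job, or `audit_shadow_perms /etc fix` as root to repair a system in place.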

References

This issue was inadvertently introduced in #4503, which was first released in rpm-ostree v2023.6.

Affected projects

rpm-ostree v2023.6 was never released in Fedora, but v2023.7 first reached Bodhi stable in early September 2023.

See CVE-2024-2905 for impacted Red Hat products.

Fedora CoreOS

Fedora CoreOS versions were affected when rpm-ostree-2023.7-1 entered the CoreOS Assembler build container. Tracing the testing-devel stream, the last good and first bad were:

  • 38.20230904.20.0 -> good
  • 38.20230906.20.1 -> bad

So the bad version of rpm-ostree got into CoreOS Assembler ~09/06/2023. Here are the last good and first bad for each of our production streams:

  • stable
    • 38.20230819.3.0 -> good
    • 38.20230902.3.0 -> bad
  • testing
    • 38.20230902.2.0 -> good
    • 38.20230902.2.1 -> bad
  • next
    • 38.20230902.1.0 -> good
    • 38.20230902.1.1 -> bad

Fedora Atomic Desktops and Fedora IoT

Fedora IoT and Fedora Atomic Desktops (Silverblue, Kinoite, Sway Atomic, Budgie Atomic) systems that were installed from Fedora 39 and later release media and ISOs are affected.

Systems that were installed using Fedora 38 or earlier release media and have since been updated are NOT impacted.

Severity

Moderate


CVSS v3 base metrics

Attack vector
Local
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE ID

CVE-2024-2905

Credits