| Summary: | targetcli new security issue CVE-2020-13867 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, geiger.david68210, sysadmin-bugs, tarazed25 |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| See Also: | https://bugs.mageia.org/show_bug.cgi?id=27042 | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | targetcli-2.1.fb49-2.mga8.src.rpm | CVE: | |
| Status comment: | |||
Description

David Walser
2020-08-05 00:58:42 CEST

David Walser
2020-08-05 02:19:57 CEST

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=27042

Fedora has issued an advisory for this on July 22:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6LANBGRCCZBPKKBD5ZMJS7C7DYAHYR6B/

The issue is fixed upstream in 2.1.53.

Status comment: (none) => Fixed upstream in 2.1.53

Done for both Cauldron and mga7!

CC: (none) => geiger.david68210

Advisory:
========================

Updated targetcli package fixes security vulnerability:

An access flaw was found in targetcli, where the /etc/target and underneath backup directory/files were world-readable. This flaw allows a local attacker to access potentially sensitive information such as authentication credentials from the /etc/target/saveconfig.json and backup files. The highest threat from this vulnerability is to confidentiality (CVE-2020-13867).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13867
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6LANBGRCCZBPKKBD5ZMJS7C7DYAHYR6B/
========================

Updated packages in core/updates_testing:
========================

targetcli-2.1.53-1.mga7

from targetcli-2.1.53-1.mga7.src.rpm

Assignee: lists.jjorge => qa-bugs

mga7, x86_64

Installed targetcli before updating to check file permissions.

```
/etc/target
drwxr-xr-x 3 root root 4096 Aug  8 17:16 target/

$ ll /etc/target
# targetcli
Warning: Could not load preferences file /root/.targetcli/prefs.bin.
targetcli shell version 2.1.fb49

/> ls
o- / ..................................................................... [...]
  o- backstores .......................................................... [...]
  | o- block .............................................. [Storage Objects: 0]
  | o- fileio ............................................. [Storage Objects: 0]
  | o- pscsi .............................................. [Storage Objects: 0]
  | o- ramdisk ............................................ [Storage Objects: 0]
  o- iscsi ........................................................ [Targets: 0]
  o- loopback ..................................................... [Targets: 0]
  o- vhost ........................................................ [Targets: 0]
  o- xen-pvscsi ................................................... [Targets: 0]
/> exit
Global pref auto_save_on_exit=true
Configuration saved to /etc/target/saveconfig.json

$ ll /etc/target
total 8
drwxr-xr-x 2 root root 4096 Jan  7  2019 backup/
-rw------- 1 root root   71 Aug  8 17:16 saveconfig.json
```

The JSON file is not world readable, backup is 755.

```
# cd /etc
# rm -rf target
```

Updated targetcli.

```
# targetcli
.....
/> exit
# ll target
total 8
drw------- 2 root root 4096 Aug  8 17:27 backup/
-rw------- 1 root root   71 Aug  8 17:27 saveconfig.json
```

backup/ now 600, so not vulnerable.

Used the example from the man page to test the operation of the shell.

```
# targetcli
...
/> backstores/fileio create test /tmp/test.img 100m
Created fileio test with size 104857600
/> iscsi/ create iqn.2006-04.com.example:test-target
Created target iqn.2006-04.com.example:test-target.
Created TPG 1.
Global pref auto_add_default_portal=true
Created default portal listening on all IPs (0.0.0.0), port 3260.
/> cd iscsi/iqn.2006-04.com.example:test-target/tpg1/
/iscsi/iqn.20...t-target/tpg1> set attribute generate_node_acls=1
Parameter generate_node_acls is now '1'.
/iscsi/iqn.20...t-target/tpg1> exit
Global pref auto_save_on_exit=true
Last 10 configs saved in /etc/target/backup/.
Configuration saved to /etc/target/saveconfig.json
# ll
total 8
drw------- 2 root root 4096 Aug  8 17:40 backup/
-rw------- 1 root root 3722 Aug  8 17:40 saveconfig.json
```

Good enough.

CC: (none) => tarazed25

Validating. Advisory in Comment 3.

CC: (none) => andrewsfarm, sysadmin-bugs
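The QA comments above verify the fix by reading `ll` output by hand. As an added example (not part of this bug report and not code from the targetcli project), the script below automates that check for the exposure the advisory describes: it reports every entry under the configuration directory that is readable by group or others, and can remove those bits. The default path `/etc/target` is the one named in the advisory; the function names and the script filename are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the bug report or from targetcli itself: audit the
# permissions of a targetcli configuration directory for the exposure
# described in CVE-2020-13867 (world-readable /etc/target and backup/).

# check_target_perms [DIR]
# Lists every entry under DIR (DIR itself included) whose mode grants read
# access to group or others. Returns 0 when nothing is exposed, 1 when at
# least one entry is, and 2 when DIR is not a directory. DIR defaults to
# /etc/target, the path named in the advisory.
check_target_perms() {
    dir=${1:-/etc/target}
    if [ ! -d "$dir" ]; then
        echo "check_target_perms: $dir is not a directory" >&2
        return 2
    fi
    # -perm -040: group read bit set; -perm -004: other read bit set.
    exposed=$(find "$dir" \( -perm -040 -o -perm -004 \) -print)
    if [ -n "$exposed" ]; then
        printf '%s\n' "$exposed" | while IFS= read -r entry; do
            ls -ld "$entry"
        done
        return 1
    fi
    return 0
}

# harden_target_perms [DIR]
# Strips every group/other permission bit below DIR so that only the owner
# (root, for /etc/target) can read the saved configuration and its backups.
harden_target_perms() {
    dir=${1:-/etc/target}
    [ -d "$dir" ] || return 2
    chmod -R go-rwx "$dir"
}

# Usage: sh targetcli-perms.sh [DIR]   (the script name is hypothetical)
# With no argument only the functions are defined, so the file can be sourced.
if [ -n "${1:-}" ]; then
    check_target_perms "$1"
fi
```

Run it before and after applying the update: a non-zero exit with listed entries reproduces the pre-update state the tester saw (backup/ at 755), and a silent zero exit matches the owner-only listing after the update.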
Dave Hodgins
2020-08-18 18:17:45 CEST

CC: (none) => davidwhodgins

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0326.html

Status: NEW => RESOLVED