ghsa-862g-9h5m-m3qv
Vulnerability from github
Published
2021-11-08 18:01
Modified
2022-09-08 14:25
Summary
coreos-installer < 0.10.0 writes world-readable Ignition config to installed system
Details

Impact

On systems installed with coreos-installer before 0.10.0, the user-provided Ignition config was written to /boot/ignition/config.ign with world-readable permissions, granting unprivileged users access to any secrets included in the config.

Default configurations of Fedora CoreOS and RHEL CoreOS do not include any unprivileged user accounts. In addition, instances launched from a cloud image, and systems provisioned with the ignition.config.url kernel argument, do not use the config.ign file and are unaffected.

Patches

coreos-installer 0.10.0 and later writes the Ignition config with restricted permissions.

Workarounds

On Fedora CoreOS systems installed from version 34.20210711.3.0 (stable), 34.20210711.2.0 (testing), 34.20210711.1.1 (next) and later, the /boot/ignition directory and its contents are removed after provisioning is complete. All Fedora CoreOS systems that have updated to these versions or later have automatically removed the /boot/ignition directory and no action is required.

On other systems, /boot/ignition/config.ign can be removed manually, as it is not used after provisioning is complete:

sudo mount -o remount,rw /boot sudo rm -rf /boot/ignition

References

For more information, see https://github.com/coreos/fedora-coreos-tracker/issues/889.

For more information

If you have any questions or comments about this advisory, open an issue in coreos-installer or email the CoreOS development mailing list.

Show details on source website


{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "coreos-installer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.10.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-3917"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-11-04T17:11:09Z",
    "nvd_published_at": "2022-08-23T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nOn systems installed with coreos-installer before 0.10.0, the user-provided Ignition config was written to `/boot/ignition/config.ign` with world-readable permissions, granting unprivileged users access to any secrets included in the config.\n\nDefault configurations of Fedora CoreOS and RHEL CoreOS do not include any unprivileged user accounts.  In addition, instances launched from a cloud image, and systems provisioned with the `ignition.config.url` kernel argument, do not use the `config.ign` file and are unaffected.\n\n### Patches\ncoreos-installer 0.10.0 and later [writes](https://github.com/coreos/coreos-installer/pull/571) the Ignition config with restricted permissions.\n\n### Workarounds\n\nOn Fedora CoreOS systems installed from version 34.20210711.3.0 (stable), 34.20210711.2.0 (testing), 34.20210711.1.1 (next) and later, the `/boot/ignition` directory and its contents are removed after provisioning is complete. All Fedora CoreOS systems that have updated to these versions or later have automatically removed the `/boot/ignition` directory and no action is required.\n\nOn other systems, `/boot/ignition/config.ign` can be removed manually, as it is not used after provisioning is complete:\n\n```\nsudo mount -o remount,rw /boot\nsudo rm -rf /boot/ignition\n```\n\n### References\nFor more information, see https://github.com/coreos/fedora-coreos-tracker/issues/889.\n\n### For more information\nIf you have any questions or comments about this advisory, [open an issue in coreos-installer](https://github.com/coreos/coreos-installer/issues/new/choose) or email the CoreOS [development mailing list](https://lists.fedoraproject.org/archives/list/coreos@lists.fedoraproject.org/).",
  "id": "GHSA-862g-9h5m-m3qv",
  "modified": "2022-09-08T14:25:48Z",
  "published": "2021-11-08T18:01:13Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/coreos/coreos-installer/security/advisories/GHSA-862g-9h5m-m3qv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3917"
    },
    {
      "type": "WEB",
      "url": "https://github.com/coreos/fedora-coreos-tracker/issues/889"
    },
    {
      "type": "WEB",
      "url": "https://github.com/coreos/coreos-installer/commit/2a36405339c87b16ed6c76e91ad5b76638fbdb0c"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2021-3917"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2018478"
    },
    {
      "type": "WEB",
      "url": "https://github.com/coreos/coreos-installer"
    },
    {
      "type": "WEB",
      "url": "https://github.com/coreos/coreos-installer/releases/tag/v0.10.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "coreos-installer \u003c 0.10.0 writes world-readable Ignition config to installed system"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.