Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS04NjJnLTloNW0tbTNxds0W6A
coreos-installer < 0.10.0 writes world-readable Ignition config to installed system
Impact
On systems installed with coreos-installer before 0.10.0, the user-provided Ignition config was written to /boot/ignition/config.ign with world-readable permissions, granting unprivileged users access to any secrets included in the config.
Default configurations of Fedora CoreOS and RHEL CoreOS do not include any unprivileged user accounts. In addition, instances launched from a cloud image, and systems provisioned with the ignition.config.url kernel argument, do not use the config.ign file and are unaffected.
Patches
coreos-installer 0.10.0 and later writes the Ignition config with restricted permissions.
Workarounds
On Fedora CoreOS systems installed from version 34.20210711.3.0 (stable), 34.20210711.2.0 (testing), 34.20210711.1.1 (next) and later, the /boot/ignition directory and its contents are removed after provisioning is complete. All Fedora CoreOS systems that have updated to these versions or later have automatically removed the /boot/ignition directory and no action is required.
On other systems, /boot/ignition/config.ign can be removed manually, as it is not used after provisioning is complete:
sudo mount -o remount,rw /boot
sudo rm -rf /boot/ignition
References
For more information, see https://github.com/coreos/fedora-coreos-tracker/issues/889.
For more information
If you have any questions or comments about this advisory, open an issue in coreos-installer or email the CoreOS development mailing list.
Permalink: https://github.com/advisories/GHSA-862g-9h5m-m3qvJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04NjJnLTloNW0tbTNxds0W6A
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: over 1 year ago
CVSS Score: 5.5
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-862g-9h5m-m3qv, CVE-2021-3917
References:
- https://github.com/coreos/coreos-installer/security/advisories/GHSA-862g-9h5m-m3qv
- https://github.com/coreos/coreos-installer/commit/2a36405339c87b16ed6c76e91ad5b76638fbdb0c
- https://github.com/coreos/coreos-installer/releases/tag/v0.10.0
- https://nvd.nist.gov/vuln/detail/CVE-2021-3917
- https://github.com/coreos/fedora-coreos-tracker/issues/889
- https://access.redhat.com/security/cve/CVE-2021-3917
- https://bugzilla.redhat.com/show_bug.cgi?id=2018478
- https://github.com/advisories/GHSA-862g-9h5m-m3qv
Blast Radius: 0.0
Affected Packages
cargo:coreos-installer
Dependent packages: 0Dependent repositories: 1
Downloads: 18,619 total
Affected Version Ranges: < 0.10.0
Fixed in: 0.10.0
All affected versions: 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.2.0, 0.2.1, 0.3.0, 0.4.0, 0.5.0, 0.6.0, 0.7.0, 0.7.1, 0.7.2, 0.8.0, 0.9.0, 0.9.1
All unaffected versions: 0.10.0, 0.10.1, 0.11.0, 0.12.0, 0.13.0, 0.13.1, 0.14.0, 0.15.0, 0.16.0, 0.16.1, 0.17.0, 0.18.0, 0.19.0, 0.20.0, 0.21.0