logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2021-3917 coreos-installer

Package

Manager: cargo
Name: coreos-installer
Vulnerable Version: >=0 <0.10.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00106 pctl0.29341

Details

coreos-installer < 0.10.0 writes world-readable Ignition config to installed system ### Impact On systems installed with coreos-installer before 0.10.0, the user-provided Ignition config was written to `/boot/ignition/config.ign` with world-readable permissions, granting unprivileged users access to any secrets included in the config. Default configurations of Fedora CoreOS and RHEL CoreOS do not include any unprivileged user accounts. In addition, instances launched from a cloud image, and systems provisioned with the `ignition.config.url` kernel argument, do not use the `config.ign` file and are unaffected. ### Patches coreos-installer 0.10.0 and later [writes](https://github.com/coreos/coreos-installer/pull/571) the Ignition config with restricted permissions. ### Workarounds On Fedora CoreOS systems installed from version 34.20210711.3.0 (stable), 34.20210711.2.0 (testing), 34.20210711.1.1 (next) and later, the `/boot/ignition` directory and its contents are removed after provisioning is complete. All Fedora CoreOS systems that have updated to these versions or later have automatically removed the `/boot/ignition` directory and no action is required. On other systems, `/boot/ignition/config.ign` can be removed manually, as it is not used after provisioning is complete: ``` sudo mount -o remount,rw /boot sudo rm -rf /boot/ignition ``` ### References For more information, see https://github.com/coreos/fedora-coreos-tracker/issues/889. ### For more information If you have any questions or comments about this advisory, [open an issue in coreos-installer](https://github.com/coreos/coreos-installer/issues/new/choose) or email the CoreOS [development mailing list](https://lists.fedoraproject.org/archives/list/coreos@lists.fedoraproject.org/).

Metadata

Created: 2021-11-08T18:01:13Z
Modified: 2022-09-08T14:25:48Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-862g-9h5m-m3qv/GHSA-862g-9h5m-m3qv.json
CWE IDs: ["CWE-276"]
Alternative ID: GHSA-862g-9h5m-m3qv
Finding: F056
Auto approve: 1